WEBSHELL_phpWhitespace_Feb20

Rule Info

Date
2020-02-28
Av Ratio
15.61
Rule Hash
662abfe8204c4bee0de40cd2294db51a
Score
65
Reference
https://github.com/blackye/webshell-sample
Description
Detects an obfuscation method that uses whitespaces in order to move visible text out of vision
Name
WEBSHELL_phpWhitespace_Feb20
Required Modules
[]
Tags
['T1027', 'T1100', 'WEBSHELL', 'T1136', 'OBFUS']
Author
Tobias Michalski
Minimum Yara
1.7
Virustotal Matches
https://www.virustotal.com/gui/search/webshell_phpwhitespace_feb20/comments

Antivirus Verdicts

Rating
Number of Samples
Malicious (>= 10 engines)
24
Suspicious (< 10 engines)
19
Clean (0 engines)
0

Rule Matches

Hash
Total
Timestamp
Positives
VT
d3500c44c615ce1cbf4cffa815e17d3596b8b812db58d2ab63da3a39f4d7162a
60
2020-10-20 10:29:44
11
ff0245157ffc406ccf8bb041636d60e12f4b90ba68d73f5bee89148d58d5ef81
59
2020-10-20 10:01:42
10
8664323f2a3ed176e101d326a23de037145a499ae7498fe30fc288e2ba25bc5d
59
2020-10-17 02:16:31
2
8aa4443e99c6c99dbe240375bde094c67da9b5c606a61509a51f2ec2ac461e2d
60
2020-10-16 19:33:05
9
8fe1fe1e47c64362b74907ad7b0b35615ebab364a904620749e5bfefa304b404
60
2020-10-16 19:27:12
9
f8d33f8b1edb1f00f8b4112c6e9d07bdc4d393a426f0e932d4e1af70ea2e9a36
60
2020-10-16 14:43:00
10
2f44ce87adbbd0e98e36131de865ca2be711eff6aa6d32bd8e568d3c6da33fe2
60
2020-10-16 11:21:01
9
1a84a8c4f6a78b9afdaae0ed524478f3e62b9acee80820c4d199705437188007
60
2020-10-15 08:09:45
10
de99ea97f741513de9329219f5811a514990784747e89ca5a57c633088a32b8e
60
2020-10-14 14:56:29
11
0022dcb1d1fa01ae2691ddb622470d5f84c5c1b96612b6068cc6613178b47325
60
2020-10-12 23:36:46
14
ef1f2795b0e9fdf635192933d98d822de2f32672ebd50e72b75e14f9160a1336
59
2020-10-12 18:16:30
9
78f854daa6da1c747a4fee9ecbaa1ae0ed64d49f6ecaa6781c3372d6ee8717c1
59
2020-10-12 11:06:36
9
b2be8064f51f7f6abe8c629f6e98a41deec0676ea03f821d53a30020b7b57760
59
2020-10-12 11:05:22
9
1b78159e721fda97134882e690bad79515cf4eba1e6db2525a1b566bcc1632a1
57
2020-10-12 11:04:07
8
74ccd67998a2c75e7387282f73dd9275b823694f15b51c9eb6aecd54eb46e08e
58
2020-10-12 11:03:40
8
3c04e32348cac93ea617f38a0329192a7a73bfc034bf9a76f5289fdf4cccf171
58
2020-10-12 11:03:39
10
ee43c02a9186378bb41cddcac66497021f68c0b34a8a91b7c5050d5b818dd18b
59
2020-10-12 11:03:29
7
8bfe82630502a0fc3b88f6d88087eab375e131226bb01d56604c770e06cf9ac4
59
2020-10-12 11:03:22
9
66dcabf679e7886bd5ea5170b916f17ed1b9b9d1e00149989e7a5cc867f8d600
59
2020-10-12 11:03:09
9
9b973770e6ab5e1da715fc367920a45340158c9ae300fbc8db31c7f14151f896
59
2020-10-12 11:02:59
10
8ebc2e91ea3082d3d3a6d828f3e1edc37b8e0d6f85ee8bb91a83567f7dafb97c
59
2020-10-12 11:02:34
8
4c88fde18d7389649623c10ec3024f686671852e7e0ba67fe7d5db0b2079a6b0
59
2020-10-12 11:02:33
9
11acdbb896c84e6f098d9621ad7ec6f3b844e972b193d7deacbfd96973dd3923
59
2020-10-12 06:57:39
4
1f9ec295117b4cb2d5a34f2b606b54b2b8f269cd860adca2120d05db301af820
59
2020-10-12 00:12:28
10
a8b6ca34d3e696da72fc96157e9243cfa81b1ea3fd297ed578b6f27d02201f72
60
2020-10-11 15:59:36
10
c93c8eebf09825bd204b3c4e28bf7cdd670f65d2aa66a0fbde5b5c2ac2b97074
57
2020-10-11 14:43:26
10
1ad5b65aa7b3b6bdf294e4219fabf81b61d145711bfcb6d4f40cd4987def619f
59
2020-10-11 14:11:05
10
1ca3b0bd9ab3f37cefb5183b8fec3af97d25c1f745ceda824452971298674f75
59
2020-10-11 14:06:59
10
bd67ad26430936c5f7c45951187dc6f0571379c821794e0199f811e8ab834ddb
59
2020-10-11 14:04:15
10
4a1669a8fa90d130ed439a475ca9c1c4bb2f176b36e005dba2e8b29a1905a9ac
58
2020-10-11 14:02:43
10
a08829c310fd145051d4776a26a7c5e174a22ec907b5a84c8862ac5b23e36cc8
60
2020-10-11 12:54:56
10
6e3ae2f1fff5f6790f6bb6339bf85cc24391f1e44172b5188f2ac892705ba3dd
58
2020-10-11 12:53:38
10
b90c04ab7b4859263c3b5ba8754b8a007afb3d643ccbc4c9f336e5196ed66797
59
2020-10-11 11:59:54
10
3d84d09fc4673daff6d064ed887a6d2c24c21c0c2e583c222f0fa25dffef1e26
58
2020-10-11 11:47:40
10
a79a620b5309f690dd5712e429d041d59ebfa263ad90e769b413b31c95f6ab8e
59
2020-10-11 11:45:11
9
33bc39f93eeed48d9833d324d3785f14e6213192c8b17891159e60521e6bf902
60
2020-10-11 11:24:45
11
e2e5b34d4bd38e41f09a5560f0120c036c8b57c4b7fa38f23b3e71783f577714
59
2020-10-11 11:08:08
10
a14494cfddc1e92185a3a702645a319f39836fa91defbc58c81fcd3f5a69d200
59
2020-10-11 11:02:05
10
a7605c81b8d9f365b2b6edfe8238ae48522f24ccbba6ece206a3bf7a27922d36
59
2020-10-11 11:00:52
10
95be664338ba326bd557c9bed6b11d008be54dfbc23f79c6acdb4a8545cbc8cd
58
2020-10-11 11:00:48
10
dc7203aa574fc6c727f6fe303c5afaacb76bffe77cfc38f75df9fac7df4012a2
59
2020-10-11 10:49:15
8
8265beb255b293a76dd504ec20eec013d1389798eee7a68b9041ecdf9c6129e1
59
2020-10-10 21:00:49
9
75443d7f8738180b377a9fe2f9e3a1fd7edf1cbf16cf6fc4d06c814efabdec8f
34
2020-10-10 13:14:17
3

Rule Matches per Month (last 24 months)

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2020