2 4 - Joe Sandbox

ID: 452123 Cookbook: urldownload.jbs Time: 21:22:07 Date: 21/07/2021 Version: 33.0.0 White Diamond


Table of Contents

Windows Analysis Report: https://github.com/ION28/BLUESPAWN/releases/download/v0.5.1-alpha/BLUESPAWN-client-x86.exe
  Overview
    General Information
    Detection
    Signatures
    Classification
  Process Tree
  Malware Configuration
  Yara Overview
    Dropped Files
    Memory Dumps
    Unpacked PEs
  Sigma Overview
  Jbx Signature Overview
    AV Detection
    Exploits
    Privilege Escalation
    Networking
    System Summary
    Malware Analysis System Evasion
    HIPS / PFW / Operating System Protection Evasion
    Stealing of Sensitive Information
    Remote Access Functionality
  Mitre Att&ck Matrix
  Behavior Graph
  Screenshots
    Thumbnails
  Antivirus, Machine Learning and Genetic Malware Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
    URLs
  Domains and IPs
    Contacted Domains
    URLs from Memory and Binaries
    Contacted IPs
      Public
  General Information
  Simulations
    Behavior and APIs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    JA3 Fingerprints
    Dropped Files
  Created / dropped Files
  Static File Info
    No static file info
  Network Behavior
    Network Port Distribution
    TCP Packets
    UDP Packets
    DNS Queries
    DNS Answers
    HTTPS Packets
  Code Manipulations
  Statistics
    Behavior
  System Behavior
    Analysis Process: cmd.exe PID: 572 Parent PID: 4172
      General
      File Activities
        File Created
    Analysis Process: conhost.exe PID: 244 Parent PID: 572
      General
    Analysis Process: wget.exe PID: 6012 Parent PID: 572
      General
      File Activities
        File Created
        File Written
    Analysis Process: BLUESPAWN-client-x86.exe PID: 3132 Parent PID: 5640
      General
      File Activities
        File Written
        File Read
    Analysis Process: conhost.exe PID: 1632 Parent PID: 3132
      General
  Disassembly
    Code Analysis

Copyright Joe Security LLC 2021 Page 2 of 48


Windows Analysis Report: https://github.com/ION28/BLUESPAWN/releases/download/v0.5.1-alpha/BLUESPAWN-client-x86.exe

Overview

General Information

Sample URL: https://github.com/ION28/BLUESPAWN/releases/download/v0.5.1-alpha/BLUESPAWN-client-x86.exe

Analysis ID: 452123


Detection

Mimikatz, CobaltStrike, Codoso Ghost, Meterpreter, PowerSploit, UACMe

Score: 100

Range: 0 - 100

Whitelisted: false

Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected Hacktool Mimikatz
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected AntiVM3
Yara detected CobaltStrike
Yara detected Codoso Ghost
Yara detected Meterpreter
Yara detected Mimikatz
Yara detected PowerSploit
Yara detected Powershell dedcode and execute
Yara detected UACMe UAC Bypass tool
Contains functionality to start a terminal service
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often use…
Contains functionality to detect virtu…
Contains functionality to read the PEB
Drops PE files
PE file contains executable resource…
PE file contains strange resources
Queries the volume information (nam…
Sample execution stops while proce…
Uses code obfuscation techniques (…
Yara signature match

Classification

(classification chart not reproduced; categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean / suspicious / malicious)

Process Tree

System is w10x64
cmd.exe (PID: 572 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://github.com/ION28/BLUESPAWN/releases/download/v0.5.1-alpha/BLUESPAWN-client-x86.exe' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
  conhost.exe (PID: 244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  wget.exe (PID: 6012 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://github.com/ION28/BLUESPAWN/releases/download/v0.5.1-alpha/BLUESPAWN-client-x86.exe' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
BLUESPAWN-client-x86.exe (PID: 3132 cmdline: 'C:\Users\user\Desktop\download\BLUESPAWN-client-x86.exe' MD5: 6D064EBB0F9123D367D7DB67384E930A)
  conhost.exe (PID: 1632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\Desktop\download\BLUESPAWN-client-x86.exe | Mimikatz_Strings | Detects Mimikatz strings | Florian Roth | 0x2fc474:$x5: mimidrv.sys

Memory Dumps

Source | Rule | Description | Author | Strings
00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp | Recon_Commands_Windows_Gen1 | Detects a set of reconnaissance commands on Windows systems | Florian Roth | 0x1a23:$s1: netstat -an; 0x23a94:$s3: net user; 0x23aa2:$s3: net user; 0x1a8c:$s4: whoami; 0x23abe:$s7: net localgroup administrators
00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp | Payload_Exe2Hex | Detects payload generated by exe2hex | Florian Roth | 0x29ab9:$a1: set /p "=4d5a; 0x29acb:$a2: powershell -Command "$hex=; 0x29aea:$b1: set+%2Fp+%22%3D4d5; 0x29b01:$b2: powershell+-Command+%22%24hex; 0x29b23:$c1: echo 4d 5a ; 0x29b33:$c2: echo r cx >>; 0x29b44:$d1: echo+4d+5a+; 0x29b54:$d2: echo+r+cx+%3E%3E
00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp | Exploit_MS15_077_078 | MS15-078 / MS15-077 exploit - generic signature | Florian Roth | 0xab2e:$s1: GDI32.DLL; 0x2212e:$s1: GDI32.DLL; 0xab4a:$s3: AddFontMemResourceEx; 0xab63:$s4: NamedEscape; 0xab73:$s5: CreateBitmap; 0xab84:$s6: DeleteObject; 0xab96:$op0: 83 45 E8 01 EB 07 C7 45 E8; 0xaba5:$op1: 8D 85 24 42 FB FF 89 04 24 E8 80 22 0000 C7 45; 0xabbb:$op2: EB 54 8B 15 6C 00 4C 00 8D 85 24 42 FB FF 89 44; 0xabd1:$op3: 64 00 88 FF 84 03 70 03
00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp | DeepPanda_htran_exe | Hack Deep Panda - htran-exe | Florian Roth | 0x22642:$s3: [SERVER]connection to %s:%d error; 0x22668:$s4: -tran <ConnectPort> <TransmitHost> <TransmitPort>; 0x22754:$s11: -slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>; 0x227c3:$s20: -listen <ConnectPort> <TransmitPort>
00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp | CN_Toolset_NTscan_PipeCmd | Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe | Florian Roth | 0x20fdf:$s2: Please Use NTCmd.exe Run This Program.; 0x2101d:$s4: \\.\pipe\%s%s%d; 0x2100a:$s5: %s\pipe\%s%s%d; 0x21031:$s6: %s\ADMIN$\System32\%s%s; 0x21031:$s7: %s\ADMIN$\System32\%s; 0x20fbc:$s9: PipeCmdSrv.exe; 0x2104d:$s10: This is a service executable! Couldn't start directly.
(1519 entries in the full report; only the first rows are reproduced here)

Unpacked PEs

Source | Rule | Description | Author | Strings
18.0.BLUESPAWN-client-x86.exe.c30000.0.unpack | Mimikatz_Strings | Detects Mimikatz strings | Florian Roth | 0x2fc474:$x5: mimidrv.sys
18.2.BLUESPAWN-client-x86.exe.c30000.0.unpack | Mimikatz_Strings | Detects Mimikatz strings | Florian Roth | 0x2fc474:$x5: mimidrv.sys

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file

Exploits:
Yara detected PowerSploit
Yara detected UACMe UAC Bypass tool

Privilege Escalation:
Detected Hacktool Mimikatz

Networking:
Yara detected Meterpreter

System Summary:
Malicious sample detected (through community Yara rule)

Malware Analysis System Evasion:
Yara detected AntiVM3
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

HIPS / PFW / Operating System Protection Evasion:
Yara detected Powershell dedcode and execute

Stealing of Sensitive Information:
Yara detected Codoso Ghost
Yara detected Mimikatz

Remote Access Functionality:
Yara detected CobaltStrike
Yara detected Codoso Ghost
Yara detected Meterpreter
Contains functionality to start a terminal service

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection 2; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 1; Process Injection 2; Obfuscated Files or Information 1; Software Packing; Steganography
Credential Access: OS Credential Dumping 1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: System Time Discovery 1; Security Software Discovery 2 1 1; Virtualization/Sandbox Evasion 1; Process Discovery 1; Remote System Discovery 1; System Information Discovery 1 3
Lateral Movement: Remote Desktop Protocol 1; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel 2; Non-Application Layer Protocol 1; Application Layer Protocol 2; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service


Behavior Graph

ID: 452123
URL: https://github.com/ION28/BL...
Startdate: 21/07/2021
Architecture: WINDOWS
Score: 100

Signatures shown on the graph: Malicious sample detected (through community Yara rule); Detected Hacktool Mimikatz; Yara detected Powershell dedcode and execute; 9 other signatures; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file

Process nodes (each marked "started"): BLUESPAWN-client-x86.exe (1), cmd.exe (2), conhost.exe, wget.exe (3), conhost.exe
Network nodes: github.com (140.82.121.4, 443, 49699; GITHUBUS; United States); github-releases.githubusercontent.com (185.199.111.154, 443, 49700; FASTLYUS; Netherlands)
Dropped file node: C:\Users\user\...\BLUESPAWN-client-x86.exe, PE32 (dropped)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow. (screenshots not reproduced in this text version)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
https://github.com/ION28/BLUESPAWN/releases/download/v0.5.1-alpha/BLUESPAWN-client-x86.exe | 0% | Virustotal | | Browse
https://github.com/ION28/BLUESPAWN/releases/download/v0.5.1-alpha/BLUESPAWN-client-x86.exe | 0% | Avira URL Cloud | safe |

Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\Desktop\download\BLUESPAWN-client-x86.exe | 100% | Avira | TR/Dldr.Cekar.jkrfz |
C:\Users\user\Desktop\download\BLUESPAWN-client-x86.exe | 14% | Metadefender | | Browse
C:\Users\user\Desktop\download\BLUESPAWN-client-x86.exe | 69% | ReversingLabs | Win32.Virus.Cekar |

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label | Link
github-releases.githubusercontent.com | 0% | Virustotal | | Browse



Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
github.com | 140.82.121.4 | true | false | | high
github-releases.githubusercontent.com | 185.199.111.154 | true | false | 0%, Virustotal, Browse | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
140.82.121.4 | github.com | United States | 36459 | GITHUBUS | false
185.199.111.154 | github-releases.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false


General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 452123
Start date: 21.07.2021
Start time: 21:22:07
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 53s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: urldownload.jbs
Sample URL: https://github.com/ION28/BLUESPAWN/releases/download/v0.5.1-alpha/BLUESPAWN-client-x86.exe
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 35
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.win@6/4@2/2
EGA Information: Failed
HDC Information: Successful, ratio: 100% (good quality ratio 84%); Quality average: 60.8%; Quality standard deviation: 39%
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI
Warnings:

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context


JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\Desktop\cmdline.out

Process: C:\Windows\SysWOW64\wget.exe

File Type: ASCII text, with very long lines, with CRLF line terminators

Category: modified

Size (bytes): 10050

Entropy (8bit): 3.245096136223553

Encrypted: false

SSDEEP: 48:gieF1Xf8h9YRMFTh9YRMFTzAz1KDbZFqNKqBPjkTDoc1UGtOZrU3bcmyweUoaPpJ:OtUmUUUp6BZrq2ooEyz5Og25Q3CEUJ3

MD5: 85026215E843F5D329B37C003C2CC379

SHA1: 37AF8E007F2055B3A97191DE57BD7E8161FF1B2D

SHA-256: 0DCFB9206EFBC436501A3FC54F0FA01882905D989913E5E79CDD9F423CC9FD45

SHA-512: 5E53D461703BF71C7CF502617FBD599387BEA8286A64E445DF1C3D8799DE1E2C5BE0B247545B638E4C61CC48122AE92396EADCB1D1C06A47CD6EA0485DC1DDAF

Malicious: false

Reputation: low

Preview:--2021-07-21 21:22:58-- https://github.com/ION28/BLUESPAWN/releases/download/v0.5.1-alpha/BLUESPAWN-client-x86.exe..Resolving github.com (github.com)... 140.82.121.4..Connecting to github.com (github.com)|140.82.121.4|:443... connected...HTTP request sent, awaiting response... 302 Found..Location: https://github-releases.githubusercontent.com/189113067/32b6e400-7822-11eb-8b16-38699c6bbd6d?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210721%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210721T192258Z&X-Amz-Expires=300&X-Amz-Signature=6633b83cc7a404172e6d95c57a1e5edf4fb09c2a79c23fc73bf337963aead556&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=189113067&response-content-disposition=attachment%3B%20filename%3DBLUESPAWN-client-x86.exe&response-content-type=application%2Foctet-stream [following]..--2021-07-21 21:22:58-- https://github-releases.githubusercontent.com/189113067/32b6e400-7822-11eb-8b16-38699c6bbd6d?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Cre

C:\Users\user\Desktop\download\.wget-hsts

Process: C:\Windows\SysWOW64\wget.exe

File Type: ASCII text, with CRLF line terminators

Category: dropped

Size (bytes): 232

Entropy (8bit): 5.202293372655879

Encrypted: false

SSDEEP: 6:SYeRLlbA0noH9VhyyJQQ5oA8Upi27BirjMG5mBy:mPLMcDUpiC2jMGay

MD5: B81F6910329E45A5689191FF4341D7BE

SHA1: D9BD49AA339592B245200BCB795BA813773142F4

SHA-256: 3A854443ED0C9F6D6AC36392FA1CA7F8D1129AAB29DA230726412D9D0AE3795E

SHA-512: A772BE6F258D6E6CECB8385BDD7618F222D104C2791F91F6A78B616EE867F855D2C498A91FFC516A8A7DA724FDA1CDCB8EAC316C1BE73CB8C20382239AE53A73

Malicious: false

Reputation: low

Preview:# HSTS 1.0 Known Hosts database for GNU Wget...# Edit at your own risk...# <hostname>.<port>.<incl. subdomains>.<created>.<max-age>..github.com.0.1.1626927778.31536000..github-releases.githubusercontent.com.0.0.1626927778.31536000..

C:\Users\user\Desktop\download\BLUESPAWN-client-x86.exe

Process: C:\Windows\SysWOW64\wget.exe

File Type: PE32 executable (console) Intel 80386, for MS Windows

Category: dropped

Size (bytes): 5302272

Entropy (8bit): 7.097068277150172

Encrypted: false

SSDEEP: 98304:E7yW3bK7tdk/9NqTSrVHVbnblILGiVKoKEhbM020F+ul3AIGttI9VNiqZPwZi:EDbK7tdk/9NqMxVK1x2QwI3tw

MD5: 6D064EBB0F9123D367D7DB67384E930A

SHA1: AA162F41AA7CC26570982319934E60A334B43857

SHA-256: 5645F8D63D32E493D1F72CF00CBBB01502C83A41F6EF723EB3A294794BC9233B


SHA-512: E1ACAA677AB75BB0C552D6EB4FE97A9FF73EF0066C09B79C749A7669D241EAD8A01C3EC0F95FD578C48DA9F50BCFE55DB9A2A7B04E8BFDEEE51957BCB4EE71A8

Malicious: true

Yara Hits: Rule: Mimikatz_Strings, Description: Detects Mimikatz strings, Source: C:\Users\user\Desktop\download\BLUESPAWN-client-x86.exe, Author: Florian Roth

Antivirus: Avira, Detection: 100%; Metadefender, Detection: 14%, Browse; ReversingLabs, Detection: 69%

Reputation: low


\Device\ConDrv

Process: C:\Users\user\Desktop\download\BLUESPAWN-client-x86.exe

File Type: ASCII text, with CRLF line terminators

Category: dropped

Size (bytes): 613

Entropy (8bit): 3.4816612937996543

Encrypted: false

SSDEEP: 12:UL1LMLGhFnsZy9MR/c+wBKufAB5jjx5cE3FtOioKpgpMztGMiENp:I5AIFsZycwBDfAB5jFDbAC0u

MD5: CA18640C981C2D2E2364F02A5BC2A675

SHA1: BD531790F43EB28DC913CBB245B126219D825A34

SHA-256: E696449FB0571B0EADA582571742F87E988FC76D3162592009A21BC452F2002F

SHA-512: 2FDDA1E7B9AC6A9F2946AA5527B9CBC9AA7EB7C2D725F93CCECB2372EB0C8EE7B87D9FE2ECE55FE2B24AC434707B017DB33FB8485D6E07236B179A90C3F9A885

Malicious: false

Reputation: low

Preview:....________ ______ _____ ____________________________ _______ ___ _______ __..___ __ )___ / __ / / /___ ____/__ ___/___ __ \___ |__ | / /___ | / /..__ __ |__ / _ / / / __ __/ _____ \ __ /_/ /__ /| |__ | /| / / __ |/ / .._ /_/ / _ /___/ /_/ / _ /___ ____/ / _ ____/ _ ___ |__ |/ |/ / _ /| / ../_____/ /_____/\____/ /_____/ /____/ /_/ /_/ |_|____/|__/ /_/ |_/ ........[!][MEDIUM] Running the x86 version of BLUESPAWN on an x64 system! This configuration is not fully supported, so we recommend downloading the x64 version...Press enter to continue. ..

Static File Info

No static file info

Network Behavior

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 21, 2021 21:22:57.862591982 CEST | 192.168.2.5 | 8.8.8.8 | 0x9ef | Standard query (0) | github.com | A (IP address) | IN (0x0001)
Jul 21, 2021 21:22:58.201708078 CEST | 192.168.2.5 | 8.8.8.8 | 0xc7b5 | Standard query (0) | github-releases.githubusercontent.com | A (IP address) | IN (0x0001)


DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 21, 2021 21:22:57.933666945 CEST | 8.8.8.8 | 192.168.2.5 | 0x9ef | No error (0) | github.com | | 140.82.121.4 | A (IP address) | IN (0x0001)
Jul 21, 2021 21:22:58.214871883 CEST | 8.8.8.8 | 192.168.2.5 | 0xc7b5 | No error (0) | github-releases.githubusercontent.com | | 185.199.111.154 | A (IP address) | IN (0x0001)
Jul 21, 2021 21:22:58.214871883 CEST | 8.8.8.8 | 192.168.2.5 | 0xc7b5 | No error (0) | github-releases.githubusercontent.com | | 185.199.110.154 | A (IP address) | IN (0x0001)
Jul 21, 2021 21:22:58.214871883 CEST | 8.8.8.8 | 192.168.2.5 | 0xc7b5 | No error (0) | github-releases.githubusercontent.com | | 185.199.109.154 | A (IP address) | IN (0x0001)
Jul 21, 2021 21:22:58.214871883 CEST | 8.8.8.8 | 192.168.2.5 | 0xc7b5 | No error (0) | github-releases.githubusercontent.com | | 185.199.108.154 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp: Jul 21, 2021 21:22:57.990139961 CEST
Source IP / Port: 140.82.121.4 / 443
Dest IP / Port: 192.168.2.5 / 49699
Subject: CN=github.com, O="GitHub, Inc.", L=San Francisco, ST=California, C=US
Issuer: CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1, O="DigiCert, Inc.", C=US
NotBefore: Thu Mar 25 01:00:00 CET 2021
NotAfter: Thu Mar 31 01:59:59 CEST 2022
Issuer certificate: Subject CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1, O="DigiCert, Inc.", C=US; Issuer CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US; NotBefore Thu Dec 17 01:00:00 CET 2020; NotAfter Tue Dec 17 00:59:59 CET 2030
JA3 SSL Client Fingerprint: 771,49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,0-11-10-35-22-23-13,29-23-25-24,0-1-2
JA3 SSL Client Digest: 807fca46d9d0cf63adf4e5e80e414bbe

Timestamp: Jul 21, 2021 21:22:58.260082960 CEST
Source IP / Port: 185.199.111.154 / 443
Dest IP / Port: 192.168.2.5 / 49700
Subject: CN=www.github.com, O="GitHub, Inc.", L=San Francisco, ST=California, C=US
Issuer: CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
NotBefore: Wed May 06 02:00:00 CEST 2020
NotAfter: Thu Apr 14 14:00:00 CEST 2022
Issuer certificate: Subject CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US; Issuer CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US; NotBefore Tue Oct 22 14:00:00 CEST 2013; NotAfter Sun Oct 22 14:00:00 CEST 2028
JA3 SSL Client Fingerprint: 771,49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,0-11-10-35-22-23-13,29-23-25-24,0-1-2
JA3 SSL Client Digest: 807fca46d9d0cf63adf4e5e80e414bbe


System Behavior

Analysis Process: cmd.exe PID: 572 Parent PID: 4172

General

Start time: 21:22:55

Start date: 21/07/2021

Path: C:\Windows\SysWOW64\cmd.exe

Wow64 process (32bit): true

Commandline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://github.com/ION28/BLUESPAWN/releases/download/v0.5.1-alpha/BLUESPAWN-client-x86.exe' > cmdline.out 2>&1

Imagebase: 0x150000

File size: 232960 bytes

MD5 hash: F3BDBE3BB6F734E357235F4D5898582D

Has elevated privileges: true

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: low


Start time: 21:22:56

Start date: 21/07/2021

Path: C:\Windows\System32\conhost.exe

Wow64 process (32bit): false

Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Imagebase: 0x7ff7ecfc0000

File size: 625664 bytes

MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496

Has elevated privileges: true

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: low

Start time: 21:22:57

Start date: 21/07/2021

Path: C:\Windows\SysWOW64\wget.exe

Wow64 process (32bit): true

Commandline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://github.com/ION28/BLUESPAWN/releases/download/v0.5.1-alpha/BLUESPAWN-client-x86.exe'

Imagebase: 0x400000

File size: 3895184 bytes

MD5 hash: 3DADB6E2ECE9C4B3E1E322E617658B60

Has elevated privileges: true

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: low

Analysis Process: cmd.exe PID: 572 Parent PID: 4172

General

File Created

Analysis Process: conhost.exe PID: 244 Parent PID: 572

General

Analysis Process: wget.exe PID: 6012 Parent PID: 572

General


File Activities

Start time: 21:23:44

Start date: 21/07/2021

Path: C:\Users\user\Desktop\download\BLUESPAWN-client-x86.exe

Wow64 process (32bit): true

Commandline: 'C:\Users\user\Desktop\download\BLUESPAWN-client-x86.exe'

Imagebase: 0xc30000

File size: 5302272 bytes

MD5 hash: 6D064EBB0F9123D367D7DB67384E930A

Has elevated privileges: true

Has administrator privileges: true

Programmed in: C, C++ or other language

Yara matches:
Rule: Recon_Commands_Windows_Gen1, Description: Detects a set of reconnaissance commands on Windows systems, Source: 00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Payload_Exe2Hex, Description: Detects payload generated by exe2hex, Source: 00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Exploit_MS15_077_078, Description: MS15-078 / MS15-077 exploit - generic signature, Source: 00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp, Author: Florian Roth
Rule: DeepPanda_htran_exe, Description: Hack Deep Panda - htran-exe, Source: 00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp, Author: Florian Roth
Rule: CN_Toolset_NTscan_PipeCmd, Description: Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe, Source: 00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp, Author: Florian Roth
Rule: RemCom_RemoteCommandExecution, Description: Detects strings from RemCom tool, Source: 00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp, Author: Florian Roth
Rule: power_pe_injection, Description: PowerShell with PE Reflective Injection, Source: 00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp, Author: Benjamin DELPY (gentilkiwi)
Rule: apt_equation_equationlaser_runtimeclasses, Description: Rule to detect the EquationLaser malware, Source: 00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp, Author: unknown
Rule: apt_equation_cryptotable, Description: Rule to detect the crypto library used in Equation group malware, Source: 00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp, Author: unknown
Rule: EquationDrug_HDDSSD_Op, Description: EquationDrug - HDD/SSD firmware operation - nls_933w.dll, Source: 00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp, Author: Florian Roth @4nc4p
Rule: webshell_php_obfuscated_encoding, Description: PHP webshell obfuscated by encoding, Source: 00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp, Author: Arnim Rupp
Rule: webshell_php_by_string_known_webshell, Description: Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., Source: 00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp, Author: Arnim Rupp
Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp, Author: Arnim Rupp
Rule: FVEY_ShadowBrokers_Jan17_Screen_Strings, Description: Detects strings derived from the ShadowBroker's leak of Windows tools/exploits, Source: 00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp, Author: Florian Roth
Rule: doublepulsarxor_petya, Description: rule to hit on the xored doublepulsar shellcode, Source:

File Created

File Written

Analysis Process: BLUESPAWN-client-x86.exe PID: 3132 Parent PID: 5640

General


00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp, Author: patrick jonesRule: doublepulsardllinjection_petya, Description: rule to hit on the xored doublepulsar dll injection shellcode, Source: 00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp, Author: patrick jonesRule: Meterpreter_Reverse_Tcp, Description: Meterpreter reverse TCP backdoor in memory. Tested on Win7x64., Source: 00000012.00000002.592199194.00000000032EF000.00000004.00000001.sdmp, Author: chort (@chort0)Rule: hacktool_macos_exploit_cve_5889, Description: http://www.cvedetails.com/cve/cve-2015-5889, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_macos_exploit_tpwn, Description: tpwn exploits a null pointer dereference in XNU to escalate privileges to root., Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_macos_juuso_keychaindump, Description: For reading OS X keychain passwords as root., Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_macos_keylogger_b4rsby_swiftlog, Description: Dirty user level command line keylogger hacked together in Swift., Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_macos_keylogger_caseyscarborough, Description: A simple and easy to use keylogger for macOS., Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_macos_keylogger_dannvix, Description: A simple keylogger for macOS., Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_macos_keylogger_eldeveloper_keystats, Description: A simple keylogger for macOS., Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_macos_keylogger_giacomolaw, Description: A simple keylogger for 
macOS., Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_macos_keylogger_logkext, Description: LogKext is an open source keylogger for Mac OS X, a product of FSB software., Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_macos_keylogger_roxlu_ofxkeylogger, Description: ofxKeylogger keylogger., Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_macos_keylogger_skreweverything_swift, Description: It is a simple and easy to use keylogger for macOS written in Swift., Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_macos_macpmem, Description: MacPmem enables read/write access to physical memory on macOS. Can be used by CSIRT teams and attackers., Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_macos_manwhoami_icloudcontacts, Description: Pulls iCloud Contacts for an account. No dependencies. 
No user notification., Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_macos_manwhoami_mmetokendecrypt, Description: This program decrypts / extracts all authorization tokens on macOS / OS X / OSX., Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_macos_manwhoami_osxchromedecrypt, Description: Decrypt Google Chrome / Chromium passwords and credit cards on macOS / OS X., Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_macos_n0fate_chainbreaker, Description: chainbreaker can extract user credential in a Keychain file with Master Key or user password in forensically sound manner., Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_macos_ptoomey3_keychain_dumper, Description: Keychain dumping utility., Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_multi_bloodhound_owned, Description: Bloodhound: Custom queries to document a compromise, find collateral spread of owned nodes, and visualize deltas in privilege gains, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @fusionraceRule: hacktool_multi_jtesta_ssh_mitm, Description: intercepts ssh connections to capture credentials, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @fusionraceRule: hacktool_multi_masscan, Description: masscan is a performant port scanner, it produces results similar to nmap, Source:

Copyright Joe Security LLC 2021 Page 16 of 48

00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_multi_ncc_ABPTTS, Description: Allows for TCP tunneling over HTTP, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_multi_ntlmrelayx, Description: https://www.fox-it.com/en/insights/blogs/blog/inside-windows-network/, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_multi_pyrasite_py, Description: A tool for injecting arbitrary code into running Python processes., Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @fusionraceRule: hacktool_multi_responder_py, Description: Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @fusionraceRule: hacktool_windows_hot_potato, Description: https://foxglovesecurity.com/2016/01/16/hot-potato/, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_windows_moyix_creddump, Description: creddump is a python tool to extract credentials and secrets from Windows registry hives., Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_windows_ncc_wmicmd, Description: Command shell wrapper for WMI, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @mimeframeRule: hacktool_windows_rdp_cmd_delivery, Description: Delivers a text payload via RDP (rubber ducky), Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @fusionraceRule: hacktool_windows_wmi_implant, Description: A PowerShell based tool that is designed to act like a RAT, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @fusionraceRule: hacktool_windows_mimikatz_errors, 
Description: Mimikatz credential dump tool: Error messages, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @fusionraceRule: hacktool_windows_mimikatz_sekurlsa, Description: Mimikatz credential dump tool, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: @fusionraceRule: Msfpayloads_msf, Description: Metasploit Payloads - file msf.sh, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Msfpayloads_msf_2, Description: Metasploit Payloads - file msf.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Msfpayloads_msf_psh, Description: Metasploit Payloads - file msf-psh.vba, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Msfpayloads_msf_exe, Description: Metasploit Payloads - file msf-exe.vba, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Msfpayloads_msf_3, Description: Metasploit Payloads - file msf.psh, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Msfpayloads_msf_4, Description: Metasploit Payloads - file msf.aspx, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Msfpayloads_msf_exe_2, Description: Metasploit Payloads - file msf-exe.aspx, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Msfpayloads_msf_6, Description: Metasploit Payloads - file msf.vbs, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Msfpayloads_msf_7, Description: Metasploit Payloads - file msf.vba, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Msfpayloads_msf_8, Description: Metasploit Payloads - file msf.ps1, Source: 
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Msfpayloads_msf_cmd, Description: Metasploit Payloads - file msf-cmd.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Msfpayloads_msf_11, Description: Metasploit Payloads - file msf.hta, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author:

Copyright Joe Security LLC 2021 Page 17 of 48

Florian RothRule: HKTL_Meterpreter_inMemory, Description: Detects Meterpreter in-memory, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: netbiosX, Florian RothRule: Base64_PS1_Shellcode, Description: Detects Base64 encoded PS1 Shellcode, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Nick Carr, David LedbetterRule: PowerShell_ISESteroids_Obfuscation, Description: Detects PowerShell ISESteroids obfuscation, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: SUSP_OBFUSC_PowerShell_True_Jun20_1, Description: Detects indicators often found in obfuscated PowerShell scripts, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Recon_Commands_Windows_Gen1, Description: Detects a set of reconnaissance commands on Windows systems, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Payload_Exe2Hex, Description: Detects payload generated by exe2hex, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Reflective_DLL_Loader_Aug17_1, Description: Detects Reflective DLL Loader, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Reflective_DLL_Loader_Aug17_2, Description: Detects Reflective DLL Loader - suspicious - Possible FP could be program crack, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Reflective_DLL_Loader_Aug17_3, Description: Detects Reflective DLL Loader, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: GetUserSPNs_VBS, Description: Auto-generated rule - file GetUserSPNs.vbs, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: GetUserSPNs_PS1, Description: Auto-generated rule - 
file GetUserSPNs.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: kerberoast_PY, Description: Auto-generated rule - file kerberoast.py, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: p0wnedPowerCat, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: p0wnedPotato, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: p0wnedExploits, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits.cs, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: p0wnedBinaries, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries.cs, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: p0wnedAmsiBypass, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass.cs, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: p0wnedShell_outputs, Description: p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: ps1_toolkit_PowerUp, Description: Auto-generated rule - file PowerUp.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: ps1_toolkit_Inveigh_BruteForce, Description: 
Auto-generated rule - file Inveigh-BruteForce.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: ps1_toolkit_Invoke_Shellcode, Description: Auto-generated rule - file Invoke-Shellcode.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: ps1_toolkit_Invoke_Mimikatz, Description: Auto-generated rule - file Invoke-Mimikatz.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: ps1_toolkit_Invoke_RelfectivePEInjection, Description: Auto-generated rule - file

Copyright Joe Security LLC 2021 Page 18 of 48

Invoke-RelfectivePEInjection.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: ps1_toolkit_Persistence, Description: Auto-generated rule - file Persistence.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: ps1_toolkit_Invoke_Mimikatz_RelfectivePEInjection, Description: Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: ps1_toolkit_Inveigh_BruteForce_2, Description: Auto-generated rule - from files Inveigh-BruteForce.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: ps1_toolkit_PowerUp_2, Description: Auto-generated rule - from files PowerUp.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: ps1_toolkit_Persistence_2, Description: Auto-generated rule - from files Persistence.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: ps1_toolkit_Inveigh_BruteForce_3, Description: Auto-generated rule - from files Inveigh-BruteForce.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Suspicious_PowerShell_Code_1, Description: Detects suspicious PowerShell code, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: SUSP_PS1_FromBase64String_Content_Indicator, Description: Detects suspicious base64 encoded PowerShell expressions, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: HTA_with_WScript_Shell, Description: Detects WScript Shell in HTA, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: VBS_dropper_script_Dec17_1, Description: Detects a 
supicious VBS script that drops an executable, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: PS_AMSI_Bypass, Description: Detects PowerShell AMSI Bypass, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: JS_Suspicious_Obfuscation_Dropbox, Description: Detects PowerShell AMSI Bypass, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: JS_Suspicious_MSHTA_Bypass, Description: Detects MSHTA Bypass, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: JavaScript_Run_Suspicious, Description: Detects a suspicious Javascript Run command, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: VBS_Obfuscated_Mal_Feb18_1, Description: Detects malicious obfuscated VBS observed in February 2018, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: HKTL_PowerSploit, Description: Detects default strings used by PowerSploit to establish persistence, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Markus NeisRule: Empire_Invoke_BypassUAC, Description: Empire - a pure PowerShell post-exploitation agent - file Invoke-BypassUAC.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Invoke_Mimikatz, Description: Empire - a pure PowerShell post-exploitation 
agent - file Invoke-Mimikatz.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Write_HijackDll, Description: Empire - a pure PowerShell post-exploitation agent - file Write-HijackDll.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Mimipenguin_SH, Description: Detects Mimipenguin Password Extractor - Linux, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_php_generic, Description: php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings, Source:

Copyright Joe Security LLC 2021 Page 19 of 48

00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Arnim RuppRule: webshell_php_generic_callback, Description: php webshell having some kind of input and using a callback to execute the payload. restricted to small files or would give lots of false positives, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Arnim RuppRule: webshell_php_obfuscated_encoding, Description: PHP webshell obfuscated by encoding, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Arnim RuppRule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Arnim RuppRule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Arnim RuppRule: webshell_php_by_string_known_webshell, Description: Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Arnim RuppRule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. 
Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Arnim RuppRule: webshell_php_strings_susp, Description: typical webshell strings, suspicious, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Arnim RuppRule: CobaltStrike_Sleep_Decoder_Indicator, Description: Detects CobaltStrike sleep_mask decoder, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: [email protected]: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: [email protected]: Metasploit_Loader_RSMudge, Description: Detects a Metasploit Loader by RSMudge - file loader.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Armitage_msfconsole, Description: Detects Armitage component, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Armitage_OSX, Description: Detects Armitage component, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Invoke_Mimikatz, Description: Detects Invoke-Mimikatz String, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: NTLM_Dump_Output, Description: NTML Hash Dump output file - John/LC format, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Invoke_SMBExec, Description: Detects Invoke-WmiExec or Invoke-SmbExec, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Invoke_WMIExec_Gen_1, Description: Detects Invoke-WmiExec or Invoke-SmbExec, Source: 
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Invoke_SMBExec_Invoke_WMIExec_1, Description: Auto-generated rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Invoke_WMIExec_Gen, Description: Auto-generated rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: PowerShdll, Description: Detects hack tool PowerShdll, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WMImplant, Description: Auto-generated rule - file WMImplant.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Invoke_PSImage, Description: Detects a command to execute PowerShell from String, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: merlinAgent, Description: Detects Merlin agent, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Hilko BengenRule: Invoke_OSiRis, Description: Osiris Device Guard Bypass - file Invoke-OSiRis.ps1, Source:

Copyright Joe Security LLC 2021 Page 20 of 48

00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: SUSP_Script_Base64_Blocks_Jun20_1, Description: Detects suspicious file with base64 encoded payload in blocks, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: SUSP_Reversed_Hacktool_Author, Description: Detects a suspicious path traversal into a Windows folder, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: SUSP_Base64_Encoded_Hacktool_Dev, Description: Detects a suspicious base64 encoded keyword, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Invoke_MetasploitPayload, Description: Detects Empire component - file Invoke-MetasploitPayload.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Exploit_Jenkins, Description: Detects Empire component - file Exploit-Jenkins.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Get_SecurityPackages, Description: Detects Empire component - file Get-SecurityPackages.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Invoke_PowerDump, Description: Detects Empire component - file Invoke-PowerDump.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Install_SSP, Description: Detects Empire 
component - file Install-SSP.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Invoke_ShellcodeMSIL, Description: Detects Empire component - file Invoke-ShellcodeMSIL.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: HKTL_Empire_PowerUp, Description: Detects Empire component - file PowerUp.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Invoke_Mimikatz_Gen, Description: Detects Empire component - file Invoke-Mimikatz.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Get_GPPPassword, Description: Detects Empire component - file Get-GPPPassword.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Invoke_SmbScanner, Description: Detects Empire component - file Invoke-SmbScanner.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Exploit_JBoss, Description: Detects Empire component - file Exploit-JBoss.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_dumpCredStore, Description: Detects Empire component - file dumpCredStore.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Invoke_EgressCheck, Description: Detects Empire component - file Invoke-EgressCheck.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Out_Minidump, Description: Detects Empire component - file Out-Minidump.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Invoke_PsExec, Description: Detects Empire component - file Invoke-PsExec.ps1, Source: 
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Invoke_PostExfil, Description: Detects Empire component - file Invoke-PostExfil.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Invoke_SMBAutoBrute, Description: Detects Empire component - file Invoke-SMBAutoBrute.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Get_Keystrokes, Description: Detects Empire component - file Get-
Keystrokes.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Invoke_DllInjection, Description: Detects Empire component - file Invoke-DllInjection.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_KeePassConfig, Description: Detects Empire component - file KeePassConfig.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Invoke_SSHCommand, Description: Detects Empire component - file Invoke-SSHCommand.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_PowerShell_Framework_Gen1, Description: Detects Empire component, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_PowerUp_Gen, Description: Detects Empire component - from files PowerUp.ps1, PowerUp.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_PowerShell_Framework_Gen2, Description: Detects Empire component, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Agent_Gen, Description: Detects Empire component - from files agent.ps1, agent.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_PowerShell_Framework_Gen3, Description: Detects Empire component, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Invoke_InveighRelay_Gen, Description: Detects Empire component - from files Invoke-InveighRelay.ps1, Invoke-InveighRelay.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_KeePassConfig_Gen, Description: Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1, Source: 
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Invoke_Portscan_Gen, Description: Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_PowerShell_Framework_Gen4, Description: Detects Empire component, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen, Description: Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_Invoke_Gen, Description: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Empire_PowerShell_Framework_Gen5, Description: Detects Empire component, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Impacket_Tools_Generic_1, Description: Compiled Impacket Tools, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: Invoke_mimikittenz, Description: Detects Mimikittenz - file Invoke-mimikittenz.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: JoeSecurity_PowerSploit, Description: Yara detected PowerSploit, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Joe SecurityRule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Joe SecurityRule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Joe SecurityRule: JoeSecurity_Codoso_Ghost, Description: Yara detected Codoso Ghost, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Joe SecurityRule: JoeSecurity_Meterpreter, Description: Yara detected Meterpreter, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Joe SecurityRule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Joe SecurityRule: Empire__Users_neo_code_Workspace_Empire_4sigs_PowerUp, Description:
Detects Empire component - file PowerUp.ps1, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_h4ntu_shell_powered_by_tsoi_, Description: Web Shell - file h4ntu shell [powered by tsoi, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: unknownRule: webshell_PHP_sql, Description: Web Shell - file sql.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_PHP_a, Description: Web Shell - file a.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_iMHaPFtp_2, Description: Web Shell - file iMHaPFtp.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_Jspspyweb, Description: Web Shell - file Jspspyweb.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2, Description: Web Shell - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend, Description: Web Shell - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_phpshell_2_1_pwhash, Description: Web Shell - file pwhash.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_PHPRemoteView, Description: Web Shell - file PHPRemoteView.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_12302, Description: Web Shell - file 12302.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: 
webshell_caidao_shell_guo, Description: Web Shell - file guo.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_PHP_redcod, Description: Web Shell - file redcod.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_remview_fix, Description: Web Shell - file remview_fix.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_asp_cmd, Description: Web Shell - file cmd.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_php_sh_server, Description: Web Shell - file server.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_PH_Vayv_PH_Vayv, Description: Web Shell - file PH Vayv.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_caidao_shell_ice, Description: Web Shell - file ice.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_cihshell_fix, Description: Web Shell - file cihshell_fix.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_asp_shell, Description: Web Shell - file shell.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_Private_i3lue, Description: Web Shell - file Private-i3lue.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_php_up, Description: Web Shell - file up.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_Mysql_interface_v1_0, Description: Web Shell - file Mysql interface v1.0.php, Source: 
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_php_s_u, Description: Web Shell - file s-u.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_phpshell_2_1_config, Description: Web Shell - file config.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_asp_EFSO_2, Description: Web Shell - file EFSO_2.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_up, Description: Web Shell - file up.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_NetworkFileManagerPHP, Description: Web Shell - file NetworkFileManagerPHP.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_Server_Variables, Description: Web Shell - file Server Variables.asp,
Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_caidao_shell_ice_2, Description: Web Shell - file ice.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_caidao_shell_mdb, Description: Web Shell - file mdb.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_guige, Description: Web Shell - file guige.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_phpspy2010, Description: Web Shell - file phpspy2010.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_asp_ice, Description: Web Shell - file ice.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_drag_system, Description: Web Shell - file system.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_DarkBlade1_3_asp_indexx, Description: Web Shell - file indexx.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_phpshell3, Description: Web Shell - file phpshell3.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_hsxa, Description: Web Shell - file hsxa.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_utils, Description: Web Shell - file utils.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_asp_01, Description: Web Shell - file 01.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_asp_404, Description: Web Shell - file 404.asp, Source: 
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_webshell_cnseay02_1, Description: Web Shell - file webshell-cnseay02-1.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_php_fbi, Description: Web Shell - file fbi.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_B374kPHP_B374k, Description: Web Shell - file B374k.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_cmd_asp_5_1, Description: Web Shell - file cmd-asp-5.1.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_php_dodo_zip, Description: Web Shell - file zip.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_aZRaiLPhp_v1_0, Description: Web Shell - file aZRaiLPhp v1.0.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_php_list, Description: Web Shell - file list.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_ironshell, Description: Web Shell - file ironshell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_caidao_shell_404, Description: Web Shell - file 404.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_ASP_aspydrv, Description: Web Shell - file aspydrv.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_web, Description: Web Shell - file web.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_mysqlwebsh, Description: Web Shell - 
file mysqlwebsh.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jspShell, Description: Web Shell - file jspShell.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_Dx_Dx, Description: Web Shell - file Dx.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_asp_ntdaddy, Description: Web Shell - file ntdaddy.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_MySQL_Web_Interface_Version_0_8, Description: Web Shell - file MySQL Web Interface Version 0.8.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author:
Florian RothRule: webshell_elmaliseker_2, Description: Web Shell - file elmaliseker.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_ASP_RemExp, Description: Web Shell - file RemExp.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_list1, Description: Web Shell - file list1.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_phpkit_1_0_odd, Description: Web Shell - file odd.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_123, Description: Web Shell - file 123.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_asp_1, Description: Web Shell - file 1.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_ASP_tool, Description: Web Shell - file tool.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_cmd_win32, Description: Web Shell - file cmd_win32.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_jshell, Description: Web Shell - file jshell.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_ASP_zehir4, Description: Web Shell - file zehir4.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_wsb_idc, Description: Web Shell - file idc.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_cpg_143_incl_xpl, Description: Web Shell - file cpg_143_incl_xpl.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian 
RothRule: webshell_mumaasp_com, Description: Web Shell - file mumaasp.com.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_php_404, Description: Web Shell - file 404.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_webshell_cnseay_x, Description: Web Shell - file webshell-cnseay-x.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_asp_up, Description: Web Shell - file up.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_phpkit_0_1a_odd, Description: Web Shell - file odd.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_ASP_cmd, Description: Web Shell - file cmd.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_PHP_Shell_x3, Description: Web Shell - file PHP Shell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_PHP_g00nv13, Description: Web Shell - file g00nv13.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_php_h6ss, Description: Web Shell - file h6ss.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_zx, Description: Web Shell - file zx.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_Ani_Shell, Description: Web Shell - file Ani-Shell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_k8cmd, Description: Web Shell - file k8cmd.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian 
RothRule: webshell_jsp_cmd, Description: Web Shell - file cmd.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_k81, Description: Web Shell - file k81.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_ASP_zehir, Description: Web Shell - file zehir.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_Worse_Linux_Shell, Description: Web Shell - file Worse Linux Shell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_zacosmall, Description: Web Shell - file zacosmall.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit, Description: Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_redirect, Description: Web Shell - file redirect.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_cmdjsp, Description: Web Shell - file cmdjsp.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_Java_Shell, Description: Web Shell - file Java Shell.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_asp_1d, Description: Web Shell - file 1d.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_IXRbE, Description: Web Shell - file IXRbE.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_PHP_G5, Description: Web Shell - file G5.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_PHP_r57142, Description: Web Shell - file r57142.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_tree, Description: Web Shell - file tree.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_C99madShell_v_3_0_smowu, Description: Web Shell - file smowu.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_simple_backdoor, Description: Web Shell - file simple-backdoor.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_PHP_404, Description: Web Shell - file 404.php, 
Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_Macker_s_Private_PHPShell, Description: Web Shell - file Macker\'s Private PHPShell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_Antichat_Shell_v1_3_2, Description: Web Shell - file Antichat Shell v1.3.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_Safe_mode_breaker, Description: Web Shell - file Safe mode breaker.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_Sst_Sheller, Description: Web Shell - file Sst-Sheller.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_list, Description: Web Shell - file list.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_PHPJackal_v1_5, Description: Web Shell - file PHPJackal v1.5.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_customize, Description: Web Shell - file customize.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_s72_Shell_v1_1_Coding, Description: Web Shell - file s72 Shell v1.1 Coding.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_sys3, Description: Web Shell - file sys3.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_guige02, Description: Web Shell - file guige02.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_php_ghost, Description: Web Shell - file ghost.php, Source: 
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_WinX_Shell, Description: Web Shell - file WinX Shell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_Crystal_Crystal, Description: Web Shell - file Crystal.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_r57_1_4_0, Description: Web Shell - file r57.1.4.0.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_hsxa1, Description: Web Shell - file hsxa1.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_asp_ajn, Description: Web Shell - file ajn.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_php_cmd, Description: Web Shell - file cmd.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_asp_list, Description: Web Shell - file list.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_PHP_co, Description: Web Shell - file co.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_PHP_150, Description: Web Shell - file 150.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_cmdjsp_2, Description: Web Shell - file cmdjsp.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_PHP_c37, Description: Web Shell - file c37.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_PHP_b37, Description: Web Shell - file b37.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_php_backdoor, Description: Web Shell - file php-backdoor.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_asp_dabao, Description: Web Shell - file dabao.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_php_2, Description: Web Shell - file 2.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_asp_cmdasp, Description: Web Shell - file cmdasp.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_spjspshell, Description: Web Shell - 
file spjspshell.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_action, Description: Web Shell - file action.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_Inderxer, Description: Web Shell - file Inderxer.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_asp_Rader, Description: Web Shell - file Rader.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_c99_madnet_smowu, Description: Web Shell - file smowu.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_php_moon, Description: Web Shell - file moon.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_jdbc, Description: Web Shell - file jdbc.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_minupload, Description: Web Shell - file minupload.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_ELMALISEKER_Backd00r, Description: Web Shell - file ELMALISEKER Backd00r.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_PHP_bug_1_, Description: Web Shell - file bug (1).php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_caidao_shell_hkmjj, Description: Web Shell - file hkmjj.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_asd, Description: Web Shell - file asd.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_jsp_inback3, 
Description: Web Shell - file inback3.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_metaslsoft, Description: Web Shell - file metaslsoft.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_asp_Ajan, Description: Web Shell - file Ajan.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_config_myxx_zend, Description: Web Shell - from files config.jsp, myxx.jsp, zend.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: webshell_browser_201_3_ma_download, Description: Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, download.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_itsec_itsecteam_shell_jHn, Description: Web Shell - from files itsec.php, itsecteam_shell.php, jHn.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_ghost_source_icesword_silic, Description: Web Shell - from files ghost_source.php, icesword.php, silic.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_spy2009_m_ma3_xxx, Description: Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, t00ls.jsp, u.jsp, xia.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_2_520_job_ma1_ma4_2, Description: Web Shell - from files 2.jsp, 520.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_000_403_807_a_c5_config_css_dm_he1p_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_xxx, Description: Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, t00ls.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_wso2_5_1_wso2_5_wso2, Description: Web Shell - from files wso2.5.1.php, wso2.5.php, wso2.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_000_403_c5_queryDong_spyjsp2010_t00ls, Description: Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp, t00ls.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_404_data_suiyue, Description: Web Shell - from files 404.jsp, data.jsp, suiyue.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_r57shell_r57shell127_SnIpEr_SA_Shell_EgY_SpIdEr_ShElL_V2_r57_xxx, Description: Web Shell - from files r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_807_a_css_dm_he1p_JspSpy_xxx, Description: Web Shell - from files 807.jsp, a.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, nogfw.jsp, ok.jsp, style.jsp, u.jsp, xia.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_201_3_ma_download, Description: Web Shell - from files 201.jsp, 3.jsp, ma.jsp, download.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download, Description: Web Shell - from files browser.jsp, 201.jsp, 3.jsp, 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, ma.jsp, warn.jsp, webshell-nc.jsp, download.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_shell_phpspy_2006_arabicspy, Description: Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_in_JFolder_jfolder01_jsp_leo_warn, Description: Web Shell - from files in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_2_520_icesword_job_ma1_ma4_2, Description: Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_phpspy_2005_full_phpspy_2005_lite_PHPSPY, Description: Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, PHPSPY.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_shell_phpspy_2006_arabicspy_hkrkoz, Description: Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php, hkrkoz.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_c99_Shell_ci_Biz_was_here_c100_v_xxx, Description: Web Shell - from files c99.php, Shell [ci, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: unknown
Rule: webshell_2008_2009lite_2009mssql, Description: Web Shell - from files 2008.php, 2009lite.php, 2009mssql.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_shell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_arabicspy_PHPSPY_hkrkoz, Description: Web Shell - from files shell.php, phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, arabicspy.php, PHPSPY.php, hkrkoz.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_807_dm_JspSpyJDK5_m_cofigrue, Description: Web Shell - from files 807.jsp, dm.jsp, JspSpyJDK5.jsp, m.jsp, cofigrue.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx, Description: Web Shell - from files Dive Shell 1.0 - Emperor Hacking Team.php, phpshell.php, SimShell 1.0 - Simorgh Security MGZ.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_404_data_in_JFolder_jfolder01_xxx, Description: Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, suiyue.jsp, warn.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_jsp_reverse_jsp_reverse_jspbd, Description: Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_400_in_JFolder_jfolder01_jsp_leo_warn_webshell_nc, Description: Web Shell - from files 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp, webshell-nc.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_2_520_job_JspWebshell_1_2_ma1_ma4_2, Description: Web Shell - from files 2.jsp, 520.jsp, job.jsp, JspWebshell 1.2.jsp, ma1.jsp, ma4.jsp, 2.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx, Description: Web Shell - from files gfs_sh.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_itsec_PHPJackal_itsecteam_shell_jHn, Description: Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_Shell_ci_Biz_was_here_c100_v_xxx, Description: Web Shell - from files Shell [ci, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: unknown
Rule: webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1, Description: Web Shell - from files NIX REMOTE WEB-SHELL.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, KAdot Universal Shell v0.1.6.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_c99_c99shell_c99_w4cking_Shell_xxx, Description: Web Shell - from files c99.php, c99shell.php, c99_w4cking.php, Shell [ci, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: unknown
Rule: webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz, Description: Web Shell - from files 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_c99_c66_c99_shadows_mod_c99shell, Description: Web Shell - from files c99.php, c66.php, c99-shadows-mod.php, c99shell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_he1p_JspSpy_nogfw_ok_style_1_JspSpy1, Description: Web Shell - from files he1p.jsp, JspSpy.jsp, nogfw.jsp, ok.jsp, style.jsp, 1.jsp, JspSpy.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend, Description: Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_c99_c99shell_c99_c99shell, Description: Web Shell - from files c99.php, c99shell.php, c99.php, c99shell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat, Description: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_NIX_REMOTE_WEB_SHELL_nstview_xxx, Description: Web Shell - from files NIX REMOTE WEB-SHELL.php, nstview.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, Cyber Shell (v 1.0).php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_000_403_807_a_c5_config_css_dm_he1p_xxx, Description: Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_2_520_icesword_job_ma1, Description: Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_404_data_in_JFolder_jfolder01_jsp_suiyue_warn, Description: Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, suiyue.jsp, warn.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY, Description: Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_c99_locus7s_c99_w4cking_xxx, Description: Web Shell - from files c99_locus7s.php, c99_w4cking.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, acid.php, newsh.php, r57.php, Backdoor.PHP.Agent.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_browser_201_3_ma_ma2_download, Description: Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, ma2.jsp, download.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_000_403_c5_queryDong_spyjsp2010, Description: Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_r57shell127_r57_kartal_r57, Description: Web Shell - from files r57shell127.php, r57_kartal.php, r57.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_webshells_new_con2, Description: Web shells - generated from file con2.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_webshells_new_make2, Description: Web shells - generated from file make2.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_webshells_new_aaa, Description: Web shells - generated from file aaa.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_Expdoor_com_ASP, Description: Web shells - generated from file Expdoor.com ASP.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_webshells_new_php2, Description: Web shells - generated from file php2.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_bypass_iisuser_p, Description: Web shells - generated from file bypass-iisuser-p.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_sig_404super, Description: Web shells - generated from file 404super.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_webshells_new_JSP, Description: Web shells - generated from file JSP.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_webshell_123, Description: Web shells - generated from file webshell-123.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_dev_core, Description: Web shells - generated from file dev_core.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_webshells_new_pHp, Description: Web shells - generated from file pHp.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_webshells_new_pppp, Description: Web shells - generated from file pppp.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_webshells_new_code, Description: Web shells - generated from file code.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_webshells_new_jspyyy, Description: Web shells - generated from file jspyyy.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_webshells_new_xxxx, Description: Web shells - generated from file xxxx.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_webshells_new_JJjsp3, Description: Web shells - generated from file JJjsp3.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_webshells_new_PHP1, Description: Web shells - generated from file PHP1.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_webshells_new_JJJsp2, Description: Web shells - generated from file JJJsp2.jsp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_webshells_new_radhat, Description: Web shells - generated from file radhat.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_webshells_new_asp1, Description: Web shells - generated from file asp1.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_webshells_new_php6, Description: Web shells - generated from file php6.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_webshells_new_xxx, Description: Web shells - generated from file xxx.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_GetPostpHp, Description: Web shells - generated from file GetPostpHp.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_webshells_new_php5, Description: Web shells - generated from file php5.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_webshells_new_PHP, Description: Web shells - generated from file PHP.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: webshell_webshells_new_Asp, Description: Web shells - generated from file Asp.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: perlbot_pl, Description: Semi-Auto-generated - file perlbot.pl.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: php_backdoor_php, Description: Semi-Auto-generated - file php-backdoor.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php, Description: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: Nshell__1__php_php, Description: Semi-Auto-generated - file Nshell (1).php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: shankar_php_php, Description: Semi-Auto-generated - file shankar.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: Casus15_php_php, Description: Semi-Auto-generated - file Casus15.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: small_php_php, Description: Semi-Auto-generated - file small.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: shellbot_pl, Description: Semi-Auto-generated - file shellbot.pl.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: fuckphpshell_php, Description: Semi-Auto-generated - file fuckphpshell.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: ngh_php_php, Description: Semi-Auto-generated - file ngh.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: jsp_reverse_jsp, Description: Semi-Auto-generated - file jsp-reverse.jsp.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: Tool_asp, Description: Semi-Auto-generated - file Tool.asp.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: NT_Addy_asp, Description: Semi-Auto-generated - file NT Addy.asp.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php, Description: Semi-Auto-generated - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: RemExp_asp, Description: Semi-Auto-generated - file RemExp.asp.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: phvayvv_php_php, Description: Semi-Auto-generated - file phvayvv.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: klasvayv_asp, Description: Semi-Auto-generated - file klasvayv.asp.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: rst_sql_php_php, Description: Semi-Auto-generated - file rst_sql.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: wh_bindshell_py, Description: Semi-Auto-generated - file wh_bindshell.py.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: lurm_safemod_on_cgi, Description: Semi-Auto-generated - file lurm_safemod_on.cgi.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: c99madshell_v2_0_php_php, Description: Semi-Auto-generated - file c99madshell_v2.0.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: backupsql_php_often_with_c99shell, Description: Semi-Auto-generated - file backupsql.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: uploader_php_php, Description: Semi-Auto-generated - file uploader.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: telnet_pl, Description: Semi-Auto-generated - file telnet.pl.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: w3d_php_php, Description: Semi-Auto-generated - file w3d.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: WebShell_cgi, Description: Semi-Auto-generated - file WebShell.cgi.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: WinX_Shell_html, Description: Semi-Auto-generated - file WinX Shell.html.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: Dx_php_php, Description: Semi-Auto-generated - file Dx.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: csh_php_php, Description: Semi-Auto-generated - file csh.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: pHpINJ_php_php, Description: Semi-Auto-generated - file pHpINJ.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: sig_2008_php_php, Description: Semi-Auto-generated - file 2008.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: ak74shell_php_php, Description: Semi-Auto-generated - file ak74shell.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: Rem_View_php_php, Description: Semi-Auto-generated - file Rem View.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: Java_Shell_js, Description: Semi-Auto-generated - file Java Shell.js.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: STNC_php_php, Description: Semi-Auto-generated - file STNC.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: aZRaiLPhp_v1_0_php, Description: Semi-Auto-generated - file aZRaiLPhp v1.0.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: Moroccan_Spamers_Ma_EditioN_By_GhOsT_php, Description: Semi-Auto-generated - file Moroccan Spamers Ma-EditioN By GhOsT.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: zacosmall_php, Description: Semi-Auto-generated - file zacosmall.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: CmdAsp_asp, Description: Semi-Auto-generated - file CmdAsp.asp.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: simple_backdoor_php, Description: Semi-Auto-generated - file simple-backdoor.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: mysql_shell_php, Description: Semi-Auto-generated - file mysql_shell.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: Dive_Shell_1_0___Emperor_Hacking_Team_php, Description: Semi-Auto-generated - file Dive Shell 1.0 - Emperor Hacking Team.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: Asmodeus_v0_1_pl, Description: Semi-Auto-generated - file Asmodeus v0.1.pl.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: backup_php_often_with_c99shell, Description: Semi-Auto-generated - file backup.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: Reader_asp, Description: Semi-Auto-generated - file Reader.asp.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: phpshell17_php, Description: Semi-Auto-generated - file phpshell17.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: myshell_php_php, Description: Semi-Auto-generated - file myshell.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: SimShell_1_0___Simorgh_Security_MGZ_php, Description: Semi-Auto-generated - file SimShell 1.0 - Simorgh Security MGZ.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: jspshall_jsp, Description: Semi-Auto-generated - file jspshall.jsp.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: rootshell_php, Description: Semi-Auto-generated - file rootshell.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: connectback2_pl, Description: Semi-Auto-generated - file connectback2.pl.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: DefaceKeeper_0_2_php, Description: Semi-Auto-generated - file DefaceKeeper_0.2.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: shells_PHP_wso, Description: Semi-Auto-generated - file wso.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: backdoor1_php, Description: Semi-Auto-generated - file backdoor1.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: elmaliseker_asp, Description: Semi-Auto-generated - file elmaliseker.asp.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: indexer_asp, Description: Semi-Auto-generated - file indexer.asp.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: DxShell_php_php, Description: Semi-Auto-generated - file DxShell.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: s72_Shell_v1_1_Coding_html, Description: Semi-Auto-generated - file s72 Shell v1.1 Coding.html.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: hidshell_php_php, Description: Semi-Auto-generated - file hidshell.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: kacak_asp, Description: Semi-Auto-generated - file kacak.asp.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: PHP_Backdoor_Connect_pl_php, Description: Semi-Auto-generated - file PHP Backdoor Connect.pl.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: Antichat_Socks5_Server_php_php, Description: Semi-Auto-generated - file Antichat Socks5 Server.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: Antichat_Shell_v1_3_php, Description: Semi-Auto-generated - file Antichat Shell v1.3.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php, Description: Semi-Auto-generated - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: mysql_php_php, Description: Semi-Auto-generated - file mysql.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: Worse_Linux_Shell_php, Description: Semi-Auto-generated - file Worse Linux Shell.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: cyberlords_sql_php_php, Description: Semi-Auto-generated - file cyberlords_sql.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: cmd_asp_5_1_asp, Description: Semi-Auto-generated - file cmd-asp-5.1.asp.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: pws_php_php, Description: Semi-Auto-generated - file pws.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: PHP_Shell_php_php, Description: Semi-Auto-generated - file PHP Shell.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html, Description: Semi-Auto-generated - file Ayyildiz Tim -AYT- Shell v 2.1 Biz.html.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: EFSO_2_asp, Description: Semi-Auto-generated - file EFSO_2.asp.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: lamashell_php, Description: Semi-Auto-generated - file lamashell.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: Ajax_PHP_Command_Shell_php, Description: Semi-Auto-generated - file Ajax_PHP Command Shell.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: JspWebshell_1_2_jsp, Description: Semi-Auto-generated - file JspWebshell 1.2.jsp.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: Sincap_php_php, Description: Semi-Auto-generated - file Sincap.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: Test_php_php, Description: Semi-Auto-generated - file Test.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: Phyton_Shell_py, Description: Semi-Auto-generated - file Phyton Shell.py.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: mysql_tool_php_php, Description: Semi-Auto-generated - file mysql_tool.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: Zehir_4_asp, Description: Semi-Auto-generated - file Zehir 4.asp.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: sh_php_php, Description: Semi-Auto-generated - file sh.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: phpbackdoor15_php, Description: Semi-Auto-generated - file phpbackdoor15.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: phpjackal_php, Description: Semi-Auto-generated - file phpjackal.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: sql_php_php, Description: Semi-Auto-generated - file sql.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: cgi_python_py, Description: Semi-Auto-generated - file cgi-python.py.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: ru24_post_sh_php_php, Description: Semi-Auto-generated - file ru24_post_sh.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: DTool_Pro_php, Description: Semi-Auto-generated - file DTool Pro.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: telnetd_pl, Description: Semi-Auto-generated - file telnetd.pl.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: php_include_w_shell_php, Description: Semi-Auto-generated - file php-include-w-shell.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: shell_php_php, Description: Semi-Auto-generated - file shell.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: telnet_cgi, Description: Semi-Auto-generated - file telnet.cgi.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: ironshell_php, Description: Semi-Auto-generated - file ironshell.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Rule: backdoorfr_php, Description: Semi-Auto-generated - file backdoorfr.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by 
Stefan -dfate- MollsRule: aspydrv_asp, Description: Semi-Auto-generated - file aspydrv.asp.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: cmdjsp_jsp, Description: Semi-Auto-generated - file cmdjsp.jsp.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: h4ntu_shell__powered_by_tsoi_, Description: Semi-Auto-generated - file h4ntu shell [powered by tsoi, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: unknownRule: Ajan_asp, Description: Semi-Auto-generated - file Ajan.asp.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: PHANTASMA_php, Description: Semi-Auto-generated - file PHANTASMA.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: MySQL_Web_Interface_Version_0_8_php, Description: Semi-Auto-generated - file MySQL Web Interface Version 0.8.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: simple_cmd_html, Description: Semi-Auto-generated - file simple_cmd.html.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0001, Description: Semi-Auto-generated - from files 1.txt, c2007.php.php.txt, c100.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0002, Description: Semi-Auto-generated - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt, Source: 
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0003, Description: Semi-Auto-generated - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0004, Description: Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0005, Description: Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0006, Description: Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, ctt_sh.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0007, Description: Semi-Auto-generated - from files r577.php.php.txt, spy.php.php.txt, s.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0008, Description: Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt, ctt_sh.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: 
multiple_webshells_0009, Description: Semi-Auto-generated - from files

Copyright Joe Security LLC 2021 Page 35 of 48

w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0010, Description: Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0011, Description: Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0012, Description: Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0013, Description: Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0014, Description: Semi-Auto-generated - from files r577.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0015, Description: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, 
Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0016, Description: Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0017, Description: Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_php_webshells, Description: Semi-Auto-generated - from files multiple_php_webshells, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0019, Description: Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0020, Description: Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0021, Description: Semi-Auto-generated - from files GFS web-shell ver 3.1.7 - PRiV8.php.txt, nshell.php.php.txt, gfs_sh.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0022, Description: Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, 
SpecialShell_99.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0023, Description: Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0024, Description: Semi-Auto-generated - from files antichat.php.php.txt, Fatalshell.php.php.txt, a_gedit.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0025, Description: Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0026, Description: Semi-Auto-generated - from files Crystal.php.txt, nshell.php.php.txt, load_shell.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0027, Description: Semi-Auto-generated - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0028, Description: Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, dC3 Security Crew Shell PRiV.php.txt, SpecialShell_99.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: 
multiple_webshells_0029, Description: Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, 1.txt, c2007.php.php.txt, c100.php.txt, Source:

Copyright Joe Security LLC 2021 Page 36 of 48

00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_php_webshells_2, Description: Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt, ctt_sh.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0030, Description: Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0031, Description: Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: multiple_webshells_0032, Description: Semi-Auto-generated - from files nixrem.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- MollsRule: DarkSecurityTeam_Webshell, Description: Dark Security Team Webshell, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: PHP_Cloaked_Webshell_SuperFetchExec, Description: Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_RemExp_asp_php, Description: PHP Webshells Github Archive - file RemExp.asp.php.txt, Source: 
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_dC3_Security_Crew_Shell_PRiV, Description: PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_simattacker, Description: PHP Webshells Github Archive - file simattacker.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_DTool_Pro, Description: PHP Webshells Github Archive - file DTool Pro.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_ironshell, Description: PHP Webshells Github Archive - file ironshell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_indexer_asp_php, Description: PHP Webshells Github Archive - file indexer.asp.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_toolaspshell, Description: PHP Webshells Github Archive - file toolaspshell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_b374k_mini_shell_php_php, Description: PHP Webshells Github Archive - file b374k-mini-shell-php.php.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_Sincap_1_0, Description: PHP Webshells Github Archive - file Sincap 1.0.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_b374k_php, Description: PHP Webshells Github Archive - file b374k.php.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend, Description: PHP Webshells Github Archive - file SimAttacker - Vrsion 
1.0.0 - priv8 4 My friend.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_h4ntu_shell__powered_by_tsoi_, Description: PHP Webshells Github Archive - file h4ntu shell [powered by tsoi, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: unknownRule: WebShell_php_webshells_MyShell, Description: PHP Webshells Github Archive - file MyShell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_php_webshells_pws, Description: PHP Webshells Github Archive - file pws.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_reader_asp_php, Description: PHP Webshells Github Archive - file reader.asp.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2, Description: PHP Webshells Github Archive - file Safe_Mode_Bypass_PHP_4.4.2_and_PHP_5.1.2.php,

Copyright Joe Security LLC 2021 Page 37 of 48

Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit, Description: PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_php_backdoor, Description: PHP Webshells Github Archive - file php-backdoor.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_Worse_Linux_Shell, Description: PHP Webshells Github Archive - file Worse Linux Shell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_php_webshells_pHpINJ, Description: PHP Webshells Github Archive - file pHpINJ.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_php_webshells_NGH, Description: PHP Webshells Github Archive - file NGH.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_php_webshells_matamu, Description: PHP Webshells Github Archive - file matamu.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_ru24_post_sh, Description: PHP Webshells Github Archive - file ru24_post_sh.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_hiddens_shell_v1, Description: PHP Webshells Github Archive - file hiddens shell v1.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_c99_madnet, Description: PHP Webshells Github Archive - file c99_madnet.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_c99_locus7s, Description: PHP Webshells 
Github Archive - file c99_locus7s.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_JspWebshell_1_2, Description: PHP Webshells Github Archive - file JspWebshell_1.2.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_safe0ver, Description: PHP Webshells Github Archive - file safe0ver.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_Uploader, Description: PHP Webshells Github Archive - file Uploader.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_php_webshells_kral, Description: PHP Webshells Github Archive - file kral.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_cgitelnet, Description: PHP Webshells Github Archive - file cgitelnet.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_simple_backdoor, Description: PHP Webshells Github Archive - file simple-backdoor.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_2, Description: PHP Webshells Github Archive - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_NTDaddy_v1_9, Description: PHP Webshells Github Archive - file NTDaddy v1.9.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_lamashell, Description: PHP Webshells Github Archive - file lamashell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_Simple_PHP_backdoor_by_DK, Description: PHP Webshells Github Archive - 
file Simple_PHP_backdoor_by_DK.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_Moroccan_Spamers_Ma_EditioN_By_GhOsT, Description: PHP Webshells Github Archive - file Moroccan Spamers Ma-EditioN By GhOsT.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_C99madShell_v__2_0_madnet_edition, Description: PHP Webshells

Copyright Joe Security LLC 2021 Page 38 of 48

Github Archive - file C99madShell v. 2.0 madnet edition.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_CmdAsp_asp_php, Description: PHP Webshells Github Archive - file CmdAsp.asp.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_NCC_Shell, Description: PHP Webshells Github Archive - file NCC-Shell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_php_webshells_README, Description: PHP Webshells Github Archive - file README.md, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_backupsql, Description: PHP Webshells Github Archive - file backupsql.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_AK_74_Security_Team_Web_Shell_Beta_Version, Description: PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_php_webshells_cpanel, Description: PHP Webshells Github Archive - file cpanel.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_accept_language, Description: PHP Webshells Github Archive - file accept_language.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_php_webshells_529, Description: PHP Webshells Github Archive - file 529.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_STNC_WebShell_v0_8, Description: PHP Webshells Github Archive - file STNC WebShell v0.8.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_php_webshells_tryag, 
Description: PHP Webshells Github Archive - file tryag.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_dC3_Security_Crew_Shell_PRiV_2, Description: PHP Webshells Github Archive - file dC3 Security Crew Shell PRiV.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_qsd_php_backdoor, Description: PHP Webshells Github Archive - file qsd-php-backdoor.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_php_webshells_spygrup, Description: PHP Webshells Github Archive - file spygrup.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_Web_shell__c_ShAnKaR, Description: PHP Webshells Github Archive - file Web-shell (c)ShAnKaR.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz, Description: PHP Webshells Github Archive - file Ayyildiz Tim -AYT- Shell v 2.1 Biz.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_Gamma_Web_Shell, Description: PHP Webshells Github Archive - file Gamma Web Shell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_php_webshells_aspydrv, Description: PHP Webshells Github Archive - file aspydrv.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_JspWebshell_1_2_2, Description: PHP Webshells Github Archive - file JspWebshell 1.2.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_g00nshell_v1_3, Description: PHP Webshells Github Archive - file g00nshell-v1.3.php, Source: 
00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_WinX_Shell, Description: PHP Webshells Github Archive - file WinX Shell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_PHANTASMA, Description: PHP Webshells Github Archive - file PHANTASMA.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_php_webshells_cw, Description: PHP Webshells Github Archive - file cw.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author:

Copyright Joe Security LLC 2021 Page 39 of 48

Florian RothRule: WebShell_php_include_w_shell, Description: PHP Webshells Github Archive - file php-include-w-shell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_mysql_tool, Description: PHP Webshells Github Archive - file mysql_tool.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_PhpSpy_Ver_2006, Description: PHP Webshells Github Archive - file PhpSpy Ver 2006.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_ZyklonShell, Description: PHP Webshells Github Archive - file ZyklonShell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_php_webshells_myshell, Description: PHP Webshells Github Archive - file myshell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_php_webshells_lolipop, Description: PHP Webshells Github Archive - file lolipop.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_simple_cmd, Description: PHP Webshells Github Archive - file simple_cmd.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_go_shell, Description: PHP Webshells Github Archive - file go-shell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_aZRaiLPhp_v1_0, Description: PHP Webshells Github Archive - file aZRaiLPhp v1.0.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_webshells_zehir4, Description: Webshells Github Archive - file zehir4, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian RothRule: WebShell_zehir4_asp_php, Description: PHP 
Webshells Github Archive - file zehir4.asp.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: WebShell_php_webshells_lostDC, Description: PHP Webshells Github Archive - file lostDC.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: WebShell_CasuS_1_5, Description: PHP Webshells Github Archive - file CasuS 1.5.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: WebShell_ftpsearch, Description: PHP Webshells Github Archive - file ftpsearch.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: WebShell__Cyber_Shell_cybershell_Cyber_Shell__v_1_0_, Description: PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: WebShell__Ajax_PHP_Command_Shell_Ajax_PHP_Command_Shell_soldierofallah, Description: PHP Webshells Github Archive - from files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, soldierofallah.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: WebShell_Generic_PHP_7, Description: PHP Webshells Github Archive - from files Mysql interface v1.0.php, MySQL Web Interface Version 0.8.php, Mysql_interface_v1.0.php, MySQL_Web_Interface_Version_0.8.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall, Description: PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: WebShell_Generic_PHP_8, Description: PHP Webshells Github Archive - from files Macker's Private PHPShell.php, PHP Shell.php, Safe0ver Shell -Safe Mod Bypass By Evilc0der.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: WebShell__PH_Vayv_PHVayv_PH_Vayv_klasvayv_asp_php, Description: PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php, klasvayv.asp.php.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: WebShell_Generic_PHP_9, Description: PHP Webshells Github Archive - from files KAdot Universal Shell v0.1.6.php, KAdot_Universal_Shell_v0.1.6.php, KA_uShell 0.1.6.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: WebShell__PH_Vayv_PHVayv_PH_Vayv, Description: PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: WebShell_Generic_PHP_1, Description: PHP Webshells Github Archive - from files Dive Shell 1.0 - Emperor Hacking Team.php, Dive_Shell_1.0_Emperor_Hacking_Team.php, SimShell 1.0 - Simorgh Security MGZ.php, SimShell_1.0_-_Simorgh_Security_MGZ.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: WebShell_Generic_PHP_2, Description: PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: WebShell__CrystalShell_v_1_erne_stres, Description: PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, stres.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: WebShell_Generic_PHP_3, Description: PHP Webshells Github Archive - from files Antichat Shell v1.3.php, Antichat Shell. Modified by Go0o$E.php, Antichat Shell.php, fatal.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: WebShell_Generic_PHP_4, Description: PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, nshell.php, Loaderz WEB Shell.php, stres.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: WebShell_GFS, Description: PHP Webshells Github Archive - from files GFS web-shell ver 3.1.7 - PRiV8.php, Predator.php, GFS_web-shell_ver_3.1.7_-_PRiV8.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: WebShell__CrystalShell_v_1_sosyete_stres, Description: PHP Webshells Github Archive - from files CrystalShell v.1.php, sosyete.php, stres.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: WebShell_Generic_PHP_10, Description: PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php, PHPRemoteView.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: WebShell_Generic_PHP_11, Description: PHP Webshells Github Archive - from files rootshell.php, Rootshell.v.1.0.php, s72 Shell v1.1 Coding.php, s72_Shell_v1.1_Coding.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: WebShell__findsock_php_findsock_shell_php_reverse_shell, Description: PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: WebShell_Generic_PHP_6, Description: PHP Webshells Github Archive - from files c0derz shell [csh, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: unknown
Rule: Unpack_Injectt, Description: Webshells Auto-generated - file Injectt.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: HYTop_DevPack_fso, Description: Webshells Auto-generated - file fso.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FeliksPack3___PHP_Shells_ssh, Description: Webshells Auto-generated - file ssh.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: Debug_BDoor, Description: Webshells Auto-generated - file BDoor.dll, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: bin_Client, Description: Webshells Auto-generated - file Client.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: ZXshell2_0_rar_Folder_ZXshell, Description: Webshells Auto-generated - file ZXshell.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: RkNTLoad, Description: Webshells Auto-generated - file RkNTLoad.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: binder2_binder2, Description: Webshells Auto-generated - file binder2.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: thelast_orice2, Description: Webshells Auto-generated - file orice2.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_sincap, Description: Webshells Auto-generated - file sincap.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: PhpShell, Description: Webshells Auto-generated - file PhpShell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: HYTop_DevPack_config, Description: Webshells Auto-generated - file config.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: sendmail, Description: Webshells Auto-generated - file sendmail.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_zehir4, Description: Webshells Auto-generated - file zehir4.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: hkshell_hkshell, Description: Webshells Auto-generated - file hkshell.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: iMHaPFtp, Description: Webshells Auto-generated - file iMHaPFtp.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: Unpack_TBack, Description: Webshells Auto-generated - file TBack.dll, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: DarkSpy105, Description: Webshells Auto-generated - file DarkSpy105.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: EditServer_Webshell, Description: Webshells Auto-generated - file EditServer.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_reader, Description: Webshells Auto-generated - file reader.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: ASP_CmdAsp, Description: Webshells Auto-generated - file CmdAsp.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: KA_uShell, Description: Webshells Auto-generated - file KA_uShell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: PHP_Backdoor_v1, Description: Webshells Auto-generated - file PHP Backdoor v1.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: svchostdll, Description: Webshells Auto-generated - file svchostdll.dll, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: HYTop_DevPack_server, Description: Webshells Auto-generated - file server.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: vanquish, Description: Webshells Auto-generated - file vanquish.dll, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: winshell, Description: Webshells Auto-generated - file winshell.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_remview, Description: Webshells Auto-generated - file remview.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: saphpshell, Description: Webshells Auto-generated - file saphpshell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: HYTop2006_rar_Folder_2006Z, Description: Webshells Auto-generated - file 2006Z.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: admin_ad, Description: Webshells Auto-generated - file admin-ad.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_casus15, Description: Webshells Auto-generated - file casus15.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: BIN_Client, Description: Webshells Auto-generated - file Client.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: shelltools_g0t_root_uptime, Description: Webshells Auto-generated - file uptime.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: Simple_PHP_BackDooR, Description: Webshells Auto-generated - file Simple_PHP_BackDooR.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: sig_2005Gray, Description: Webshells Auto-generated - file 2005Gray.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: DllInjection, Description: Webshells Auto-generated - file DllInjection.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: Mithril_v1_45_Mithril, Description: Webshells Auto-generated - file Mithril.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: hkshell_hkrmv, Description: Webshells Auto-generated - file hkrmv.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: phpshell, Description: Webshells Auto-generated - file phpshell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_cmd, Description: Webshells Auto-generated - file cmd.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FeliksPack3___PHP_Shells_phpft, Description: Webshells Auto-generated - file phpft.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_indexer, Description: Webshells Auto-generated - file indexer.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: r57shell, Description: Webshells Auto-generated - file r57shell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: bdcli100, Description: Webshells Auto-generated - file bdcli100.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: HYTop_DevPack_2005Red, Description: Webshells Auto-generated - file 2005Red.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: HYTop2006_rar_Folder_2006X2, Description: Webshells Auto-generated - file 2006X2.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: rdrbs084, Description: Webshells Auto-generated - file rdrbs084.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: HYTop_CaseSwitch_2005, Description: Webshells Auto-generated - file 2005.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: eBayId_index3, Description: Webshells Auto-generated - file index3.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_phvayv, Description: Webshells Auto-generated - file phvayv.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: byshell063_ntboot, Description: Webshells Auto-generated - file ntboot.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_casus15_2, Description: Webshells Auto-generated - file casus15.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: installer, Description: Webshells Auto-generated - file installer.cmd, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: uploader, Description: Webshells Auto-generated - file uploader.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_remview_2, Description: Webshells Auto-generated - file remview.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FeliksPack3___PHP_Shells_r57, Description: Webshells Auto-generated - file r57.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: HYTop2006_rar_Folder_2006X, Description: Webshells Auto-generated - file 2006X.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_phvayv_2, Description: Webshells Auto-generated - file phvayv.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: elmaliseker, Description: Webshells Auto-generated - file elmaliseker.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: shelltools_g0t_root_resolve, Description: Webshells Auto-generated - file resolve.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_RemExp, Description: Webshells Auto-generated - file RemExp.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_tool, Description: Webshells Auto-generated - file tool.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FeliksPack3___PHP_Shells_2005, Description: Webshells Auto-generated - file 2005.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: byloader, Description: Webshells Auto-generated - file byloader.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: shelltools_g0t_root_Fport, Description: Webshells Auto-generated - file Fport.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: BackDooR__fr_, Description: Webshells Auto-generated - file BackDooR (fr).php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_ntdaddy, Description: Webshells Auto-generated - file ntdaddy.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: nstview_nstview, Description: Webshells Auto-generated - file nstview.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: HYTop_DevPack_upload, Description: Webshells Auto-generated - file upload.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: PasswordReminder, Description: Webshells Auto-generated - file PasswordReminder.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: Pack_InjectT, Description: Webshells Auto-generated - file InjectT.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_RemExp_2, Description: Webshells Auto-generated - file RemExp.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_c99, Description: Webshells Auto-generated - file c99.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: rknt_zip_Folder_RkNT, Description: Webshells Auto-generated - file RkNT.dll, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: dbgntboot, Description: Webshells Auto-generated - file dbgntboot.dll, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: PHP_shell, Description: Webshells Auto-generated - file shell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: hxdef100, Description: Webshells Auto-generated - file hxdef100.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: rdrbs100, Description: Webshells Auto-generated - file rdrbs100.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: Mithril_Mithril, Description: Webshells Auto-generated - file Mithril.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: hxdef100_2, Description: Webshells Auto-generated - file hxdef100.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: Release_dllTest, Description: Webshells Auto-generated - file dllTest.dll, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: webadmin, Description: Webshells Auto-generated - file webadmin.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: commands, Description: Webshells Auto-generated - file commands.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: hkdoordll, Description: Webshells Auto-generated - file hkdoordll.dll, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: r57shell_2, Description: Webshells Auto-generated - file r57shell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: Mithril_v1_45_dllTest, Description: Webshells Auto-generated - file dllTest.dll, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: dbgiis6cli, Description: Webshells Auto-generated - file dbgiis6cli.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: remview_2003_04_22, Description: Webshells Auto-generated - file remview_2003_04_22.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_test, Description: Webshells Auto-generated - file test.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: Debug_cress, Description: Webshells Auto-generated - file cress.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_EFSO_2, Description: Webshells Auto-generated - file EFSO_2.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: thelast_index3, Description: Webshells Auto-generated - file index3.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: adjustcr, Description: Webshells Auto-generated - file adjustcr.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FeliksPack3___PHP_Shells_xIShell, Description: Webshells Auto-generated - file xIShell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: HYTop_AppPack_2005, Description: Webshells Auto-generated - file 2005.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: xssshell, Description: Webshells Auto-generated - file xssshell.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FeliksPack3___PHP_Shells_usr, Description: Webshells Auto-generated - file usr.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_phpinj, Description: Webshells Auto-generated - file phpinj.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: xssshell_db, Description: Webshells Auto-generated - file db.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: PHP_sh, Description: Webshells Auto-generated - file sh.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: xssshell_default, Description: Webshells Auto-generated - file default.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: EditServer_Webshell_2, Description: Webshells Auto-generated - file EditServer.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: by064cli, Description: Webshells Auto-generated - file by064cli.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: Mithril_dllTest, Description: Webshells Auto-generated - file dllTest.dll, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: peek_a_boo, Description: Webshells Auto-generated - file peek-a-boo.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: fmlibraryv3, Description: Webshells Auto-generated - file fmlibraryv3.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: Debug_dllTest_2, Description: Webshells Auto-generated - file dllTest.dll, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: connector, Description: Webshells Auto-generated - file connector.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: shelltools_g0t_root_HideRun, Description: Webshells Auto-generated - file HideRun.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: PHP_Shell_v1_7, Description: Webshells Auto-generated - file PHP_Shell_v1.7.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: xssshell_save, Description: Webshells Auto-generated - file save.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_phpinj_2, Description: Webshells Auto-generated - file phpinj.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: ZXshell2_0_rar_Folder_zxrecv, Description: Webshells Auto-generated - file zxrecv.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_ajan, Description: Webshells Auto-generated - file ajan.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: c99shell, Description: Webshells Auto-generated - file c99shell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: phpspy_2005_full, Description: Webshells Auto-generated - file phpspy_2005_full.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_zehir4_2, Description: Webshells Auto-generated - file zehir4.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_indexer_2, Description: Webshells Auto-generated - file indexer.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: HYTop_DevPack_2005, Description: Webshells Auto-generated - file 2005.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: _root_040_zip_Folder_deploy, Description: Webshells Auto-generated - file deploy.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: by063cli, Description: Webshells Auto-generated - file by063cli.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: icyfox007v1_10_rar_Folder_asp, Description: Webshells Auto-generated - file asp.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_EFSO_2_2, Description: Webshells Auto-generated - file EFSO_2.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: byshell063_ntboot_2, Description: Webshells Auto-generated - file ntboot.dll, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: u_uay, Description: Webshells Auto-generated - file uay.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: bin_wuaus, Description: Webshells Auto-generated - file wuaus.dll, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: pwreveal, Description: Webshells Auto-generated - file pwreveal.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: shelltools_g0t_root_xwhois, Description: Webshells Auto-generated - file xwhois.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: vanquish_2, Description: Webshells Auto-generated - file vanquish.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: down_rar_Folder_down, Description: Webshells Auto-generated - file down.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: cmdShell, Description: Webshells Auto-generated - file cmdShell.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: ZXshell2_0_rar_Folder_nc, Description: Webshells Auto-generated - file nc.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: portlessinst, Description: Webshells Auto-generated - file portlessinst.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: SetupBDoor, Description: Webshells Auto-generated - file SetupBDoor.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: phpshell_3, Description: Webshells Auto-generated - file phpshell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: BIN_Server, Description: Webshells Auto-generated - file Server.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: HYTop2006_rar_Folder_2006, Description: Webshells Auto-generated - file 2006.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: r57shell_3, Description: Webshells Auto-generated - file r57shell.php, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: HDConfig, Description: Webshells Auto-generated - file HDConfig.exe, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: FSO_s_ajan_2, Description: Webshells Auto-generated - file ajan.asp, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
Rule: Webshell_and_Exploit_CN_APT_HK, Description: Webshell and Exploit Code in relation with APT against Honk Kong protesters, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: JSP_Browser_APT_webshell, Description: VonLoesch JSP Browser used as web shell by APT groups - jsp File browser 1.1a, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: F.Roth

File Activities

Rule: JSP_jfigueiredo_APT_webshell, Description: JSP Browser used as web shell by APT groups - author: jfigueiredo, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: F.Roth
Rule: JSP_jfigueiredo_APT_webshell_2, Description: JSP Browser used as web shell by APT groups - author: jfigueiredo, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: F.Roth
Rule: Webshell_Insomnia, Description: Insomnia Webshell - file InsomniaShell.aspx, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: SoakSoak_Infected_Wordpress, Description: Detects a SoakSoak infected Wordpress site http://goo.gl/1GzWUX, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Pastebin_Webshell, Description: Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: ASPXspy2, Description: Web shell - file ASPXspy2.aspx, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Webshell_27_9_c66_c99, Description: Detects Webshell - rule generated from from files 27.9.txt, c66.php, c99-shadows-mod.php, c99.php ..., Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Webshell_acid_AntiSecShell_3, Description: Detects Webshell Acid, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Webshell_c99_4, Description: Detects C99 Webshell, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Webshell_r57shell_2, Description: Detects Webshell R57, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Webshell_27_9_acid_c99_locus7s, Description: Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Webshell_Backdoor_PHP_Agent_r57_mod_bizzz_shell_r57, Description: Detects Webshell - rule generated from from files Backdoor.PHP.Agent.php, r57.mod-bizzz.shell.txt ..., Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Webshell_c100, Description: Detects Webshell - rule generated from from files c100 v. 777shell, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Webshell_AcidPoison, Description: Detects Poison Sh3ll - Webshell, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Webshell_acid_FaTaLisTiCz_Fx_fx_p0isoN_sh3ll_x0rg_byp4ss_256, Description: Detects Webshell - rule generated from from files acid.php, FaTaLisTiCz_Fx.txt, fx.txt, p0isoN.sh3ll.txt, x0rg.byp4ss.txt, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Mimikatz_Strings, Description: Detects Mimikatz strings, Source: C:\Users\user\Desktop\download\BLUESPAWN-client-x86.exe, Author: Florian Roth

Antivirus matches: Detection: 100%, AviraDetection: 14%, Metadefender, BrowseDetection: 69%, ReversingLabs

Reputation: low
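The pattern in the matches above is worth reading carefully before calling the sample a webshell dropper: fifteen unrelated webshell rules all fire on the same memory region (the single .sdmp source), and a Mimikatz-strings rule fires on the binary on disk. BLUESPAWN is an open-source defensive tool, and a scanner that ships a signature database produces exactly this shape of hit, because the rules' own strings sit in its memory and its image. The triage helper below is an added example, not part of the Joe Sandbox report or of the BLUESPAWN project: it parses match lines in the report's "Rule: ..., Description: ..., Source: ..., Author: ..." layout, groups them by source, tells memory dumps from on-disk paths by the .sdmp suffix, and flags a source that many distinct rules hit as a signature-carrier candidate. The sample input is a constructed subset of the entries on the page, and the threshold of five distinct rules is an assumption of the example, not a Joe Sandbox setting.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the match entries shown in the report,
# one "Rule: ..., Description: ..., Source: ..., Author: ..." entry per line.
SAMPLE_MATCHES = r"""
Rule: Webshell_Insomnia, Description: Insomnia Webshell - file InsomniaShell.aspx, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: ASPXspy2, Description: Web shell - file ASPXspy2.aspx, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Webshell_27_9_c66_c99, Description: Detects Webshell - rule generated from from files 27.9.txt, c66.php, c99-shadows-mod.php, c99.php ..., Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Webshell_c99_4, Description: Detects C99 Webshell, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Webshell_r57shell_2, Description: Detects Webshell R57, Source: 00000012.00000002.594455536.000000000437E000.00000004.00000001.sdmp, Author: Florian Roth
Rule: Mimikatz_Strings, Description: Detects Mimikatz strings, Source: C:\Users\user\Desktop\download\BLUESPAWN-client-x86.exe, Author: Florian Roth
"""

# Constructed sample of the report's antivirus summary, one entry per line.
SAMPLE_AV = """
Detection: 100%, Avira
Detection: 14%, Metadefender
Detection: 69%, ReversingLabs
"""

# Descriptions may themselves contain commas (file lists), so that field is
# matched non-greedily up to the literal ", Source:" separator.
MATCH_RE = re.compile(
    r"^Rule:\s*(?P<rule>[^,]+),\s*"
    r"Description:\s*(?P<description>.*?),\s*"
    r"Source:\s*(?P<source>[^,]+),\s*"
    r"Author:\s*(?P<author>.+?)\s*$"
)
AV_RE = re.compile(r"^Detection:\s*(?P<pct>\d+)%,\s*(?P<vendor>.+?)\s*$")

# Assumption of this example: this many distinct rules on one source is treated
# as a sign that the source carries signatures rather than a single payload.
CARRIER_THRESHOLD = 5


def parse_matches(text):
    """Parse match lines into dicts; lines that do not fit the layout are skipped."""
    parsed = []
    for line in text.splitlines():
        m = MATCH_RE.match(line.strip())
        if m:
            parsed.append(m.groupdict())
    return parsed


def parse_av(text):
    """Map vendor name to detection percentage from 'Detection: N%, Vendor' lines."""
    result = {}
    for line in text.splitlines():
        m = AV_RE.match(line.strip())
        if m:
            result[m["vendor"]] = int(m["pct"])
    return result


def source_kind(source):
    """Joe Sandbox memory dumps end in .sdmp; anything else is treated as an on-disk path."""
    return "memory" if source.lower().endswith(".sdmp") else "file"


def rules_by_source(matches):
    """Group matched rule names by the source (dump or file) they fired on."""
    grouped = defaultdict(list)
    for m in matches:
        grouped[m["source"]].append(m["rule"])
    return dict(grouped)


def triage(matches, threshold=CARRIER_THRESHOLD):
    """Per source: kind, distinct rule count, sorted rule names and a verdict.

    A source hit by at least `threshold` distinct rules is flagged for a
    signature-carrier check: confirm whether the matched bytes are the rules'
    own strings before treating the hit as a payload. Fewer hits stay ordinary
    findings to be reviewed rule by rule.
    """
    result = {}
    for source, rules in rules_by_source(matches).items():
        distinct = sorted(set(rules))
        if len(distinct) >= threshold:
            verdict = "signature-carrier candidate: confirm the matched bytes are rule strings, not a payload"
        else:
            verdict = "review each matched string against the rule body"
        result[source] = {
            "kind": source_kind(source),
            "rule_count": len(distinct),
            "rules": distinct,
            "verdict": verdict,
        }
    return result


if __name__ == "__main__":
    for source, info in triage(parse_matches(SAMPLE_MATCHES)).items():
        print(f"{info['kind']:6} {info['rule_count']:2} rule(s)  {source}")
        print(f"        {info['verdict']}")
    print("AV:", parse_av(SAMPLE_AV))
```

The verdict is a prompt for the next manual step, not a clearance: pull the flagged dump, locate the matched offsets, and check whether the surrounding bytes read as rule text and signature lists or as an actual script body. Only the first outcome supports the signature-carrier explanation; the second is a real finding regardless of what the file claims to be.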


File Written

File Read

Analysis Process: conhost.exe PID: 1632 Parent PID: 3132

General

Start time: 21:23:45

Start date: 21/07/2021

Path: C:\Windows\System32\conhost.exe

Wow64 process (32bit): false

Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Imagebase: 0x7ff7ecfc0000

File size: 625664 bytes

MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496

Has elevated privileges: true

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: low

Disassembly

Code Analysis