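import "hash"

/*
 * PoshC2 Python dropper (dropper.py) detection.
 *
 * Two independent ways to match:
 *   1. Content heuristic: a small file (< 6KB) that begins with the bytes
 *      "im" (the leading "import ..." line, see $s18) and contains at least
 *      8 of the distinctive source lines below. Several strings are variant
 *      spellings of the same statement ($s1/$s4 vs $s2/$s5, $s6 vs $s7) so
 *      that differently generated droppers still reach the threshold. The
 *      "#REPLACE...#" tokens ($s12, $s13, $s15, $s16, $s19) look like
 *      template placeholders and presumably only survive in un-rendered
 *      copies; the urllib2 / "SessionID=" cookie beaconing lines cover the
 *      rendered ones.
 *   2. Exact sample: a full-file SHA-256 comparison against the known
 *      specimen. This branch is brittle (any byte change defeats it) and is
 *      the most expensive test in the rule, so it is evaluated last.
 */
rule PoshC2_DropperPy {
	meta:
		description = "PoshC2 - dropper.py"
		sha256 = "33827cd5a6e15bbaf99e65f767e65e1b639f48d6b6bb7a6e9e8c8cf02355a1e7"
	strings:
		$s1 = "if hh[0]: headers = ({'Host':hh[0],'User-Agent':ua,'Cookie':'SessionID=%s' % encsid.decode(\"utf-8\")})" ascii fullword
		$s2 = "if hh[0]:r=urllib2.Request(url2,headers={'Host':hh[0],'User-agent':ua,'Cookie':'SessionID=%s' % encsid})" ascii fullword
		$s3 = "if hh[0]: r=urllib2.Request(url,headers={'Host':hh[0],'User-agent':ua})" ascii fullword
		$s4 = "else: headers = ({'User-Agent':ua,'Cookie':'SessionID=%s' % encsid.decode(\"utf-8\")})" ascii fullword
		$s5 = "else:r=urllib2.Request(url2,headers={'User-agent':ua,'Cookie':'SessionID=%s' % encsid})" ascii fullword
		$s6 = "encsid=encrypt(key, '%s;%s;%s;%s;%s;%s;%s' % (un,hn,hn,arch,pid,procname,urlid))" ascii fullword
		$s7 = "encsid=encrypt(key, '%s;%s;%s;%s;%s;%s;%s' % (un,hn,hn,arch,pid,pname,urlid))" ascii fullword
		$s8 = "else: r=urllib2.Request(url,headers={'User-agent':ua})" ascii fullword
		$s9 = "hn=socket.gethostname();o=urllib2.build_opener()" ascii fullword
		$s10 = "exec(base64.b64decode(x))" ascii fullword
		$s11 = "html = response.read().decode('utf-8');x=decrypt(key, html)" ascii fullword
		$s12 = "ua=\"#REPLACEUSERAGENT#\"" ascii fullword
		$s13 = "url=serverclean[0]+\"#REPLACEQUICKCOMMAND#\"" ascii fullword
		$s14 = "res=urllib2.urlopen(r);html=res.read();x=decrypt(key, html).rstrip('\\0');" ascii fullword
		$s15 = "serverclean=[#REPLACEHOSTPORT#]" ascii fullword
		$s16 = "pykey=\"#REPLACESPYTHONKEY#\"" ascii fullword
		$s17 = "if pykey in b and pyhash == s and cstr < kdn: " ascii fullword
		$s18 = "import os,sys,base64,ssl,socket,pwd,hashlib,time" ascii fullword
		$s19 = "kdn=time.strptime(\"#REPLACEKILLDATE#\",\"%Y-%m-%d\")" ascii fullword
		$s20 = "cstr=time.strftime(\"%Y-%m-%d\",time.gmtime());cstr=time.strptime(cstr,\"%Y-%m-%d\")" ascii fullword
	condition:
		// Explicit grouping: "and" binds tighter than "or" in YARA, so the
		// original ungrouped form already meant this, but spelling it out
		// avoids a misread. uint16() is little-endian, so 0x6d69 is the
		// byte pair "im" at offset 0.
		(
			uint16(0) == 0x6d69 and filesize < 6KB and 8 of them
		)
		or
		// Full-file hash goes last so that, on YARA builds that short-circuit
		// condition evaluation, it is only computed when the cheap text
		// heuristic above has already failed.
		hash.sha256(0, filesize) == "33827cd5a6e15bbaf99e65f767e65e1b639f48d6b6bb7a6e9e8c8cf02355a1e7"
}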
Details Website 2024-08-02 396 Resecurity | C2 Frameworks - Threat Hunting in Action with YARA Rules