
Microsoft Office Hover Over malware IOC false positive #34

Closed
azfayel opened this issue Apr 19, 2018 · 1 comment

Comments


azfayel commented Apr 19, 2018

Lots of alerts regarding binary files like certutil, cmd, powershell.
I suppose they are false positives. Can you fine-tune this YARA rule?

Neo23x0 (Owner) commented Apr 23, 2018

It wasn't a YARA rule that caused these matches but hashes from an AlienVault OTX pulse that was removed some time ago. Please use the loki-upgrader.exe to get the newest signatures.

@Neo23x0 Neo23x0 closed this as completed Apr 23, 2018
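An added triage script for the situation in this thread (it is not part of LOKI and was not posted by either participant): it parses LOKI's one-line alert format and flags any hash indicator description that matched several different hashes of stock Windows binaries, which is the fingerprint of a bad feed entry such as the removed OTX pulse rather than an infection. The sample lines are constructed from the abridged report above; the parser assumes LOKI's `KEY: value` layout with `REASON_n:` sub-records.

```python
import re
from collections import defaultdict
# Constructed sample alerts in LOKI's one-line report format, abridged from the report
# above (SHA1/SHA256 and timestamps dropped); paths and MD5s are the ones quoted there.
DESC = "Microsoft Office Hover Over malware https://www.virustotal.com/en/file/796a386b43f12b99568f55166e339fcf43a4792d292bd"
SAMPLE_ALERTS = [
    r"FILE: C:\Windows\System32\certutil.exe SCORE: 100 TYPE: EXE SIZE: 903168 MD5: 0d52559aef4aa5eac82f530617032283"
    " REASON_1: Malware Hash TYPE: MD5 HASH: 0d52559aef4aa5eac82f530617032283 SUBSCORE: 100 DESC: " + DESC,
    r"FILE: C:\Windows\System32\cmd.exe SCORE: 100 TYPE: EXE SIZE: 302592 MD5: ad7b9c14083b52bc532fba5948342b98"
    " REASON_1: Malware Hash TYPE: MD5 HASH: ad7b9c14083b52bc532fba5948342b98 SUBSCORE: 100 DESC: " + DESC,
    r"FILE: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe SCORE: 160 TYPE: EXE SIZE: 452608"
    r" MD5: 92f44e405db16ac55d97e3bfe3b132fa REASON_1: File Name IOC matched PATTERN: \WindowsPowerShell\ SUBSCORE: 60 DESC: -10"
    " REASON_2: Malware Hash TYPE: MD5 HASH: 92f44e405db16ac55d97e3bfe3b132fa SUBSCORE: 100 DESC: " + DESC,
    r"FILE: C:\Windows\SysWOW64\cmd.exe SCORE: 100 TYPE: EXE SIZE: 302592 MD5: ad7b9c14083b52bc532fba5948342b98"
    " REASON_1: Malware Hash TYPE: MD5 HASH: ad7b9c14083b52bc532fba5948342b98 SUBSCORE: 100 DESC: " + DESC,
]
KEY_RE = re.compile(r"([A-Z][A-Z0-9_]*): ")  # a LOKI field label: UPPERCASE word, colon, space

def parse_fields(text):
    """Ordered (key, value) pairs of a 'KEY: value KEY: value ...' string."""
    keys = list(KEY_RE.finditer(text))
    ends = [m.start() for m in keys[1:]] + [len(text)]
    return [(m.group(1), text[m.end():end].strip()) for m, end in zip(keys, ends)]

def parse_alert(line):
    """Split one alert into the file record plus one sub-record per REASON_n."""
    record, target = {"reasons": []}, None
    for key, value in parse_fields(line):
        if key.startswith("REASON_"):  # every field after REASON_n belongs to that reason
            target = {"reason": value}
            record["reasons"].append(target)
        else:
            (record if target is None else target)[key] = value
    return record

def hashes_by_indicator(lines):
    """Per 'Malware Hash' indicator description: the distinct MD5s and file names it fired on."""
    hits = defaultdict(lambda: {"hashes": set(), "files": set()})
    for line in lines:
        rec = parse_alert(line)
        for reason in rec["reasons"]:
            if reason["reason"] == "Malware Hash":
                entry = hits[reason.get("DESC", "")]
                entry["hashes"].add(reason["HASH"].lower())
                entry["files"].add(rec["FILE"].rsplit("\\", 1)[-1].lower())
    return hits

def suspect_indicators(lines, min_hashes=3):
    """One hash IOC identifies one file; a description matching several different hashes
    of stock Windows tools points at a bad feed entry, not an infection."""
    return sorted(d for d, e in hashes_by_indicator(lines).items() if len(e["hashes"]) >= min_hashes)
```

Running `suspect_indicators` over a real loki.log would list each indicator description worth removing or re-checking before the rest of the alerts are triaged.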