Actor(s): APT33
There is no description at this point.
rule ps1_powerton_w0 {
    meta:
        author = "jeFF0Falltrades"
        hash = "6bea9a7c9ded41afbebb72a11a1868345026d8e46d08b89577f30b50f4929e85"
        source = "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/powerton_apt_33.md"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerton"
        malpedia_version = "20190903"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $str_wmi = "Adding wmi persist ..." wide ascii
        $str_registery = "Poster \"Registery Value With Name" wide ascii
        $str_upload = "(New-Object Net.WebClient).UploadFile(\"$SRVURL$address\", \"$fullFilePath" wide ascii
        $str_pass = "jILHk{Yu1}2i0h^xe|t,d+Cy:KBv!l?7" wide ascii
        $str_addr = "$address=\"/contact/$BID$($global:rndPost)/confirm" wide ascii
        $str_png = "$env:temp + \"\\\" + $(date -format dd-m-y-HH-mm-s) + \".png" wide ascii
        $str_msg = "/contact/msg/$BID$($global:rndPost)" wide ascii
        $str_ua = "Mozilla/5.0 (Windows NT $osVer; rv:38.0) Gecko/20100101 Thunderbird/38.1.0 Lightning/4.0.2" wide ascii
        $domain = "backupaccount.net" wide ascii
    condition:
        2 of ($str*) or $domain
}