THOR Scan Report

Scan Information
Scanner: Thor
Version: 10.7.9
Run on System: WIN-LRTT94FA08M
Argument list: --path D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image --module Filescan
Signature Database: 2023/09/24-052825
Start Time: Fri Aug 30 08:27:13 2024
End Time: Fri Aug 30 08:35:02 2024
IP Addresses: 10.100.5.12
Run as user: WIN-LRTT94FA08M\Administrator
Admin rights: yes
Platform: Windows Server 2019 Standard
Log File Name: WIN-LRTT94FA08M_thor_2024-08-30_0826.txt
False Positive Filters Applied: 0
Scan ID: S-dM24AZNR1hE
Modules
Filescan: 239
LogScan: 13
Statistics
Alerts: 9
Warnings: 8
Notice: 237
Info: 121
Errors: 0
Errors
Alerts
Alert 1
Aug 30 08:27:26 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Malicious Log Entry found
ENTRY:
192.241.193.117 - - [05/May/2024:05:06:30 +0300] "GET /autodiscover/autodiscover.json?@zdi/Powershell HTTP/1.1" 403 199 "-" "Mozilla/5.0 zgrab/0.x"
SCORE:
90
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\it_sec\httpd\access_log
LOG_MODIFIED:
Tue May 7 07:55:38 2024
LOG_ACCESSED:
Tue May 14 16:22:15 2024
LOG_CREATED:
Thu Aug 29 15:34:29 2024
REASON_1:
YARA rule EXPL_Exchange_ProxyShell_Successful_Aug21_1 / Detects successful ProxyShell exploitation attempts in log files
SUBSCORE_1:
85
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • /autodiscover/autodiscover.json?@zdi/Powershell
RULEDATE_1:
2021-08-08
TAGS_1:
EXPLOIT, SCRIPT
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule EXPL_Exchange_ProxyShell_Aug21_1 / Detects successful ProxyShell exploitation attempts in log files
SUBSCORE_2:
70
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
  • /autodiscover/autodiscover.json?@zdi/Powershell
RULEDATE_2:
2021-08-08
TAGS_2:
EXPLOIT, SCRIPT
AUTHOR_2:
Florian Roth
REASONS_COUNT:
2
Alert 2
Aug 30 08:27:26 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Malicious Log Entry found
ENTRY:
192.241.193.117 - - [05/May/2024:05:06:45 +0300] "GET /autodiscover/autodiscover.json?@zdi/Powershell HTTP/1.1" 403 199 "-" "Mozilla/5.0 zgrab/0.x"
SCORE:
90
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\it_sec\httpd\access_log
LOG_MODIFIED:
Tue May 7 07:55:38 2024
LOG_ACCESSED:
Tue May 14 16:22:15 2024
LOG_CREATED:
Thu Aug 29 15:34:29 2024
REASON_1:
YARA rule EXPL_Exchange_ProxyShell_Successful_Aug21_1 / Detects successful ProxyShell exploitation attempts in log files
SUBSCORE_1:
85
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • /autodiscover/autodiscover.json?@zdi/Powershell
RULEDATE_1:
2021-08-08
TAGS_1:
EXPLOIT, SCRIPT
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule EXPL_Exchange_ProxyShell_Aug21_1 / Detects successful ProxyShell exploitation attempts in log files
SUBSCORE_2:
70
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
  • /autodiscover/autodiscover.json?@zdi/Powershell
RULEDATE_2:
2021-08-08
TAGS_2:
EXPLOIT, SCRIPT
AUTHOR_2:
Florian Roth
REASONS_COUNT:
2
Alert 3
Aug 30 08:27:27 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Malware file found
SCORE:
85
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\it_sec\httpd\access_log
EXT:
TYPE:
IP Log
SIZE:
703152
FIRSTBYTES:
3139322e3234312e3233312e3531202d202d205b / 192.241.231.51 - - [
CREATED:
Thu Aug 29 15:34:29.290 2024
MODIFIED:
Tue May 7 07:55:38.000 2024
ACCESSED:
Tue May 14 16:22:15.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXPL_Exchange_ProxyShell_Successful_Aug21_1 / Detects successful ProxyShell exploitation attempts in log files
SUBSCORE_1:
85
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • /autodiscover/autodiscover.json?@zdi/Powershell at 0x187f in
    ".241.193.117 - - [05/May/2024:05:06:30 +0300] \"GET /autodiscover/autodiscover.json?@zdi/Powershell HTTP/1.1\" 403 199 \"-\" \"Mozilla/5.0 zgrab/0.x\"\x0a192"
RULEDATE_1:
2021-08-08
TAGS_1:
EXPLOIT, SCRIPT
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
Alert 4
Aug 30 08:29:45 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Malicious Log Entry found
ENTRY:
192.241.193.117 - - [05/May/2024:05:06:30 +0300] "GET /autodiscover/autodiscover.json?@zdi/Powershell HTTP/1.1" 403 199 "-" "Mozilla/5.0 zgrab/0.x"
SCORE:
90
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\mpirogova\sites\site2\core\Logs[deleted]\httpd\access_log
LOG_MODIFIED:
Tue May 7 07:55:38 2024
LOG_ACCESSED:
Tue May 14 16:22:15 2024
LOG_CREATED:
Fri Aug 30 07:25:01 2024
REASON_1:
YARA rule EXPL_Exchange_ProxyShell_Successful_Aug21_1 / Detects successful ProxyShell exploitation attempts in log files
SUBSCORE_1:
85
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • /autodiscover/autodiscover.json?@zdi/Powershell
RULEDATE_1:
2021-08-08
TAGS_1:
EXPLOIT, SCRIPT
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule EXPL_Exchange_ProxyShell_Aug21_1 / Detects successful ProxyShell exploitation attempts in log files
SUBSCORE_2:
70
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
  • /autodiscover/autodiscover.json?@zdi/Powershell
RULEDATE_2:
2021-08-08
TAGS_2:
EXPLOIT, SCRIPT
AUTHOR_2:
Florian Roth
REASONS_COUNT:
2
Alert 5
Aug 30 08:29:45 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Malicious Log Entry found
ENTRY:
192.241.193.117 - - [05/May/2024:05:06:45 +0300] "GET /autodiscover/autodiscover.json?@zdi/Powershell HTTP/1.1" 403 199 "-" "Mozilla/5.0 zgrab/0.x"
SCORE:
90
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\mpirogova\sites\site2\core\Logs[deleted]\httpd\access_log
LOG_MODIFIED:
Tue May 7 07:55:38 2024
LOG_ACCESSED:
Tue May 14 16:22:15 2024
LOG_CREATED:
Fri Aug 30 07:25:01 2024
REASON_1:
YARA rule EXPL_Exchange_ProxyShell_Successful_Aug21_1 / Detects successful ProxyShell exploitation attempts in log files
SUBSCORE_1:
85
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • /autodiscover/autodiscover.json?@zdi/Powershell
RULEDATE_1:
2021-08-08
TAGS_1:
EXPLOIT, SCRIPT
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule EXPL_Exchange_ProxyShell_Aug21_1 / Detects successful ProxyShell exploitation attempts in log files
SUBSCORE_2:
70
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
  • /autodiscover/autodiscover.json?@zdi/Powershell
RULEDATE_2:
2021-08-08
TAGS_2:
EXPLOIT, SCRIPT
AUTHOR_2:
Florian Roth
REASONS_COUNT:
2
Alert 6
Aug 30 08:29:46 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Malware file found
SCORE:
85
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\mpirogova\sites\site2\core\Logs[deleted]\httpd\access_log
EXT:
TYPE:
IP Log
SIZE:
703152
FIRSTBYTES:
3139322e3234312e3233312e3531202d202d205b / 192.241.231.51 - - [
CREATED:
Fri Aug 30 07:25:01.721 2024
MODIFIED:
Tue May 7 07:55:38.000 2024
ACCESSED:
Tue May 14 16:22:15.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXPL_Exchange_ProxyShell_Successful_Aug21_1 / Detects successful ProxyShell exploitation attempts in log files
SUBSCORE_1:
85
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • /autodiscover/autodiscover.json?@zdi/Powershell at 0x187f in
    ".241.193.117 - - [05/May/2024:05:06:30 +0300] \"GET /autodiscover/autodiscover.json?@zdi/Powershell HTTP/1.1\" 403 199 \"-\" \"Mozilla/5.0 zgrab/0.x\"\x0a192"
RULEDATE_1:
2021-08-08
TAGS_1:
EXPLOIT, SCRIPT
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
Alert 7
Aug 30 08:35:01 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Malicious Log Entry found
ENTRY:
192.241.193.117 - - [05/May/2024:05:06:30 +0300] "GET /autodiscover/autodiscover.json?@zdi/Powershell HTTP/1.1" 403 199 "-" "Mozilla/5.0 zgrab/0.x"
SCORE:
90
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\var\var\httpd\access_log
LOG_MODIFIED:
Tue May 7 07:55:38 2024
LOG_ACCESSED:
Tue May 14 16:36:08 2024
LOG_CREATED:
Fri Aug 30 07:36:47 2024
REASON_1:
YARA rule EXPL_Exchange_ProxyShell_Successful_Aug21_1 / Detects successful ProxyShell exploitation attempts in log files
SUBSCORE_1:
85
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • /autodiscover/autodiscover.json?@zdi/Powershell
RULEDATE_1:
2021-08-08
TAGS_1:
EXPLOIT, SCRIPT
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule EXPL_Exchange_ProxyShell_Aug21_1 / Detects successful ProxyShell exploitation attempts in log files
SUBSCORE_2:
70
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
  • /autodiscover/autodiscover.json?@zdi/Powershell
RULEDATE_2:
2021-08-08
TAGS_2:
EXPLOIT, SCRIPT
AUTHOR_2:
Florian Roth
REASONS_COUNT:
2
Alert 8
Aug 30 08:35:01 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Malicious Log Entry found
ENTRY:
192.241.193.117 - - [05/May/2024:05:06:45 +0300] "GET /autodiscover/autodiscover.json?@zdi/Powershell HTTP/1.1" 403 199 "-" "Mozilla/5.0 zgrab/0.x"
SCORE:
90
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\var\var\httpd\access_log
LOG_MODIFIED:
Tue May 7 07:55:38 2024
LOG_ACCESSED:
Tue May 14 16:36:08 2024
LOG_CREATED:
Fri Aug 30 07:36:47 2024
REASON_1:
YARA rule EXPL_Exchange_ProxyShell_Successful_Aug21_1 / Detects successful ProxyShell exploitation attempts in log files
SUBSCORE_1:
85
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • /autodiscover/autodiscover.json?@zdi/Powershell
RULEDATE_1:
2021-08-08
TAGS_1:
EXPLOIT, SCRIPT
AUTHOR_1:
Florian Roth
REASON_2:
YARA rule EXPL_Exchange_ProxyShell_Aug21_1 / Detects successful ProxyShell exploitation attempts in log files
SUBSCORE_2:
70
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
  • /autodiscover/autodiscover.json?@zdi/Powershell
RULEDATE_2:
2021-08-08
TAGS_2:
EXPLOIT, SCRIPT
AUTHOR_2:
Florian Roth
REASONS_COUNT:
2
Alert 9
Aug 30 08:35:02 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Malware file found
SCORE:
85
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\var\var\httpd\access_log
EXT:
TYPE:
IP Log
SIZE:
703152
FIRSTBYTES:
3139322e3234312e3233312e3531202d202d205b / 192.241.231.51 - - [
CREATED:
Fri Aug 30 07:36:47.995 2024
MODIFIED:
Tue May 7 07:55:38.000 2024
ACCESSED:
Tue May 14 16:36:08.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXPL_Exchange_ProxyShell_Successful_Aug21_1 / Detects successful ProxyShell exploitation attempts in log files
SUBSCORE_1:
85
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • /autodiscover/autodiscover.json?@zdi/Powershell at 0x187f in
    ".241.193.117 - - [05/May/2024:05:06:30 +0300] \"GET /autodiscover/autodiscover.json?@zdi/Powershell HTTP/1.1\" 403 199 \"-\" \"Mozilla/5.0 zgrab/0.x\"\x0a192"
RULEDATE_1:
2021-08-08
TAGS_1:
EXPLOIT, SCRIPT
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
Warnings
Warning 1
Aug 30 08:26:48 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Startup
MESSAGE:
Signature file is older than 60 days. Run 'thor-util upgrade' to get new signatures.
Warning 2
Aug 30 08:28:17 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Malware file found
SCORE:
83
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\mpirogova\.cache\composer\files\phpunit\phpunit\1f77ae2d4af2b1612629468e2c7afc682466b121.zip\sebastianbergmann-phpunit-6e35126\src\Util\PHP\eval-stdin.php
EXT:
.php
TYPE:
PHP
SIZE:
54
FIRSTBYTES:
3c3f7068700a0a6576616c28273f3e27202e2066 / <?php eval('?>' . f
MODIFIED:
Thu Feb 11 14:56:33.000 2016
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\mpirogova\.cache\composer\files\phpunit\phpunit\1f77ae2d4af2b1612629468e2c7afc682466b121.zip
ARCHIVE_TYPE:
ZIP
ARCHIVE_SIZE:
593998
ARCHIVE_FIRSTBYTES:
504b03040a000000000010374b48000000000000 / PK 7KH
ARCHIVE_CREATED:
Thu Aug 29 15:38:58.104 2024
ARCHIVE_MODIFIED:
Tue Sep 3 10:20:38.000 2019
ARCHIVE_ACCESSED:
Tue May 14 16:10:01.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_WEBSHELL_PHP_Generic / php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings
SUBSCORE_1:
75
REF_1:
Internal Research
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • <? at 0x0 in
    "<?php\x0a\x0aeval('?>' . file_get_contents('php://input'))"
  • <?php at 0x0 in
    "<?php\x0a\x0aeval('?>' . file_get_contents('php://input'));\x0a"
  • php://input at 0x26 in
    "<?php\x0a\x0aeval('?>' . file_get_contents('php://input'));\x0a"
  • eval(' at 0x7 in
    "<?php\x0a\x0aeval('?>' . file_get_contents('php://input'));\x0a"
  • eval(' at 0x7 in
    "<?php\x0a\x0aeval('?>' . file_get_contents('php://input'));\x0a"
RULEDATE_1:
2021-01-14
TAGS_1:
GEN, T1033, T1087_002, T1505_003, VENDOR, WEBSHELL
AUTHOR_1:
Arnim Rupp (https://github.com/ruppde)
REASON_2:
YARA rule SUSP_WEBSHELL_Tiny_Eval_Oct20 / Detects suspicious tiny files including an eval statement
SUBSCORE_2:
65
REF_2:
Internal Research
SIGTYPE_2:
internal
SIGCLASS_2:
YARA Rule
MATCHED_2
  • eval( at 0x7 in
    "<?php\x0a\x0aeval('?>' . file_get_contents('php://input'));\x0a"
RULEDATE_2:
2020-10-15
TAGS_2:
FILE, SUSP, T1505_003, WEBSHELL
AUTHOR_2:
Florian Roth
REASONS_COUNT:
2
Warning 3
Aug 30 08:28:53 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
70
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\mpirogova\.cache\composer\repo\https---repo.packagist.org\p-provider-2019-07.json
EXT:
.json
TYPE:
UNKNOWN
SIZE:
2579459
FIRSTBYTES:
7b2270726f766964657273223a7b22302e302e30 / {"providers":{"0.0.0
CREATED:
Thu Aug 29 15:38:55.954 2024
MODIFIED:
Thu Dec 5 09:35:54.000 2019
ACCESSED:
Tue May 14 16:14:59.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule SUSP_JS_Dropping_Exe_Aug23 / Detects JavaScript file that drops executables
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "4d5a at 0x5081e in
    c88af246862def815"},"carno-php/serving":{"sha256":"4d5abf1f8ae6ebf1fa75860d47845d9a8c944ee01d8529c95c571d
  • powershell at 0x13de3 in
    0eca93a8c250536ecb27819edf"},"alissonpelizaro/ssh_powershell":{"sha256":"d542da6654214697055931a1024fc2ffc2862
RULEDATE_1:
2023-08-03
TAGS_1:
EXE, FILE, SUSP
AUTHOR_1:
X__Junior
REASONS_COUNT:
1
Warning 4
Aug 30 08:29:57 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
60
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\mpirogova\sites\site2\core\components\modalconsole\files\1.php
EXT:
.php
TYPE:
PHP
SIZE:
1238
FIRSTBYTES:
3c3f7068700a246576656e74537461747573203d / <?php $eventStatus =
CREATED:
Fri Aug 30 07:22:20.619 2024
MODIFIED:
Mon Nov 25 12:10:57.000 2019
ACCESSED:
Tue May 14 16:20:50.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
Filename IOC \\[0-9]\.(aspx|asp|jsp|jspx|php)
SUBSCORE_1:
60
REF_1:
Suspicious Web Shell file names https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3-1
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
  • \1.php
REASONS_COUNT:
1
Warning 5
Aug 30 08:29:57 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
60
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\mpirogova\sites\site2\core\components\modalconsole\files\2.php
EXT:
.php
TYPE:
PHP
SIZE:
1465
FIRSTBYTES:
3c3f7068700a246576656e74537461747573203d / <?php $eventStatus =
CREATED:
Fri Aug 30 07:22:20.620 2024
MODIFIED:
Mon Nov 25 13:42:16.000 2019
ACCESSED:
Tue May 14 16:21:01.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
Filename IOC \\[0-9]\.(aspx|asp|jsp|jspx|php)
SUBSCORE_1:
60
REF_1:
Suspicious Web Shell file names https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3-1
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
  • \2.php
REASONS_COUNT:
1
Warning 6
Aug 30 08:29:57 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
60
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\mpirogova\sites\site2\core\components\modalconsole\files\3.php
EXT:
.php
TYPE:
PHP
SIZE:
1726
FIRSTBYTES:
3c3f7068700a246576656e74537461747573203d / <?php $eventStatus =
CREATED:
Fri Aug 30 07:22:20.622 2024
MODIFIED:
Mon Nov 25 14:38:48.000 2019
ACCESSED:
Tue May 14 16:21:06.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
Filename IOC \\[0-9]\.(aspx|asp|jsp|jspx|php)
SUBSCORE_1:
60
REF_1:
Suspicious Web Shell file names https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3-1
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
  • \3.php
REASONS_COUNT:
1
Warning 7
Aug 30 08:29:57 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
60
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\mpirogova\sites\site2\core\components\modalconsole\files\4.php
EXT:
.php
TYPE:
PHP
SIZE:
1024
FIRSTBYTES:
3c3f7068700a246576656e74537461747573203d / <?php $eventStatus =
CREATED:
Fri Aug 30 07:22:20.674 2024
MODIFIED:
Mon Nov 25 15:21:12.000 2019
ACCESSED:
Tue May 14 16:21:11.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
Filename IOC \\[0-9]\.(aspx|asp|jsp|jspx|php)
SUBSCORE_1:
60
REF_1:
Suspicious Web Shell file names https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3-1
SIGTYPE_1:
internal
SIGCLASS_1:
Filename IOC
MATCHED_1
  • \4.php
REASONS_COUNT:
1
Warning 8
Aug 30 08:33:11 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Possibly Dangerous file found
SCORE:
70
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\.cache\composer\repo\https---repo.packagist.org\p-provider-2019-07.json
EXT:
.json
TYPE:
UNKNOWN
SIZE:
2216307
FIRSTBYTES:
7b2270726f766964657273223a7b22302e302e30 / {"providers":{"0.0.0
CREATED:
Fri Aug 30 07:30:27.859 2024
MODIFIED:
Mon Feb 3 14:17:02.000 2020
ACCESSED:
Tue May 14 16:13:09.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule SUSP_JS_Dropping_Exe_Aug23 / Detects JavaScript file that drops executables
SUBSCORE_1:
70
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "4d5a at 0x433cd in
    c88af246862def815"},"carno-php/serving":{"sha256":"4d5abf1f8ae6ebf1fa75860d47845d9a8c944ee01d8529c95c571d
  • powershell at 0x11454 in
    0eca93a8c250536ecb27819edf"},"alissonpelizaro/ssh_powershell":{"sha256":"d542da6654214697055931a1024fc2ffc2862
RULEDATE_1:
2023-08-03
TAGS_1:
EXE, FILE, SUSP
AUTHOR_1:
X__Junior
REASONS_COUNT:
1
Notices
Notice 1
Aug 30 08:27:26 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
10.16.6.250 - - [06/May/2024:11:56:51 +0300] "GET /autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com HTTP/1.1" 403 199 "-" "-"
SCORE:
50
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\it_sec\httpd\access_log
LOG_MODIFIED:
Tue May 7 07:55:38 2024
LOG_ACCESSED:
Tue May 14 16:22:15 2024
LOG_CREATED:
Thu Aug 29 15:34:29 2024
REASON_1:
YARA rule LOG_EXPL_Exchange_ProxyShell_Attempt_Aug21_1 / Detects ProxyShell exploitation attempts in log files
SUBSCORE_1:
50
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • /autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@
RULEDATE_1:
2021-08-09
TAGS_1:
EXPLOIT, LOG
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
Notice 2
Aug 30 08:27:27 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
10.16.6.250 - - [07/May/2024:10:31:56 +0300] "GET /autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com HTTP/1.1" 403 199 "-" "-"
SCORE:
50
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\it_sec\httpd\access_log
LOG_MODIFIED:
Tue May 7 07:55:38 2024
LOG_ACCESSED:
Tue May 14 16:22:15 2024
LOG_CREATED:
Thu Aug 29 15:34:29 2024
REASON_1:
YARA rule LOG_EXPL_Exchange_ProxyShell_Attempt_Aug21_1 / Detects ProxyShell exploitation attempts in log files
SUBSCORE_1:
50
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • /autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@
RULEDATE_1:
2021-08-09
TAGS_1:
EXPLOIT, LOG
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
Notice 3
Aug 30 08:29:45 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
10.16.6.250 - - [06/May/2024:11:56:51 +0300] "GET /autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com HTTP/1.1" 403 199 "-" "-"
SCORE:
50
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\mpirogova\sites\site2\core\Logs[deleted]\httpd\access_log
LOG_MODIFIED:
Tue May 7 07:55:38 2024
LOG_ACCESSED:
Tue May 14 16:22:15 2024
LOG_CREATED:
Fri Aug 30 07:25:01 2024
REASON_1:
YARA rule LOG_EXPL_Exchange_ProxyShell_Attempt_Aug21_1 / Detects ProxyShell exploitation attempts in log files
SUBSCORE_1:
50
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • /autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@
RULEDATE_1:
2021-08-09
TAGS_1:
EXPLOIT, LOG
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
Notice 4
Aug 30 08:29:46 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
10.16.6.250 - - [07/May/2024:10:31:56 +0300] "GET /autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com HTTP/1.1" 403 199 "-" "-"
SCORE:
50
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\mpirogova\sites\site2\core\Logs[deleted]\httpd\access_log
LOG_MODIFIED:
Tue May 7 07:55:38 2024
LOG_ACCESSED:
Tue May 14 16:22:15 2024
LOG_CREATED:
Fri Aug 30 07:25:01 2024
REASON_1:
YARA rule LOG_EXPL_Exchange_ProxyShell_Attempt_Aug21_1 / Detects ProxyShell exploitation attempts in log files
SUBSCORE_1:
50
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • /autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@
RULEDATE_1:
2021-08-09
TAGS_1:
EXPLOIT, LOG
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
Notice 5
Aug 30 08:32:06 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\rsa_openssh.prv
EXT:
.prv
TYPE:
Certificate PEM
SIZE:
883
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Thu Aug 29 15:37:24.013 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:09:22.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x57\x67\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x73\x69\x6c\x77\x4b\x63\x61\x4b\x4e\x36\x77\x53\x4d\x4e\x64\x31\x57\x67\x51\x39\x2b\x48\x52\x71\x51\x45\x6b\x44\x30\x6b\x43\x54\x56\x74\x74\x72\x61\x7a"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 6
Aug 30 08:32:07 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_dsa
EXT:
TYPE:
Certificate PEM
SIZE:
1361
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:23.979 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:22:49.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x42\x73\x67\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x5a\x48\x0a\x4e\x7a\x41\x41\x41\x41\x67\x51\x43\x73"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 7
Aug 30 08:32:07 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_ecdsa
EXT:
TYPE:
Certificate PEM
SIZE:
492
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:23.981 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:23:02.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x61\x41\x41\x41\x41\x42\x4e\x6c\x59\x32\x52\x7a\x59\x53\x0a\x31\x7a\x61\x47\x45\x79\x4c\x57\x35\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 8
Aug 30 08:32:07 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_ecdsa_sk
EXT:
TYPE:
Certificate PEM
SIZE:
858
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:23.984 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:23:15.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 9
Aug 30 08:32:07 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_ed25519
EXT:
TYPE:
Certificate PEM
SIZE:
387
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:23.985 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:23:28.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 10
Aug 30 08:32:07 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_ed25519_sk
EXT:
TYPE:
Certificate PEM
SIZE:
496
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:23.987 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:23:44.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 11
Aug 30 08:32:07 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_rsa
EXT:
TYPE:
Certificate PEM
SIZE:
1799
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:23.989 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:23:58.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x42\x46\x77\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x63\x6e\x0a\x4e\x68\x41\x41\x41\x41\x41\x77\x45\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 12
Aug 30 08:32:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\unittests\sshkey\testdata\dsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
672
FIRSTBYTES:
2d2d2d2d2d424547494e20445341205052495641 / -----BEGIN DSA PRIVA
CREATED:
Thu Aug 29 15:37:24.200 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:20:25.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x44\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x42\x76\x41\x49\x42\x41\x41\x4b\x42\x67\x51" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x44\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x42\x76\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x36\x6b\x75\x74\x4e\x46\x52\x73\x48\x54\x77\x45\x41\x76\x36\x64\x33\x39\x4c\x68\x73\x71\x79\x31\x61\x70\x64\x48\x42\x5a\x39\x63\x32\x48\x66\x79\x52\x72\x37\x57\x6d\x79\x70\x79\x47\x49\x79\x32\x6d"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 13
Aug 30 08:32:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\unittests\sshkey\testdata\dsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
1361
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:24.213 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:21:26.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x42\x73\x77\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x5a\x48\x0a\x4e\x7a\x41\x41\x41\x41\x67\x51\x44\x36"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 14
Aug 30 08:32:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\unittests\sshkey\testdata\ecdsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
227
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
CREATED:
Thu Aug 29 15:37:24.214 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:21:35.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x48\x63\x43\x41\x51\x45\x45\x49\x50\x50\x4e\x79\x55\x41\x6e\x6a\x76\x46\x72\x2b\x65\x54\x2f\x37\x74\x2f\x49\x79\x6a\x75\x51\x51\x64\x2f\x61\x4c\x46\x69\x54\x59\x39\x32\x4c\x42\x39\x67\x49\x6a\x79\x72"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 15
Aug 30 08:32:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\unittests\sshkey\testdata\ecdsa_2
EXT:
TYPE:
Certificate PEM
SIZE:
365
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
CREATED:
Thu Aug 29 15:37:24.217 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:22:18.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x48\x63\x41\x67\x45\x42\x42\x45\x49\x42\x71\x42\x74\x4e\x37\x65\x36\x45\x73\x73\x64\x33\x64\x6c\x73\x67\x49\x53\x56\x69\x50\x43\x58\x58\x43\x30\x61\x74\x6c\x4e\x6b\x47\x74\x6f\x4d\x67\x53\x51\x64"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 16
Aug 30 08:32:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\unittests\sshkey\testdata\ecdsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
492
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:24.224 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:22:50.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x61\x41\x41\x41\x41\x42\x4e\x6c\x59\x32\x52\x7a\x59\x53\x0a\x31\x7a\x61\x47\x45\x79\x4c\x57\x35\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 17
Aug 30 08:32:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\unittests\sshkey\testdata\ecdsa_sk1
EXT:
TYPE:
Certificate PEM
SIZE:
849
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:24.225 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:22:58.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 18
Aug 30 08:32:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\unittests\sshkey\testdata\ecdsa_sk2
EXT:
TYPE:
Certificate PEM
SIZE:
849
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:24.240 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:23:29.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 19
Aug 30 08:32:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\unittests\sshkey\testdata\ed25519_1
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:24.243 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:23:49.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 20
Aug 30 08:32:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\unittests\sshkey\testdata\ed25519_2
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:24.248 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:24:23.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 21
Aug 30 08:32:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\unittests\sshkey\testdata\ed25519_sk1
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:24.254 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:24:45.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 22
Aug 30 08:32:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\unittests\sshkey\testdata\ed25519_sk2
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:24.258 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:25:17.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 23
Aug 30 08:32:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\unittests\sshkey\testdata\rsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Thu Aug 29 15:37:24.261 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:25:39.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 24
Aug 30 08:32:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\unittests\sshkey\testdata\rsa_1_sha1
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Thu Aug 29 15:37:24.266 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:09:43.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 25
Aug 30 08:32:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\unittests\sshkey\testdata\rsa_1_sha512
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Thu Aug 29 15:37:24.268 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:09:57.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 26
Aug 30 08:32:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\unittests\sshkey\testdata\rsa_2
EXT:
TYPE:
Certificate PEM
SIZE:
1679
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Thu Aug 29 15:37:24.270 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:10:10.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x45\x70\x41\x49\x42\x41\x41\x4b\x43\x41\x51\x45\x41\x39\x4e\x45\x55\x58\x70\x37\x38\x53\x41\x6b\x6d\x4c\x34\x2b\x65\x41\x6a\x34\x6d\x42\x7a\x50\x4f\x6a\x6b\x2b\x63\x63\x43\x50\x56\x7a\x6b\x54\x52\x2b"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 27
Aug 30 08:32:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\unittests\sshkey\testdata\rsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
1020
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:24.274 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:10:40.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x6c\x77\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x63\x6e\x0a\x4e\x68\x41\x41\x41\x41\x41\x77\x45\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 28
Aug 30 08:32:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\unittests\sshsig\testdata\ecdsa
EXT:
TYPE:
Certificate PEM
SIZE:
227
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
CREATED:
Thu Aug 29 15:37:24.281 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:11:16.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x48\x63\x43\x41\x51\x45\x45\x49\x46\x67\x30\x5a\x43\x53\x45\x42\x35\x4c\x4e\x65\x4c\x73\x58\x59\x4c\x32\x35\x67\x33\x6b\x71\x45\x57\x73\x71\x68\x35\x32\x44\x52\x2b\x79\x4e\x4f\x6a\x79\x51\x4a\x71\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 29
Aug 30 08:32:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\unittests\sshsig\testdata\ecdsa_sk
EXT:
TYPE:
Certificate PEM
SIZE:
837
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:24.283 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:11:29.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 30
Aug 30 08:32:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\unittests\sshsig\testdata\ed25519
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:24.290 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:11:50.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 31
Aug 30 08:32:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\unittests\sshsig\testdata\ed25519_sk
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:24.292 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:12:02.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 32
Aug 30 08:32:08 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.5p1\regress\unittests\sshsig\testdata\rsa
EXT:
TYPE:
Certificate PEM
SIZE:
2455
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Thu Aug 29 15:37:24.294 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:12:19.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 33
Aug 30 08:32:12 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\ed25519_openssh.prv
EXT:
.prv
TYPE:
Certificate PEM
SIZE:
419
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:25.452 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:18:04.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 34
Aug 30 08:32:12 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\rsa_openssh.prv
EXT:
.prv
TYPE:
Certificate PEM
SIZE:
883
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Thu Aug 29 15:37:25.532 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:24:55.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 35
Aug 30 08:32:13 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_dsa
EXT:
TYPE:
Certificate PEM
SIZE:
1361
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:25.506 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:21:47.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 36
Aug 30 08:32:13 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_ecdsa
EXT:
TYPE:
Certificate PEM
SIZE:
492
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:25.508 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:22:01.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 37
Aug 30 08:32:13 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_ecdsa_sk
EXT:
TYPE:
Certificate PEM
SIZE:
858
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:25.512 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:22:14.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 38
Aug 30 08:32:13 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_ed25519
EXT:
TYPE:
Certificate PEM
SIZE:
387
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:25.513 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:22:27.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 39
Aug 30 08:32:13 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_ed25519_sk
EXT:
TYPE:
Certificate PEM
SIZE:
496
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:25.515 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:22:39.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 40
Aug 30 08:32:13 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_rsa
EXT:
TYPE:
Certificate PEM
SIZE:
1799
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:25.517 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:22:52.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 41
Aug 30 08:32:13 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\unittests\sshkey\testdata\dsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
672
FIRSTBYTES:
2d2d2d2d2d424547494e20445341205052495641 / -----BEGIN DSA PRIVA
CREATED:
Thu Aug 29 15:37:25.698 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:19:01.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 42
Aug 30 08:32:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\unittests\sshkey\testdata\dsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
1361
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:25.708 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:20:07.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 43
Aug 30 08:32:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\unittests\sshkey\testdata\ecdsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
227
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
CREATED:
Thu Aug 29 15:37:25.709 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:20:17.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 44
Aug 30 08:32:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\unittests\sshkey\testdata\ecdsa_2
EXT:
TYPE:
Certificate PEM
SIZE:
365
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
CREATED:
Thu Aug 29 15:37:25.713 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:21:01.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 45
Aug 30 08:32:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\unittests\sshkey\testdata\ecdsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
492
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:25.720 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:21:32.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 46
Aug 30 08:32:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\unittests\sshkey\testdata\ecdsa_sk1
EXT:
TYPE:
Certificate PEM
SIZE:
849
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:25.721 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:21:40.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 47
Aug 30 08:32:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\unittests\sshkey\testdata\ecdsa_sk2
EXT:
TYPE:
Certificate PEM
SIZE:
849
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:25.725 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:22:10.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 48
Aug 30 08:32:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\unittests\sshkey\testdata\ed25519_1
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:25.727 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:22:27.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 49
Aug 30 08:32:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\unittests\sshkey\testdata\ed25519_2
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:25.732 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:22:58.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 50
Aug 30 08:32:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\unittests\sshkey\testdata\ed25519_sk1
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:25.784 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:23:17.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 51
Aug 30 08:32:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\unittests\sshkey\testdata\ed25519_sk2
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:25.790 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:23:49.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 52
Aug 30 08:32:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\unittests\sshkey\testdata\rsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Thu Aug 29 15:37:25.794 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:24:15.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 53
Aug 30 08:32:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\unittests\sshkey\testdata\rsa_1_sha1
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Thu Aug 29 15:37:25.801 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:25:04.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 54
Aug 30 08:32:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\unittests\sshkey\testdata\rsa_1_sha512
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Thu Aug 29 15:37:25.803 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:25:17.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 55
Aug 30 08:32:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\unittests\sshkey\testdata\rsa_2
EXT:
TYPE:
Certificate PEM
SIZE:
1679
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Thu Aug 29 15:37:25.806 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:25:31.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x45\x70\x41\x49\x42\x41\x41\x4b\x43\x41\x51\x45\x41\x39\x4e\x45\x55\x58\x70\x37\x38\x53\x41\x6b\x6d\x4c\x34\x2b\x65\x41\x6a\x34\x6d\x42\x7a\x50\x4f\x6a\x6b\x2b\x63\x63\x43\x50\x56\x7a\x6b\x54\x52\x2b"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 56
Aug 30 08:32:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\unittests\sshkey\testdata\rsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
1020
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:25.810 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:09:21.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x6c\x77\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x63\x6e\x0a\x4e\x68\x41\x41\x41\x41\x41\x77\x45\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 57
Aug 30 08:32:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\unittests\sshsig\testdata\ecdsa
EXT:
TYPE:
Certificate PEM
SIZE:
227
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
CREATED:
Thu Aug 29 15:37:25.868 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:10:02.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x48\x63\x43\x41\x51\x45\x45\x49\x46\x67\x30\x5a\x43\x53\x45\x42\x35\x4c\x4e\x65\x4c\x73\x58\x59\x4c\x32\x35\x67\x33\x6b\x71\x45\x57\x73\x71\x68\x35\x32\x44\x52\x2b\x79\x4e\x4f\x6a\x79\x51\x4a\x71\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 58
Aug 30 08:32:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\unittests\sshsig\testdata\ecdsa_sk
EXT:
TYPE:
Certificate PEM
SIZE:
837
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:25.871 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:10:18.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 59
Aug 30 08:32:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\unittests\sshsig\testdata\ed25519
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:25.875 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:10:40.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 60
Aug 30 08:32:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\unittests\sshsig\testdata\ed25519_sk
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Thu Aug 29 15:37:25.877 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:10:52.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 61
Aug 30 08:32:14 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\BUILD\openssh-8.8p1\regress\unittests\sshsig\testdata\rsa
EXT:
TYPE:
Certificate PEM
SIZE:
2455
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Thu Aug 29 15:37:25.880 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:11:09.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x47\x34\x77\x49\x42\x41\x41\x4b\x43\x41\x59\x45\x41\x33\x38\x36\x6c\x6d\x6a\x52\x48\x74\x4a\x70\x79\x6a\x38\x37\x42\x72\x53\x2b\x73\x73\x4d\x6d\x74\x76\x63\x2f\x31\x53\x50\x4e\x30\x67\x58\x54\x50\x73"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 62
Aug 30 08:32:16 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_dsa
EXT:
TYPE:
Certificate PEM
SIZE:
1361
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x42\x73\x67\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x5a\x48\x0a\x4e\x7a\x41\x41\x41\x41\x67\x51\x43\x73"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 63
Aug 30 08:32:16 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_ecdsa
EXT:
TYPE:
Certificate PEM
SIZE:
492
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x61\x41\x41\x41\x41\x42\x4e\x6c\x59\x32\x52\x7a\x59\x53\x0a\x31\x7a\x61\x47\x45\x79\x4c\x57\x35\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 64
Aug 30 08:32:16 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_ecdsa_sk
EXT:
TYPE:
Certificate PEM
SIZE:
858
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 65
Aug 30 08:32:16 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_ed25519
EXT:
TYPE:
Certificate PEM
SIZE:
387
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 66
Aug 30 08:32:16 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_ed25519_sk
EXT:
TYPE:
Certificate PEM
SIZE:
496
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 67
Aug 30 08:32:16 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_rsa
EXT:
TYPE:
Certificate PEM
SIZE:
1799
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x42\x46\x77\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x63\x6e\x0a\x4e\x68\x41\x41\x41\x41\x41\x77\x45\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 68
Aug 30 08:32:16 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\rsa_openssh.prv
EXT:
.prv
TYPE:
Certificate PEM
SIZE:
883
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x57\x67\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x73\x69\x6c\x77\x4b\x63\x61\x4b\x4e\x36\x77\x53\x4d\x4e\x64\x31\x57\x67\x51\x39\x2b\x48\x52\x71\x51\x45\x6b\x44\x30\x6b\x43\x54\x56\x74\x74\x72\x61\x7a"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 69
Aug 30 08:32:16 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\dsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
672
FIRSTBYTES:
2d2d2d2d2d424547494e20445341205052495641 / -----BEGIN DSA PRIVA
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x44\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x42\x76\x41\x49\x42\x41\x41\x4b\x42\x67\x51" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x44\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x42\x76\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x36\x6b\x75\x74\x4e\x46\x52\x73\x48\x54\x77\x45\x41\x76\x36\x64\x33\x39\x4c\x68\x73\x71\x79\x31\x61\x70\x64\x48\x42\x5a\x39\x63\x32\x48\x66\x79\x52\x72\x37\x57\x6d\x79\x70\x79\x47\x49\x79\x32\x6d"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 70
Aug 30 08:32:16 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\dsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
1361
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x42\x73\x77\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x5a\x48\x0a\x4e\x7a\x41\x41\x41\x41\x67\x51\x44\x36"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 71
Aug 30 08:32:16 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\ecdsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
227
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x48\x63\x43\x41\x51\x45\x45\x49\x50\x50\x4e\x79\x55\x41\x6e\x6a\x76\x46\x72\x2b\x65\x54\x2f\x37\x74\x2f\x49\x79\x6a\x75\x51\x51\x64\x2f\x61\x4c\x46\x69\x54\x59\x39\x32\x4c\x42\x39\x67\x49\x6a\x79\x72"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 72
Aug 30 08:32:16 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\ecdsa_2
EXT:
TYPE:
Certificate PEM
SIZE:
365
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x48\x63\x41\x67\x45\x42\x42\x45\x49\x42\x71\x42\x74\x4e\x37\x65\x36\x45\x73\x73\x64\x33\x64\x6c\x73\x67\x49\x53\x56\x69\x50\x43\x58\x58\x43\x30\x61\x74\x6c\x4e\x6b\x47\x74\x6f\x4d\x67\x53\x51\x64"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 73
Aug 30 08:32:16 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\ecdsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
492
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x61\x41\x41\x41\x41\x42\x4e\x6c\x59\x32\x52\x7a\x59\x53\x0a\x31\x7a\x61\x47\x45\x79\x4c\x57\x35\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 74
Aug 30 08:32:16 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\ecdsa_sk1
EXT:
TYPE:
Certificate PEM
SIZE:
849
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 75
Aug 30 08:32:16 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\ecdsa_sk2
EXT:
TYPE:
Certificate PEM
SIZE:
849
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 76
Aug 30 08:32:16 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\ed25519_1
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 77
Aug 30 08:32:16 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\ed25519_2
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 78
Aug 30 08:32:17 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\ed25519_sk1
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 79
Aug 30 08:32:17 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\ed25519_sk2
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 80
Aug 30 08:32:17 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\rsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 81
Aug 30 08:32:17 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\rsa_1_sha1
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 82
Aug 30 08:32:17 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\rsa_1_sha512
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 83
Aug 30 08:32:17 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\rsa_2
EXT:
TYPE:
Certificate PEM
SIZE:
1679
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x45\x70\x41\x49\x42\x41\x41\x4b\x43\x41\x51\x45\x41\x39\x4e\x45\x55\x58\x70\x37\x38\x53\x41\x6b\x6d\x4c\x34\x2b\x65\x41\x6a\x34\x6d\x42\x7a\x50\x4f\x6a\x6b\x2b\x63\x63\x43\x50\x56\x7a\x6b\x54\x52\x2b"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 84
Aug 30 08:32:17 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\rsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
1020
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x6c\x77\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x63\x6e\x0a\x4e\x68\x41\x41\x41\x41\x41\x77\x45\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 85
Aug 30 08:32:17 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshsig\testdata\ecdsa
EXT:
TYPE:
Certificate PEM
SIZE:
227
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x48\x63\x43\x41\x51\x45\x45\x49\x46\x67\x30\x5a\x43\x53\x45\x42\x35\x4c\x4e\x65\x4c\x73\x58\x59\x4c\x32\x35\x67\x33\x6b\x71\x45\x57\x73\x71\x68\x35\x32\x44\x52\x2b\x79\x4e\x4f\x6a\x79\x51\x4a\x71\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 86
Aug 30 08:32:17 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshsig\testdata\ecdsa_sk
EXT:
TYPE:
Certificate PEM
SIZE:
837
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 87
Aug 30 08:32:17 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshsig\testdata\ed25519
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 88
Aug 30 08:32:17 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshsig\testdata\ed25519_sk
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 89
Aug 30 08:32:17 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshsig\testdata\rsa
EXT:
TYPE:
Certificate PEM
SIZE:
2455
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.848 2024
ARCHIVE_MODIFIED:
Tue Oct 19 13:53:34.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:13:50.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x47\x34\x77\x49\x42\x41\x41\x4b\x43\x41\x59\x45\x41\x33\x38\x36\x6c\x6d\x6a\x52\x48\x74\x4a\x70\x79\x6a\x38\x37\x42\x72\x53\x2b\x73\x73\x4d\x6d\x74\x76\x63\x2f\x31\x53\x50\x4e\x30\x67\x58\x54\x50\x73"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 90
Aug 30 08:32:18 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\ed25519_openssh.prv
EXT:
.prv
TYPE:
Certificate PEM
SIZE:
419
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 91
Aug 30 08:32:18 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_dsa
EXT:
TYPE:
Certificate PEM
SIZE:
1361
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x42\x73\x67\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x5a\x48\x0a\x4e\x7a\x41\x41\x41\x41\x67\x51\x43\x73"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 92
Aug 30 08:32:18 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_ecdsa
EXT:
TYPE:
Certificate PEM
SIZE:
492
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x61\x41\x41\x41\x41\x42\x4e\x6c\x59\x32\x52\x7a\x59\x53\x0a\x31\x7a\x61\x47\x45\x79\x4c\x57\x35\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 93
Aug 30 08:32:18 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_ecdsa_sk
EXT:
TYPE:
Certificate PEM
SIZE:
858
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 94
Aug 30 08:32:18 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_ed25519
EXT:
TYPE:
Certificate PEM
SIZE:
387
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 95
Aug 30 08:32:18 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_ed25519_sk
EXT:
TYPE:
Certificate PEM
SIZE:
496
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 96
Aug 30 08:32:18 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_rsa
EXT:
TYPE:
Certificate PEM
SIZE:
1799
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x42\x46\x77\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x63\x6e\x0a\x4e\x68\x41\x41\x41\x41\x41\x77\x45\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 97
Aug 30 08:32:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\rsa_openssh.prv
EXT:
.prv
TYPE:
Certificate PEM
SIZE:
883
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x57\x67\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x73\x69\x6c\x77\x4b\x63\x61\x4b\x4e\x36\x77\x53\x4d\x4e\x64\x31\x57\x67\x51\x39\x2b\x48\x52\x71\x51\x45\x6b\x44\x30\x6b\x43\x54\x56\x74\x74\x72\x61\x7a"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 98
Aug 30 08:32:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\dsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
672
FIRSTBYTES:
2d2d2d2d2d424547494e20445341205052495641 / -----BEGIN DSA PRIVA
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x44\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x42\x76\x41\x49\x42\x41\x41\x4b\x42\x67\x51" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x44\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x42\x76\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x36\x6b\x75\x74\x4e\x46\x52\x73\x48\x54\x77\x45\x41\x76\x36\x64\x33\x39\x4c\x68\x73\x71\x79\x31\x61\x70\x64\x48\x42\x5a\x39\x63\x32\x48\x66\x79\x52\x72\x37\x57\x6d\x79\x70\x79\x47\x49\x79\x32\x6d"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 99
Aug 30 08:32:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\dsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
1361
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x42\x73\x77\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x5a\x48\x0a\x4e\x7a\x41\x41\x41\x41\x67\x51\x44\x36"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 100
Aug 30 08:32:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\ecdsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
227
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x48\x63\x43\x41\x51\x45\x45\x49\x50\x50\x4e\x79\x55\x41\x6e\x6a\x76\x46\x72\x2b\x65\x54\x2f\x37\x74\x2f\x49\x79\x6a\x75\x51\x51\x64\x2f\x61\x4c\x46\x69\x54\x59\x39\x32\x4c\x42\x39\x67\x49\x6a\x79\x72"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 101
Aug 30 08:32:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\ecdsa_2
EXT:
TYPE:
Certificate PEM
SIZE:
365
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x48\x63\x41\x67\x45\x42\x42\x45\x49\x42\x71\x42\x74\x4e\x37\x65\x36\x45\x73\x73\x64\x33\x64\x6c\x73\x67\x49\x53\x56\x69\x50\x43\x58\x58\x43\x30\x61\x74\x6c\x4e\x6b\x47\x74\x6f\x4d\x67\x53\x51\x64"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 102
Aug 30 08:32:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\ecdsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
492
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x61\x41\x41\x41\x41\x42\x4e\x6c\x59\x32\x52\x7a\x59\x53\x0a\x31\x7a\x61\x47\x45\x79\x4c\x57\x35\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 103
Aug 30 08:32:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\ecdsa_sk1
EXT:
TYPE:
Certificate PEM
SIZE:
849
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 104
Aug 30 08:32:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\ecdsa_sk2
EXT:
TYPE:
Certificate PEM
SIZE:
849
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 105
Aug 30 08:32:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\ed25519_1
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 106
Aug 30 08:32:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\ed25519_2
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 107
Aug 30 08:32:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\ed25519_sk1
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 108
Aug 30 08:32:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\ed25519_sk2
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 109
Aug 30 08:32:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\rsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 110
Aug 30 08:32:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\rsa_1_sha1
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 111
Aug 30 08:32:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\rsa_1_sha512
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 112
Aug 30 08:32:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\rsa_2
EXT:
TYPE:
Certificate PEM
SIZE:
1679
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x45\x70\x41\x49\x42\x41\x41\x4b\x43\x41\x51\x45\x41\x39\x4e\x45\x55\x58\x70\x37\x38\x53\x41\x6b\x6d\x4c\x34\x2b\x65\x41\x6a\x34\x6d\x42\x7a\x50\x4f\x6a\x6b\x2b\x63\x63\x43\x50\x56\x7a\x6b\x54\x52\x2b"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 113
Aug 30 08:32:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\rsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
1020
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x6c\x77\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x63\x6e\x0a\x4e\x68\x41\x41\x41\x41\x41\x77\x45\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 114
Aug 30 08:32:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshsig\testdata\ecdsa
EXT:
TYPE:
Certificate PEM
SIZE:
227
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x48\x63\x43\x41\x51\x45\x45\x49\x46\x67\x30\x5a\x43\x53\x45\x42\x35\x4c\x4e\x65\x4c\x73\x58\x59\x4c\x32\x35\x67\x33\x6b\x71\x45\x57\x73\x71\x68\x35\x32\x44\x52\x2b\x79\x4e\x4f\x6a\x79\x51\x4a\x71\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 115
Aug 30 08:32:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshsig\testdata\ecdsa_sk
EXT:
TYPE:
Certificate PEM
SIZE:
837
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 116
Aug 30 08:32:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshsig\testdata\ed25519
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 117
Aug 30 08:32:19 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshsig\testdata\ed25519_sk
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 118
Aug 30 08:32:20 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshsig\testdata\rsa
EXT:
TYPE:
Certificate PEM
SIZE:
2455
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\home\rpmbuilder\rpmbuild\SOURCES\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Thu Aug 29 15:37:22.890 2024
ARCHIVE_MODIFIED:
Tue Oct 19 14:06:19.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:25:11.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x47\x34\x77\x49\x42\x41\x41\x4b\x43\x41\x59\x45\x41\x33\x38\x36\x6c\x6d\x6a\x52\x48\x74\x4a\x70\x79\x6a\x38\x37\x42\x72\x53\x2b\x73\x73\x4d\x6d\x74\x76\x63\x2f\x31\x53\x50\x4e\x30\x67\x58\x54\x50\x73"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 119
Aug 30 08:32:21 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_dsa
EXT:
TYPE:
Certificate PEM
SIZE:
1361
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x42\x73\x67\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x5a\x48\x0a\x4e\x7a\x41\x41\x41\x41\x67\x51\x43\x73"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 120
Aug 30 08:32:21 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_ecdsa
EXT:
TYPE:
Certificate PEM
SIZE:
492
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x61\x41\x41\x41\x41\x42\x4e\x6c\x59\x32\x52\x7a\x59\x53\x0a\x31\x7a\x61\x47\x45\x79\x4c\x57\x35\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 121
Aug 30 08:32:21 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_ecdsa_sk
EXT:
TYPE:
Certificate PEM
SIZE:
858
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 122
Aug 30 08:32:21 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_ed25519
EXT:
TYPE:
Certificate PEM
SIZE:
387
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 123
Aug 30 08:32:21 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_ed25519_sk
EXT:
TYPE:
Certificate PEM
SIZE:
496
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 124
Aug 30 08:32:21 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_rsa
EXT:
TYPE:
Certificate PEM
SIZE:
1799
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x42\x46\x77\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x63\x6e\x0a\x4e\x68\x41\x41\x41\x41\x41\x77\x45\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 125
Aug 30 08:32:22 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\rsa_openssh.prv
EXT:
.prv
TYPE:
Certificate PEM
SIZE:
883
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x57\x67\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x73\x69\x6c\x77\x4b\x63\x61\x4b\x4e\x36\x77\x53\x4d\x4e\x64\x31\x57\x67\x51\x39\x2b\x48\x52\x71\x51\x45\x6b\x44\x30\x6b\x43\x54\x56\x74\x74\x72\x61\x7a"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 126
Aug 30 08:32:22 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\dsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
672
FIRSTBYTES:
2d2d2d2d2d424547494e20445341205052495641 / -----BEGIN DSA PRIVA
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x44\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x42\x76\x41\x49\x42\x41\x41\x4b\x42\x67\x51" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x44\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x42\x76\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x36\x6b\x75\x74\x4e\x46\x52\x73\x48\x54\x77\x45\x41\x76\x36\x64\x33\x39\x4c\x68\x73\x71\x79\x31\x61\x70\x64\x48\x42\x5a\x39\x63\x32\x48\x66\x79\x52\x72\x37\x57\x6d\x79\x70\x79\x47\x49\x79\x32\x6d"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 127
Aug 30 08:32:22 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\dsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
1361
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x42\x73\x77\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x5a\x48\x0a\x4e\x7a\x41\x41\x41\x41\x67\x51\x44\x36"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 128
Aug 30 08:32:22 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\ecdsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
227
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x48\x63\x43\x41\x51\x45\x45\x49\x50\x50\x4e\x79\x55\x41\x6e\x6a\x76\x46\x72\x2b\x65\x54\x2f\x37\x74\x2f\x49\x79\x6a\x75\x51\x51\x64\x2f\x61\x4c\x46\x69\x54\x59\x39\x32\x4c\x42\x39\x67\x49\x6a\x79\x72"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 129
Aug 30 08:32:22 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\ecdsa_2
EXT:
TYPE:
Certificate PEM
SIZE:
365
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x48\x63\x41\x67\x45\x42\x42\x45\x49\x42\x71\x42\x74\x4e\x37\x65\x36\x45\x73\x73\x64\x33\x64\x6c\x73\x67\x49\x53\x56\x69\x50\x43\x58\x58\x43\x30\x61\x74\x6c\x4e\x6b\x47\x74\x6f\x4d\x67\x53\x51\x64"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 130
Aug 30 08:32:22 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\ecdsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
492
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x61\x41\x41\x41\x41\x42\x4e\x6c\x59\x32\x52\x7a\x59\x53\x0a\x31\x7a\x61\x47\x45\x79\x4c\x57\x35\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 131
Aug 30 08:32:22 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\ecdsa_sk1
EXT:
TYPE:
Certificate PEM
SIZE:
849
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 132
Aug 30 08:32:22 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\ecdsa_sk2
EXT:
TYPE:
Certificate PEM
SIZE:
849
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 133
Aug 30 08:32:22 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\ed25519_1
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 134
Aug 30 08:32:22 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\ed25519_2
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 135
Aug 30 08:32:22 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\ed25519_sk1
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 136
Aug 30 08:32:22 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\ed25519_sk2
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 137
Aug 30 08:32:22 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\rsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 138
Aug 30 08:32:22 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\rsa_1_sha1
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 139
Aug 30 08:32:22 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\rsa_1_sha512
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 140
Aug 30 08:32:22 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\rsa_2
EXT:
TYPE:
Certificate PEM
SIZE:
1679
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x45\x70\x41\x49\x42\x41\x41\x4b\x43\x41\x51\x45\x41\x39\x4e\x45\x55\x58\x70\x37\x38\x53\x41\x6b\x6d\x4c\x34\x2b\x65\x41\x6a\x34\x6d\x42\x7a\x50\x4f\x6a\x6b\x2b\x63\x63\x43\x50\x56\x7a\x6b\x54\x52\x2b"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 141
Aug 30 08:32:22 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshkey\testdata\rsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
1020
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x6c\x77\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x63\x6e\x0a\x4e\x68\x41\x41\x41\x41\x41\x77\x45\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 142
Aug 30 08:32:22 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshsig\testdata\ecdsa
EXT:
TYPE:
Certificate PEM
SIZE:
227
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x48\x63\x43\x41\x51\x45\x45\x49\x46\x67\x30\x5a\x43\x53\x45\x42\x35\x4c\x4e\x65\x4c\x73\x58\x59\x4c\x32\x35\x67\x33\x6b\x71\x45\x57\x73\x71\x68\x35\x32\x44\x52\x2b\x79\x4e\x4f\x6a\x79\x51\x4a\x71\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 143
Aug 30 08:32:22 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshsig\testdata\ecdsa_sk
EXT:
TYPE:
Certificate PEM
SIZE:
837
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 144
Aug 30 08:32:22 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshsig\testdata\ed25519
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 145
Aug 30 08:32:22 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshsig\testdata\ed25519_sk
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 146
Aug 30 08:32:22 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz\openssh-8.5p1\regress\unittests\sshsig\testdata\rsa
EXT:
TYPE:
Certificate PEM
SIZE:
2455
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Tue Mar 2 10:31:47.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1779733
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbde976db48962e5a7f / vH.Z
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.477 2024
ARCHIVE_MODIFIED:
Wed Mar 3 00:46:27.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:27:15.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x47\x34\x77\x49\x42\x41\x41\x4b\x43\x41\x59\x45\x41\x33\x38\x36\x6c\x6d\x6a\x52\x48\x74\x4a\x70\x79\x6a\x38\x37\x42\x72\x53\x2b\x73\x73\x4d\x6d\x74\x76\x63\x2f\x31\x53\x50\x4e\x30\x67\x58\x54\x50\x73"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 147
Aug 30 08:32:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\ed25519_openssh.prv
EXT:
.prv
TYPE:
Certificate PEM
SIZE:
419
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 148
Aug 30 08:32:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_dsa
EXT:
TYPE:
Certificate PEM
SIZE:
1361
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x42\x73\x67\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x5a\x48\x0a\x4e\x7a\x41\x41\x41\x41\x67\x51\x43\x73"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 149
Aug 30 08:32:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_ecdsa
EXT:
TYPE:
Certificate PEM
SIZE:
492
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x61\x41\x41\x41\x41\x42\x4e\x6c\x59\x32\x52\x7a\x59\x53\x0a\x31\x7a\x61\x47\x45\x79\x4c\x57\x35\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 150
Aug 30 08:32:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_ecdsa_sk
EXT:
TYPE:
Certificate PEM
SIZE:
858
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 151
Aug 30 08:32:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_ed25519
EXT:
TYPE:
Certificate PEM
SIZE:
387
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 152
Aug 30 08:32:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_ed25519_sk
EXT:
TYPE:
Certificate PEM
SIZE:
496
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 153
Aug 30 08:32:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_rsa
EXT:
TYPE:
Certificate PEM
SIZE:
1799
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x42\x46\x77\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x63\x6e\x0a\x4e\x68\x41\x41\x41\x41\x41\x77\x45\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 154
Aug 30 08:32:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\rsa_openssh.prv
EXT:
.prv
TYPE:
Certificate PEM
SIZE:
883
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x57\x67\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x73\x69\x6c\x77\x4b\x63\x61\x4b\x4e\x36\x77\x53\x4d\x4e\x64\x31\x57\x67\x51\x39\x2b\x48\x52\x71\x51\x45\x6b\x44\x30\x6b\x43\x54\x56\x74\x74\x72\x61\x7a"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
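Every notice in this run fires on the same thing: the PEM armour line followed by the first bytes of the key body. Decoding the OpenSSH-format match shows why the rule calls the key unencrypted: the base64 after "-----BEGIN OPENSSH PRIVATE KEY-----" decodes to the openssh-key-v1 magic, ciphername "none", kdfname "none", one key, and the key type ("ssh-ed25519", "ssh-rsa", "sk-ssh-ed25519@openssh.com", ...). The legacy "-----BEGIN RSA PRIVATE KEY-----" matches carry no Proc-Type/DEK-Info header and begin with a DER SEQUENCE. The Python below is an added example, not THOR's or OpenSSH's code; it re-derives that from the truncated MATCHED_1 strings on this page (hex escapes decoded) and from two constructed encrypted counterparts. The constructed samples, the function names and the keytype_complete flag are this example's own.

```python
"""Decode what the EXT_VULN_Unencrypted_SSH_Private_Key match actually says.

Added example, not THOR's or OpenSSH's code: parse an SSH private key header
and report whether the key material is stored without a passphrase. Sample
inputs are the truncated MATCHED_1 strings from the notices above (hex escapes
decoded), so the parser must tolerate a body that is cut off mid-field.
"""
import base64
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # fixed prefix of the openssh-key-v1 format


def _read_string(buf: bytes, off: int):
    """Read one SSH wire string (uint32 big-endian length + bytes) at off.
    Returns (value, next_offset, complete); complete is False when the buffer
    ended before the whole string was available."""
    if off + 4 > len(buf):
        raise ValueError("truncated before length field at offset %d" % off)
    (length,) = struct.unpack(">I", buf[off:off + 4])
    value = buf[off + 4:off + 4 + length]
    return value, off + 4 + length, len(value) == length


def _body_bytes(pem_text: str) -> bytes:
    """Base64-decode the armoured body, skipping BEGIN/END lines and 'Name: value'
    PEM headers; an incomplete final quartet is dropped so a truncated match decodes."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    b64 = "".join(ln for ln in lines if ln and not ln.startswith("-----") and ":" not in ln)
    return base64.b64decode(b64[: len(b64) - len(b64) % 4])


def parse_openssh_v1(pem_text: str) -> dict:
    """openssh-key-v1 layout: magic, string ciphername, string kdfname, string
    kdfoptions, uint32 nkeys, string publickey, string privatesection (encrypted
    with ciphername/kdfname). ciphername == "none" means the private part is plaintext."""
    buf = _body_bytes(pem_text)
    if not buf.startswith(OPENSSH_MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    off = len(OPENSSH_MAGIC)
    cipher, off, _ = _read_string(buf, off)
    kdf, off, _ = _read_string(buf, off)
    _kdfopts, off, _ = _read_string(buf, off)
    (nkeys,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    # The public key blob is itself a wire string whose first field is the key
    # type name; skip the outer length and read that inner string directly.
    keytype, _, complete = _read_string(buf, off + 4)
    return {"format": "openssh-v1", "cipher": cipher.decode(), "kdf": kdf.decode(),
            "nkeys": nkeys, "keytype": keytype.decode(), "keytype_complete": complete,
            "encrypted": cipher != b"none"}


def parse_legacy_pem(pem_text: str) -> dict:
    """Legacy PEM (PKCS#1 RSA, OpenSSL DSA, SEC1 EC): a passphrase shows up as
    'Proc-Type: 4,ENCRYPTED' plus 'DEK-Info:' headers; without them the body is a
    plaintext DER SEQUENCE, i.e. its first byte is 0x30."""
    m = re.match(r"\s*-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", pem_text)
    if not m:
        raise ValueError("not a legacy PEM private key")
    encrypted = re.search(r"^Proc-Type: 4,ENCRYPTED$", pem_text, re.M) is not None
    return {"format": "pem", "keytype": m.group(1), "encrypted": encrypted,
            "der_sequence": _body_bytes(pem_text)[:1] == b"\x30"}


def inspect_key(pem_text: str) -> dict:
    """Dispatch on the armour label and return the parsed header fields."""
    if pem_text.lstrip().startswith("-----BEGIN OPENSSH PRIVATE KEY-----"):
        return parse_openssh_v1(pem_text)
    return parse_legacy_pem(pem_text)


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_v1_header(cipher: bytes, kdf: bytes, kdfopts: bytes, keytype: bytes) -> str:
    """Constructed sample: an openssh-key-v1 header with a dummy public key blob
    and no private section, which is all the parser looks at."""
    raw = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
           + struct.pack(">I", 1) + _ssh_string(_ssh_string(keytype) + _ssh_string(b"\x00" * 32)))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n"
            % base64.b64encode(raw).decode())


# MATCHED_1 prefixes copied from the report, keyed by the test-data file name.
REPORT_MATCHES = {
    "ed25519_1": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                 "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW\nQyNTUxOQAA",
    "id_ed25519_sk": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                     "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAASgAAABpzay1zc2\ngtZWQyNTUx",
    "rsa_n": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
             "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAlwAAAAdzc2gtcn\nNhAAAAAwEA",
    "rsa_openssh.prv": "-----BEGIN RSA PRIVATE KEY-----\nMIICWgIBAAKBgQDsilwKcaKN6wSMNd1WgQ9+HRqQEkD0kCTVttraz",
}
# Constructed counter-examples: the same two formats with a passphrase applied
# (bcrypt kdfoptions = string salt + uint32 rounds).
ENCRYPTED_V1 = build_v1_header(b"aes256-ctr", b"bcrypt",
                               _ssh_string(b"\x00" * 16) + struct.pack(">I", 16), b"ssh-ed25519")
ENCRYPTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 + base64.b64encode(b"\xa7" * 48).decode() + "\n-----END RSA PRIVATE KEY-----\n")
```

Running inspect_key over REPORT_MATCHES gives cipher "none" / kdf "none" for every OpenSSH-format hit and no Proc-Type header for the PKCS#1 one, which is exactly the condition the rule encodes; the two constructed samples show what an encrypted key of either format looks like to the same parser. The sk match is cut off inside the key type name, so keytype_complete comes back False there: when triaging from a scanner's matched-string excerpt rather than the file itself, check that flag before trusting the type.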
Notice 155
Aug 30 08:32:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\dsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
672
FIRSTBYTES:
2d2d2d2d2d424547494e20445341205052495641 / -----BEGIN DSA PRIVA
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x44\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x42\x76\x41\x49\x42\x41\x41\x4b\x42\x67\x51" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x44\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x42\x76\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x36\x6b\x75\x74\x4e\x46\x52\x73\x48\x54\x77\x45\x41\x76\x36\x64\x33\x39\x4c\x68\x73\x71\x79\x31\x61\x70\x64\x48\x42\x5a\x39\x63\x32\x48\x66\x79\x52\x72\x37\x57\x6d\x79\x70\x79\x47\x49\x79\x32\x6d"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 156
Aug 30 08:32:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\dsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
1361
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x42\x73\x77\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x5a\x48\x0a\x4e\x7a\x41\x41\x41\x41\x67\x51\x44\x36"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 157
Aug 30 08:32:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\ecdsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
227
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x48\x63\x43\x41\x51\x45\x45\x49\x50\x50\x4e\x79\x55\x41\x6e\x6a\x76\x46\x72\x2b\x65\x54\x2f\x37\x74\x2f\x49\x79\x6a\x75\x51\x51\x64\x2f\x61\x4c\x46\x69\x54\x59\x39\x32\x4c\x42\x39\x67\x49\x6a\x79\x72"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 158
Aug 30 08:32:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\ecdsa_2
EXT:
TYPE:
Certificate PEM
SIZE:
365
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x48\x63\x41\x67\x45\x42\x42\x45\x49\x42\x71\x42\x74\x4e\x37\x65\x36\x45\x73\x73\x64\x33\x64\x6c\x73\x67\x49\x53\x56\x69\x50\x43\x58\x58\x43\x30\x61\x74\x6c\x4e\x6b\x47\x74\x6f\x4d\x67\x53\x51\x64"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 159
Aug 30 08:32:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\ecdsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
492
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x61\x41\x41\x41\x41\x42\x4e\x6c\x59\x32\x52\x7a\x59\x53\x0a\x31\x7a\x61\x47\x45\x79\x4c\x57\x35\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 160
Aug 30 08:32:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\ecdsa_sk1
EXT:
TYPE:
Certificate PEM
SIZE:
849
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 161
Aug 30 08:32:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\ecdsa_sk2
EXT:
TYPE:
Certificate PEM
SIZE:
849
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 162
Aug 30 08:32:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\ed25519_1
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 163
Aug 30 08:32:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\ed25519_2
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 164
Aug 30 08:32:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\ed25519_sk1
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 165
Aug 30 08:32:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\ed25519_sk2
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 166
Aug 30 08:32:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\rsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 167
Aug 30 08:32:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\rsa_1_sha1
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 168
Aug 30 08:32:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\rsa_1_sha512
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 169
Aug 30 08:32:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\rsa_2
EXT:
TYPE:
Certificate PEM
SIZE:
1679
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x45\x70\x41\x49\x42\x41\x41\x4b\x43\x41\x51\x45\x41\x39\x4e\x45\x55\x58\x70\x37\x38\x53\x41\x6b\x6d\x4c\x34\x2b\x65\x41\x6a\x34\x6d\x42\x7a\x50\x4f\x6a\x6b\x2b\x63\x63\x43\x50\x56\x7a\x6b\x54\x52\x2b"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 170
Aug 30 08:32:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshkey\testdata\rsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
1020
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x6c\x77\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x63\x6e\x0a\x4e\x68\x41\x41\x41\x41\x41\x77\x45\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 171
Aug 30 08:32:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshsig\testdata\ecdsa
EXT:
TYPE:
Certificate PEM
SIZE:
227
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x48\x63\x43\x41\x51\x45\x45\x49\x46\x67\x30\x5a\x43\x53\x45\x42\x35\x4c\x4e\x65\x4c\x73\x58\x59\x4c\x32\x35\x67\x33\x6b\x71\x45\x57\x73\x71\x68\x35\x32\x44\x52\x2b\x79\x4e\x4f\x6a\x79\x51\x4a\x71\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 172
Aug 30 08:32:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshsig\testdata\ecdsa_sk
EXT:
TYPE:
Certificate PEM
SIZE:
837
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 173
Aug 30 08:32:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshsig\testdata\ed25519
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 174
Aug 30 08:32:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshsig\testdata\ed25519_sk
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 175
Aug 30 08:32:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz\openssh-8.8p1\regress\unittests\sshsig\testdata\rsa
EXT:
TYPE:
Certificate PEM
SIZE:
2455
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
MODIFIED:
Sun Sep 26 14:03:19.000 2021
PERMISSIONS:
ARCHIVE_FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1.tar.gz
ARCHIVE_TYPE:
GZIP
ARCHIVE_SIZE:
1815060
ARCHIVE_FIRSTBYTES:
1f8b0800000000000003ecbdeb76db46b62eda7f / vF.
ARCHIVE_CREATED:
Fri Aug 30 07:32:13.502 2024
ARCHIVE_MODIFIED:
Sun Sep 26 14:39:51.000 2021
ARCHIVE_ACCESSED:
Tue May 14 16:26:04.000 2024
ARCHIVE_PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
ARCHIVE_OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x47\x34\x77\x49\x42\x41\x41\x4b\x43\x41\x59\x45\x41\x33\x38\x36\x6c\x6d\x6a\x52\x48\x74\x4a\x70\x79\x6a\x38\x37\x42\x72\x53\x2b\x73\x73\x4d\x6d\x74\x76\x63\x2f\x31\x53\x50\x4e\x30\x67\x58\x54\x50\x73"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 176
Aug 30 08:32:26 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
40
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\smtp.pcap
EXT:
.pcap
TYPE:
WINPCAP
SIZE:
28256
FIRSTBYTES:
d4c3b2a102000400000000000000000000000400 / ò
CREATED:
Fri Aug 30 07:32:13.607 2024
MODIFIED:
Thu Feb 11 15:04:38.000 2021
ACCESSED:
Tue May 14 16:15:54.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule SUSP_WinPCap_Nov21 / WinPCap file found
SUBSCORE_1:
40
REF_1:
Internal Research
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • (none)
RULEDATE_1:
2021-11-12
TAGS_1:
EXTVAR, FILE, METARULE, SUSP
RULENAME_1:
SUSP_WinPCap_Nov21
AUTHOR_1:
Max Altgelt
REASONS_COUNT:
1
Notice 177
Aug 30 08:34:23 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\rsa_openssh.prv
EXT:
.prv
TYPE:
Certificate PEM
SIZE:
883
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Fri Aug 30 07:33:06.031 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:23:57.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x57\x67\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x73\x69\x6c\x77\x4b\x63\x61\x4b\x4e\x36\x77\x53\x4d\x4e\x64\x31\x57\x67\x51\x39\x2b\x48\x52\x71\x51\x45\x6b\x44\x30\x6b\x43\x54\x56\x74\x74\x72\x61\x7a"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 178
Aug 30 08:34:23 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_dsa
EXT:
TYPE:
Certificate PEM
SIZE:
1361
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:06.014 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:19:37.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x42\x73\x67\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x5a\x48\x0a\x4e\x7a\x41\x41\x41\x41\x67\x51\x43\x73"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 179
Aug 30 08:34:23 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_ecdsa
EXT:
TYPE:
Certificate PEM
SIZE:
492
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:06.015 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:19:54.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x61\x41\x41\x41\x41\x42\x4e\x6c\x59\x32\x52\x7a\x59\x53\x0a\x31\x7a\x61\x47\x45\x79\x4c\x57\x35\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 180
Aug 30 08:34:23 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_ecdsa_sk
EXT:
TYPE:
Certificate PEM
SIZE:
858
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:06.016 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:20:12.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 181
Aug 30 08:34:23 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_ed25519
EXT:
TYPE:
Certificate PEM
SIZE:
387
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:06.018 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:20:29.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 182
Aug 30 08:34:23 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_ed25519_sk
EXT:
TYPE:
Certificate PEM
SIZE:
496
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:06.019 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:20:45.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 183
Aug 30 08:34:23 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\misc\fuzz-harness\testdata\id_rsa
EXT:
TYPE:
Certificate PEM
SIZE:
1799
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:06.021 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:21:03.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x42\x46\x77\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x63\x6e\x0a\x4e\x68\x41\x41\x41\x41\x41\x77\x45\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 184
Aug 30 08:34:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\unittests\sshkey\testdata\dsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
672
FIRSTBYTES:
2d2d2d2d2d424547494e20445341205052495641 / -----BEGIN DSA PRIVA
CREATED:
Fri Aug 30 07:33:06.106 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:23:16.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x44\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x42\x76\x41\x49\x42\x41\x41\x4b\x42\x67\x51" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x44\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x42\x76\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x36\x6b\x75\x74\x4e\x46\x52\x73\x48\x54\x77\x45\x41\x76\x36\x64\x33\x39\x4c\x68\x73\x71\x79\x31\x61\x70\x64\x48\x42\x5a\x39\x63\x32\x48\x66\x79\x52\x72\x37\x57\x6d\x79\x70\x79\x47\x49\x79\x32\x6d"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 185
Aug 30 08:34:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\unittests\sshkey\testdata\dsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
1361
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:06.123 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:25:22.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x42\x73\x77\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x5a\x48\x0a\x4e\x7a\x41\x41\x41\x41\x67\x51\x44\x36"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 186
Aug 30 08:34:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\unittests\sshkey\testdata\ecdsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
227
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
CREATED:
Fri Aug 30 07:33:06.124 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:25:39.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x48\x63\x43\x41\x51\x45\x45\x49\x50\x50\x4e\x79\x55\x41\x6e\x6a\x76\x46\x72\x2b\x65\x54\x2f\x37\x74\x2f\x49\x79\x6a\x75\x51\x51\x64\x2f\x61\x4c\x46\x69\x54\x59\x39\x32\x4c\x42\x39\x67\x49\x6a\x79\x72"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 187
Aug 30 08:34:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\unittests\sshkey\testdata\ecdsa_2
EXT:
TYPE:
Certificate PEM
SIZE:
365
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
CREATED:
Fri Aug 30 07:33:06.126 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:27:24.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x48\x63\x41\x67\x45\x42\x42\x45\x49\x42\x71\x42\x74\x4e\x37\x65\x36\x45\x73\x73\x64\x33\x64\x6c\x73\x67\x49\x53\x56\x69\x50\x43\x58\x58\x43\x30\x61\x74\x6c\x4e\x6b\x47\x74\x6f\x4d\x67\x53\x51\x64"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 188
Aug 30 08:34:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\unittests\sshkey\testdata\ecdsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
492
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:06.130 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:11:55.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x61\x41\x41\x41\x41\x42\x4e\x6c\x59\x32\x52\x7a\x59\x53\x0a\x31\x7a\x61\x47\x45\x79\x4c\x57\x35\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 189
Aug 30 08:34:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\unittests\sshkey\testdata\ecdsa_sk1
EXT:
TYPE:
Certificate PEM
SIZE:
849
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:06.131 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:12:16.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 190
Aug 30 08:34:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\unittests\sshkey\testdata\ecdsa_sk2
EXT:
TYPE:
Certificate PEM
SIZE:
849
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:06.133 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:13:14.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 191
Aug 30 08:34:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\unittests\sshkey\testdata\ed25519_1
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:06.134 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:13:47.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 192
Aug 30 08:34:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\unittests\sshkey\testdata\ed25519_2
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:06.137 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:14:42.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 193
Aug 30 08:34:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\unittests\sshkey\testdata\ed25519_sk1
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:06.146 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:15:14.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 194
Aug 30 08:34:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\unittests\sshkey\testdata\ed25519_sk2
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:06.149 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:16:20.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 195
Aug 30 08:34:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\unittests\sshkey\testdata\rsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Fri Aug 30 07:33:06.150 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:17:05.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 196
Aug 30 08:34:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\unittests\sshkey\testdata\rsa_1_sha1
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Fri Aug 30 07:33:06.153 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:18:14.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 197
Aug 30 08:34:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\unittests\sshkey\testdata\rsa_1_sha512
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Fri Aug 30 07:33:06.154 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:18:40.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 198
Aug 30 08:34:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\unittests\sshkey\testdata\rsa_2
EXT:
TYPE:
Certificate PEM
SIZE:
1679
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Fri Aug 30 07:33:06.156 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:19:10.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x45\x70\x41\x49\x42\x41\x41\x4b\x43\x41\x51\x45\x41\x39\x4e\x45\x55\x58\x70\x37\x38\x53\x41\x6b\x6d\x4c\x34\x2b\x65\x41\x6a\x34\x6d\x42\x7a\x50\x4f\x6a\x6b\x2b\x63\x63\x43\x50\x56\x7a\x6b\x54\x52\x2b"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 199
Aug 30 08:34:24 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\unittests\sshkey\testdata\rsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
1020
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:06.158 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:20:03.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x6c\x77\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x63\x6e\x0a\x4e\x68\x41\x41\x41\x41\x41\x77\x45\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 200
Aug 30 08:34:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\unittests\sshsig\testdata\ecdsa
EXT:
TYPE:
Certificate PEM
SIZE:
227
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
CREATED:
Fri Aug 30 07:33:06.161 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:20:51.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x48\x63\x43\x41\x51\x45\x45\x49\x46\x67\x30\x5a\x43\x53\x45\x42\x35\x4c\x4e\x65\x4c\x73\x58\x59\x4c\x32\x35\x67\x33\x6b\x71\x45\x57\x73\x71\x68\x35\x32\x44\x52\x2b\x79\x4e\x4f\x6a\x79\x51\x4a\x71\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 201
Aug 30 08:34:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\unittests\sshsig\testdata\ecdsa_sk
EXT:
TYPE:
Certificate PEM
SIZE:
837
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:06.162 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:21:09.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 202
Aug 30 08:34:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\unittests\sshsig\testdata\ed25519
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:06.166 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:21:45.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 203
Aug 30 08:34:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\unittests\sshsig\testdata\ed25519_sk
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:06.167 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:22:04.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 204
Aug 30 08:34:25 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.5p1\regress\unittests\sshsig\testdata\rsa
EXT:
TYPE:
Certificate PEM
SIZE:
2455
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Fri Aug 30 07:33:06.169 2024
MODIFIED:
Tue Mar 2 10:31:47.000 2021
ACCESSED:
Tue May 14 16:22:29.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x47\x34\x77\x49\x42\x41\x41\x4b\x43\x41\x59\x45\x41\x33\x38\x36\x6c\x6d\x6a\x52\x48\x74\x4a\x70\x79\x6a\x38\x37\x42\x72\x53\x2b\x73\x73\x4d\x6d\x74\x76\x63\x2f\x31\x53\x50\x4e\x30\x67\x58\x54\x50\x73"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 205
Aug 30 08:34:27 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\ed25519_openssh.prv
EXT:
.prv
TYPE:
Certificate PEM
SIZE:
419
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:07.473 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:18:06.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 206
Aug 30 08:34:28 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\rsa_openssh.prv
EXT:
.prv
TYPE:
Certificate PEM
SIZE:
883
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Fri Aug 30 07:33:07.565 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:13:26.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x57\x67\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x73\x69\x6c\x77\x4b\x63\x61\x4b\x4e\x36\x77\x53\x4d\x4e\x64\x31\x57\x67\x51\x39\x2b\x48\x52\x71\x51\x45\x6b\x44\x30\x6b\x43\x54\x56\x74\x74\x72\x61\x7a"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 207
Aug 30 08:34:28 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_dsa
EXT:
TYPE:
Certificate PEM
SIZE:
1361
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:07.518 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:24:05.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x42\x73\x67\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x5a\x48\x0a\x4e\x7a\x41\x41\x41\x41\x67\x51\x43\x73"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 208
Aug 30 08:34:28 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_ecdsa
EXT:
TYPE:
Certificate PEM
SIZE:
492
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:07.520 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:24:25.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x61\x41\x41\x41\x41\x42\x4e\x6c\x59\x32\x52\x7a\x59\x53\x0a\x31\x7a\x61\x47\x45\x79\x4c\x57\x35\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 209
Aug 30 08:34:28 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_ecdsa_sk
EXT:
TYPE:
Certificate PEM
SIZE:
858
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:07.522 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:24:49.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 210
Aug 30 08:34:28 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_ed25519
EXT:
TYPE:
Certificate PEM
SIZE:
387
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:07.524 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:25:23.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 211
Aug 30 08:34:28 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_ed25519_sk
EXT:
TYPE:
Certificate PEM
SIZE:
496
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:07.525 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:25:49.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 212
Aug 30 08:34:28 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\misc\fuzz-harness\testdata\id_rsa
EXT:
TYPE:
Certificate PEM
SIZE:
1799
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:07.527 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:26:10.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x42\x46\x77\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x63\x6e\x0a\x4e\x68\x41\x41\x41\x41\x41\x77\x45\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 213
Aug 30 08:34:29 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\unittests\sshkey\testdata\dsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
672
FIRSTBYTES:
2d2d2d2d2d424547494e20445341205052495641 / -----BEGIN DSA PRIVA
CREATED:
Fri Aug 30 07:33:07.987 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:15:29.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x44\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x42\x76\x41\x49\x42\x41\x41\x4b\x42\x67\x51" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x44\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x42\x76\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x36\x6b\x75\x74\x4e\x46\x52\x73\x48\x54\x77\x45\x41\x76\x36\x64\x33\x39\x4c\x68\x73\x71\x79\x31\x61\x70\x64\x48\x42\x5a\x39\x63\x32\x48\x66\x79\x52\x72\x37\x57\x6d\x79\x70\x79\x47\x49\x79\x32\x6d"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 214
Aug 30 08:34:29 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\unittests\sshkey\testdata\dsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
1361
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:07.994 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:17:10.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x42\x73\x77\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x5a\x48\x0a\x4e\x7a\x41\x41\x41\x41\x67\x51\x44\x36"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 215
Aug 30 08:34:29 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\unittests\sshkey\testdata\ecdsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
227
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
CREATED:
Fri Aug 30 07:33:07.995 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:17:25.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x48\x63\x43\x41\x51\x45\x45\x49\x50\x50\x4e\x79\x55\x41\x6e\x6a\x76\x46\x72\x2b\x65\x54\x2f\x37\x74\x2f\x49\x79\x6a\x75\x51\x51\x64\x2f\x61\x4c\x46\x69\x54\x59\x39\x32\x4c\x42\x39\x67\x49\x6a\x79\x72"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 216
Aug 30 08:34:29 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\unittests\sshkey\testdata\ecdsa_2
EXT:
TYPE:
Certificate PEM
SIZE:
365
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
CREATED:
Fri Aug 30 07:33:07.902 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:18:58.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x48\x63\x41\x67\x45\x42\x42\x45\x49\x42\x71\x42\x74\x4e\x37\x65\x36\x45\x73\x73\x64\x33\x64\x6c\x73\x67\x49\x53\x56\x69\x50\x43\x58\x58\x43\x30\x61\x74\x6c\x4e\x6b\x47\x74\x6f\x4d\x67\x53\x51\x64"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 217
Aug 30 08:34:29 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\unittests\sshkey\testdata\ecdsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
492
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:07.920 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:19:58.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x61\x41\x41\x41\x41\x42\x4e\x6c\x59\x32\x52\x7a\x59\x53\x0a\x31\x7a\x61\x47\x45\x79\x4c\x57\x35\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 218
Aug 30 08:34:29 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\unittests\sshkey\testdata\ecdsa_sk1
EXT:
TYPE:
Certificate PEM
SIZE:
849
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:07.921 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:20:16.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 219
Aug 30 08:34:29 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\unittests\sshkey\testdata\ecdsa_sk2
EXT:
TYPE:
Certificate PEM
SIZE:
849
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:07.929 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:21:18.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 220
Aug 30 08:34:29 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\unittests\sshkey\testdata\ed25519_1
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:07.933 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:21:48.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 221
Aug 30 08:34:29 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\unittests\sshkey\testdata\ed25519_2
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:07.939 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:22:36.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 222
Aug 30 08:34:29 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\unittests\sshkey\testdata\ed25519_sk1
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:07.942 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:23:06.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 223
Aug 30 08:34:29 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\unittests\sshkey\testdata\ed25519_sk2
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:07.946 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:23:57.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 224
Aug 30 08:34:29 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\unittests\sshkey\testdata\rsa_1
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Fri Aug 30 07:33:07.948 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:24:26.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 225
Aug 30 08:34:30 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\unittests\sshkey\testdata\rsa_1_sha1
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Fri Aug 30 07:33:07.976 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:25:48.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 226
Aug 30 08:34:30 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\unittests\sshkey\testdata\rsa_1_sha512
EXT:
TYPE:
Certificate PEM
SIZE:
887
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Fri Aug 30 07:33:07.979 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:26:23.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x58\x41\x49\x42\x41\x41\x4b\x42\x67\x51\x44\x4c\x56\x35\x6c\x55\x54\x74\x37\x46\x72\x41\x44\x73\x65\x42\x2f\x43\x47\x68\x45\x5a\x7a\x70\x6f\x6f\x6a\x6a\x45\x57\x35\x79\x38\x2b\x65\x50\x76\x4c\x70"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 227
Aug 30 08:34:30 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\unittests\sshkey\testdata\rsa_2
EXT:
TYPE:
Certificate PEM
SIZE:
1679
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Fri Aug 30 07:33:07.981 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:26:50.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x45\x70\x41\x49\x42\x41\x41\x4b\x43\x41\x51\x45\x41\x39\x4e\x45\x55\x58\x70\x37\x38\x53\x41\x6b\x6d\x4c\x34\x2b\x65\x41\x6a\x34\x6d\x42\x7a\x50\x4f\x6a\x6b\x2b\x63\x63\x43\x50\x56\x7a\x6b\x54\x52\x2b"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 228
Aug 30 08:34:30 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\unittests\sshkey\testdata\rsa_n
EXT:
TYPE:
Certificate PEM
SIZE:
1020
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:07.986 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:11:10.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x6c\x77\x41\x41\x41\x41\x64\x7a\x63\x32\x67\x74\x63\x6e\x0a\x4e\x68\x41\x41\x41\x41\x41\x77\x45\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 229
Aug 30 08:34:30 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\unittests\sshsig\testdata\ecdsa
EXT:
TYPE:
Certificate PEM
SIZE:
227
FIRSTBYTES:
2d2d2d2d2d424547494e20454320505249564154 / -----BEGIN EC PRIVAT
CREATED:
Fri Aug 30 07:33:08.003 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:12:17.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x45\x43\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x48\x63\x43\x41\x51\x45\x45\x49\x46\x67\x30\x5a\x43\x53\x45\x42\x35\x4c\x4e\x65\x4c\x73\x58\x59\x4c\x32\x35\x67\x33\x6b\x71\x45\x57\x73\x71\x68\x35\x32\x44\x52\x2b\x79\x4e\x4f\x6a\x79\x51\x4a\x71\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 230
Aug 30 08:34:30 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\unittests\sshsig\testdata\ecdsa_sk
EXT:
TYPE:
Certificate PEM
SIZE:
837
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:08.013 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:12:39.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x66\x77\x41\x41\x41\x43\x4a\x7a\x61\x79\x31\x6c\x59\x32\x0a\x52\x7a\x59\x53\x31\x7a\x61\x47\x45\x79"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 231
Aug 30 08:34:30 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\unittests\sshsig\testdata\ed25519
EXT:
TYPE:
Certificate PEM
SIZE:
411
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:08.033 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:13:13.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x4d\x77\x41\x41\x41\x41\x74\x7a\x63\x32\x67\x74\x5a\x57\x0a\x51\x79\x4e\x54\x55\x78\x4f\x51\x41\x41"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 232
Aug 30 08:34:30 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\unittests\sshsig\testdata\ed25519_sk
EXT:
TYPE:
Certificate PEM
SIZE:
484
FIRSTBYTES:
2d2d2d2d2d424547494e204f50454e5353482050 / -----BEGIN OPENSSH P
CREATED:
Fri Aug 30 07:33:08.035 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:13:41.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x4f\x50\x45\x4e\x53\x53\x48\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x62\x33\x42\x6c\x62\x6e\x4e\x7a\x61\x43\x31\x72\x5a\x58\x6b\x74\x64\x6a\x45\x41\x41\x41\x41\x41\x42\x47\x35\x76\x62\x6d\x55\x41\x41\x41\x41\x45\x62\x6d\x39\x75\x5a\x51\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x41\x41\x41\x41\x53\x67\x41\x41\x41\x42\x70\x7a\x61\x79\x31\x7a\x63\x32\x0a\x67\x74\x5a\x57\x51\x79\x4e\x54\x55\x78"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 233
Aug 30 08:34:30 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Filescan
MESSAGE:
Suspicious file found
SCORE:
45
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\root\openssh-8.8p1\regress\unittests\sshsig\testdata\rsa
EXT:
TYPE:
Certificate PEM
SIZE:
2455
FIRSTBYTES:
2d2d2d2d2d424547494e20525341205052495641 / -----BEGIN RSA PRIVA
CREATED:
Fri Aug 30 07:33:08.038 2024
MODIFIED:
Sun Sep 26 14:03:19.000 2021
ACCESSED:
Tue May 14 16:14:16.000 2024
PERMISSIONS:
BUILTIN\Administrators:F / BUILTIN\Users:R / NT AUTHORITY\SYSTEM:F
OWNER:
BUILTIN\Administrators
REASON_1:
YARA rule EXT_VULN_Unencrypted_SSH_Private_Key / Detects unencrypted SSH private keys with DSA, RSA, ECDSA and ED25519 of openssh or Putty
SUBSCORE_1:
45
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49" at 0x0 in
    "\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x52\x53\x41\x20\x50\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x47\x34\x77\x49\x42\x41\x41\x4b\x43\x41\x59\x45\x41\x33\x38\x36\x6c\x6d\x6a\x52\x48\x74\x4a\x70\x79\x6a\x38\x37\x42\x72\x53\x2b\x73\x73\x4d\x6d\x74\x76\x63\x2f\x31\x53\x50\x4e\x30\x67\x58\x54\x50\x73"
RULEDATE_1:
2023-01-06
TAGS_1:
EXTVAR, T1021_004, T1552_004, T1572, VENDOR
AUTHOR_1:
Arnim Rupp
REASONS_COUNT:
1
Notice 234
Aug 30 08:34:58 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
2022.03.22 07:09:28.805 2253 INF CreateUrlMatcher: { applyToWholeDomainForEach: 0, masks: clients2.google.com, clients2.googleusercontent.com, ds.kaspersky.com, web.ucp.kaspersky.com, backend.ucp.kaspersky.com, rnd-infrastructure.ucp.kaspersky.com, management.azure.ucp.kaspersky.com, dis.azure.ucp.kaspersky.com, ns-dis.azure.ucp.kaspersky.com, test-activation.azure.ucp.kaspersky.com, activation.azure.ucp.kaspersky.com, uisucp.kaspersky.com, rdp.azure.ucp.kaspersky.com, svcuisucpit, monitoring.backend.it.ucp.kaspersky.com, backup.backend.it.ucp.kaspersky.com, logging.azure.ucp.kaspersky.com, services.ucp.kaspersky-labs.com, tpis.monitoring.azure.ucp.kaspersky.com, bis.monitoring.azure.ucp.kaspersky.com, korm.client.ucp.kaspersky-labs.com, pdc.client.ucp.kaspersky-labs.com, center.kaspersky-labs.com, *ucp-ntfy.kaspersky-labs.com, uis.kaspersky.com, register-account.kaspersky-labs.com, special.s.kaspersky-labs.com, ipm-klca.kaspersky.com, ksn-cp.kaspers[...]om, autoupdate.opera.com, kdc.uas.aol.com, secure.logmein.com, *.evernote.com, *.filezilla-project.org, gfe.nvi[...]ki.or.jp, upload*.mixcloud.com, certificado.sso.acesso.gov.br, sog-vault.avp.ru, vdi.kaspersky.com, *.tomtom.com, *.g*, *.googleapis.com, meetings.clients6.google.com, *, cloud.radar.imgsmail.ru, *.y*, *.y*, *, *, *mega*.nz, *.elster.de, *.de, *.starfinanz.de, *dropbox*.com, *dropbox*.com, *.surfeasy.*, *.opera-proxy.*, *.sec-tunnel.com, *, *, *, *.adobe.com, get.adobe.com, platformdl.adobe.com, fpdownload.adobe.com, *.branch.io, *.itau.com.br, gfwsl.geforce.com, gfwsl.geforce.com, www.autentapp.de, edge.activity.windows.com, activity.windows.com, enterprise.activity.windows.com, edge-enterprise.activity.windows.com, *.autodesk.com, mnsews.infocamere.it, webtelemaco.infocamere.it, r.manage.microsoft.com, *, *.*.*, *mail.ru, *.ya*, *.ya*, *.dropbox.com, *.de, gil.apple.com, *-keyvalueservice.icloud.com, *-setup.icloud.com, gateway.icloud.com, www.apple.com, *.mzstatic.com, api.apps.apple.com, bag.itunes.apple.com, *.push.apple.com, itunes.apple.com }
SCORE:
50
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\var\log\kaspersky\kesl\kesl.1040.2022-03-22T100924.log
LOG_MODIFIED:
Tue Mar 22 07:12:53 2022
LOG_ACCESSED:
Tue May 14 16:28:42 2024
LOG_CREATED:
Thu Aug 29 15:29:28 2024
REASON_1:
YARA rule yara_c2_logmein_com / Suspicious Domain Name / FQDN used by Remote Access Software 2023-09-16 https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md (SUSPICIOUS, REMOTE_CONTROL)
SUBSCORE_1:
50
REF_1:
not set
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • logmein.com
RULENAME_1:
yara_c2_logmein_com
AUTHOR_1:
unknown
REASONS_COUNT:
1
FILE_1:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\var\log\kaspersky\kesl\kesl.1040.2022-03-22T100924.log
EXISTS_1:
yes
TYPE_1:
UNKNOWN
SIZE_1:
6955786
FIRSTBYTES_1:
4156502054524143452046494c45092020555443 / AVP TRACE FILE UTC
CREATED_1:
Thu Aug 29 15:29:28.919 2024
OWNER_1:
BUILTIN\Administrators
Notice 235
Aug 30 08:35:01 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
10.16.6.250 - - [06/May/2024:11:56:51 +0300] "GET /autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com HTTP/1.1" 403 199 "-" "-"
SCORE:
50
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\var\var\httpd\access_log
LOG_MODIFIED:
Tue May 7 07:55:38 2024
LOG_ACCESSED:
Tue May 14 16:36:08 2024
LOG_CREATED:
Fri Aug 30 07:36:47 2024
REASON_1:
YARA rule LOG_EXPL_Exchange_ProxyShell_Attempt_Aug21_1 / Detects ProxyShell exploitation attempts in log files
SUBSCORE_1:
50
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • /autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@
RULEDATE_1:
2021-08-09
TAGS_1:
EXPLOIT, LOG
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
Notice 236
Aug 30 08:35:02 WIN-LRTT94FA08M/10.100.5.12
MODULE:
LogScan
MESSAGE:
Notable Log Entry found
ENTRY:
10.16.6.250 - - [07/May/2024:10:31:56 +0300] "GET /autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com HTTP/1.1" 403 199 "-" "-"
SCORE:
50
FILE:
D:\CASES\Irkut\msk1-cas-1\msk1-cas-1\export_from_image\var\var\httpd\access_log
LOG_MODIFIED:
Tue May 7 07:55:38 2024
LOG_ACCESSED:
Tue May 14 16:36:08 2024
LOG_CREATED:
Fri Aug 30 07:36:47 2024
REASON_1:
YARA rule LOG_EXPL_Exchange_ProxyShell_Attempt_Aug21_1 / Detects ProxyShell exploitation attempts in log files
SUBSCORE_1:
50
SIGTYPE_1:
internal
SIGCLASS_1:
YARA Rule
MATCHED_1
  • /autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@
RULEDATE_1:
2021-08-09
TAGS_1:
EXPLOIT, LOG
AUTHOR_1:
Florian Roth
REASONS_COUNT:
1
Notice 237
Aug 30 08:35:02 WIN-LRTT94FA08M/10.100.5.12
MODULE:
Report
MESSAGE:
Thor Scan finished
END_TIME:
Fri Aug 30 08:35:02 2024
ALERTS:
9
WARNINGS:
8
NOTICES:
236
ERRORS:
0