This rule matches p0o6543f.exe, the executable dropped by the malicious Word and Excel attachments of the 2 December 2015 "Purchase Order 124658" phishing wave documented at the reference URL below. It is a file-content signature, not a behavioural detection: it fires on any PE under 250 KB that contains all nine listed strings, whatever the file is called. SOC teams can run it against mail attachments, endpoint file systems and sandbox output to find the dropped payload early, before a single phished user turns into a wider network compromise.
YARA Rule
rule PHISH_02Dez2015_dropped_p0o6543f {
    meta:
        description = "Phishing Wave - file p0o6543f.exe"
        author = "Florian Roth"
        reference = "http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-excel-xls-spreadsheet-malware/"
        date = "2015-12-02"
        hash = "db788d6d3a8ed1a6dc9626852587f475e7671e12fa9c9faa73b7277886f1e210"
    strings:
        $s1 = "netsh.exe" fullword wide
        $s2 = "routemon.exe" fullword wide
        $s3 = "script=" fullword wide /* Goodware String - occured 4 times */
        $s4 = "disconnect" fullword wide /* Goodware String - occured 14 times */
        $s5 = "GetClusterResourceTypeKey" fullword ascii /* Goodware String - occured 17 times */
        $s6 = "QueryInformationJobObject" fullword ascii /* Goodware String - occured 34 times */
        $s7 = "interface" fullword wide /* Goodware String - occured 52 times */
        $s8 = "connect" fullword wide /* Goodware String - occured 61 times */
        $s9 = "FreeConsole" fullword ascii /* Goodware String - occured 91 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 250KB and all of them
}
The condition is deliberately narrow: the file must start with an MZ header (uint16(0) == 0x5a4d), be smaller than 250 KB, and contain all nine strings. Two of them, netsh.exe and routemon.exe, carry most of the signal; the other seven are marked in the rule's own comments as strings that also occur in goodware, and only their conjunction with the first two makes the rule specific. The fullword modifier matters here: "connect" ($s8) does not match inside "disconnect" ($s4) or "connection", so a file needs the standalone word. Because the match is on bytes rather than on a filename or a process event, the rule can be applied anywhere YARA scans file content: mail-gateway attachment scanning, endpoint or EDR file scans, sandbox output, and retro-hunting over sample repositories.
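The following is an added example, not code from the original page, from Florian Roth's rule set or from the YARA project. It re-implements this rule's condition in plain Python so the match criteria (MZ header, size limit, and the fullword/wide string semantics) can be exercised without a yara install; all sample buffers are constructed test data, not real malware.

```python
"""Plain-Python reference for the PHISH_02Dez2015_dropped_p0o6543f condition.

Added example (not from the original page, Florian Roth's rule set or the YARA
project). It re-implements the three parts of the condition: MZ header,
filesize < 250KB, and all nine strings with YARA's 'fullword' and 'wide'
semantics. All sample buffers below are constructed test data, not real malware.
"""
import string

# Bytes YARA's fullword check treats as "part of a word" (C isalnum on ASCII).
ASCII_ALNUM = set(string.ascii_letters.encode() + string.digits.encode())

# The nine strings and their modifier, copied from the rule.
RULE_STRINGS = {
    "$s1": ("netsh.exe", "wide"),
    "$s2": ("routemon.exe", "wide"),
    "$s3": ("script=", "wide"),
    "$s4": ("disconnect", "wide"),
    "$s5": ("GetClusterResourceTypeKey", "ascii"),
    "$s6": ("QueryInformationJobObject", "ascii"),
    "$s7": ("interface", "wide"),
    "$s8": ("connect", "wide"),
    "$s9": ("FreeConsole", "ascii"),
}
MAX_SIZE = 250 * 1024  # YARA's KB suffix means 1024 bytes


def encode(text, mode):
    # 'wide' in YARA means UTF-16LE: each ASCII character followed by a NUL byte.
    return text.encode("utf-16-le") if mode == "wide" else text.encode("ascii")


def _is_word_char(chunk, mode):
    # One character in the string's own encoding: for wide an alphanumeric
    # byte followed by NUL, for ascii a single alphanumeric byte.
    if mode == "wide":
        return len(chunk) == 2 and chunk[0] in ASCII_ALNUM and chunk[1] == 0
    return len(chunk) == 1 and chunk[0] in ASCII_ALNUM


def fullword_match(data, text, mode):
    """True if the string occurs at least once with non-word characters on both sides."""
    pattern = encode(text, mode)
    step = 2 if mode == "wide" else 1
    start = 0
    while (idx := data.find(pattern, start)) != -1:
        before = data[idx - step:idx] if idx >= step else b""
        after = data[idx + len(pattern):idx + len(pattern) + step]
        if not _is_word_char(before, mode) and not _is_word_char(after, mode):
            return True
        start = idx + 1  # this occurrence sits inside a longer word; keep looking
    return False


def match_rule(data):
    """Evaluate the rule. Returns (matched, {string_id: found})."""
    hits = {sid: fullword_match(data, text, mode)
            for sid, (text, mode) in RULE_STRINGS.items()}
    is_pe = data[:2] == b"MZ"  # uint16(0) == 0x5a4d read little-endian
    matched = is_pe and len(data) < MAX_SIZE and all(hits.values())
    return matched, hits


def build_sample(string_ids, padding=0):
    # Constructed buffer: fake MZ stub, then each requested string separated by
    # two NUL bytes so that it sits on clean word boundaries.
    body = b"MZ" + b"\x90" * 62
    for sid, (text, mode) in RULE_STRINGS.items():
        if sid in string_ids:
            body += b"\x00\x00" + encode(text, mode) + b"\x00\x00"
    return body + b"\x00" * padding


SAMPLE_FULL = build_sample(RULE_STRINGS.keys())
# Drops the standalone "connect"; the "connect" inside "disconnect" must not
# count because of fullword, so $s8 stays unmatched and the rule fails.
SAMPLE_NO_CONNECT = build_sample(set(RULE_STRINGS) - {"$s8"})
SAMPLE_OVERSIZED = build_sample(RULE_STRINGS.keys(), padding=MAX_SIZE)
SAMPLE_NOT_PE = b"PK" + SAMPLE_FULL[2:]

if __name__ == "__main__":
    for name, buf in [("full", SAMPLE_FULL), ("no_connect", SAMPLE_NO_CONNECT),
                      ("oversized", SAMPLE_OVERSIZED), ("not_pe", SAMPLE_NOT_PE)]:
        matched, hits = match_rule(buf)
        missing = [sid for sid, ok in hits.items() if not ok]
        print(f"{name:10s} matched={matched} missing={missing}")
```

Running the script shows that only SAMPLE_FULL matches; the no_connect buffer reports $s8 missing even though "disconnect" is present, which is exactly the boundary the fullword modifier enforces. For real scanning use the yara binary or yara-python; this reference exists to make the condition legible, not to replace them.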
Scenario: Legitimate Software Update
Description: A software update or configuration package ships a small helper binary that drives the Windows network stack through netsh.exe and routemon.exe and therefore carries all nine strings. The filename is irrelevant to the match: the rule never looks at the name p0o6543f.exe, only at the file's bytes, so a benign file with that name will not fire and a renamed payload still will.
Filter/Exclusion: Exclude by identity of the content, not by location. Allowlist the SHA-256 of the reviewed binary, or exclude files whose Authenticode signature validates to a trusted vendor. Do not exclude by path such as C:\Windows\Temp\ or C:\Users\...\AppData\; those directories are writable by standard users and are exactly where a phishing dropper writes its payload. A path-based exclusion for C:\Program Files\ is acceptable only because standard users cannot write there, and it should still be paired with a hash or signer check.
Scenario: Scheduled System Maintenance Task
Description: A scheduled task runs a maintenance executable whose contents match the rule.
Filter/Exclusion: Running under Task Scheduler as SYSTEM or LocalService is not evidence of legitimacy; malware persists through scheduled tasks as well. Before excluding, confirm the task's action path, the binary's hash and its signer, then allowlist that hash. Keep the hit in the hunt queue if the task was created recently or by an interactive user.
Scenario: Admin Tool for Network Configuration
Description: A network administrator runs a small in-house or vendor utility that wraps netsh.exe for interface and route configuration, which is the most plausible benign source of the two high-signal strings.
Filter/Exclusion: Allowlist by hash or validated signer, and look at the process tree rather than the file name: a tool launched by an administrator from its install directory is benign; a binary written or launched by WINWORD.EXE or EXCEL.EXE from a user's temp folder is the Office-attachment chain this rule targets and should be escalated regardless of what it is called.
Scenario: User-Initiated File Download
Description: A developer pulls a build from an internal file share (e.g., \\fileserver\dev\) into a development environment and the build matches the rule.
Filter/Exclusion: An internal share as origin is a priority hint, not proof: shares are a common lateral-movement path. Treat membership in a Developers group the same way. Review the file once, then allowlist its hash so that the same build is suppressed everywhere and a different file with the same name is not.
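The exclusion logic the scenarios above describe, written out as an added example that is not part of the original page. The Hit records are constructed to resemble what an EDR or a recursive yara sweep hands to an analyst; the signer field is assumed to be filled in by a separate Authenticode check (for example Get-AuthenticodeSignature on the host), and the allowlists, signer names and paths are hypothetical.

```python
"""Triage of PHISH_02Dez2015_dropped_p0o6543f hits by content identity.

Added example, not from the original page. Hit records are constructed; the
'signer' field is assumed to come from a separate Authenticode validation step
that is outside this snippet. Allowlists and signer names are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional

# SHA-256 of the original dropped p0o6543f.exe, from the rule's meta block.
KNOWN_SAMPLE = "db788d6d3a8ed1a6dc9626852587f475e7671e12fa9c9faa73b7277886f1e210"

# Hypothetical allowlist: hashes of binaries already reviewed as benign.
ALLOWLISTED_SHA256 = {"11" * 32}
# Hypothetical signer subject names accepted after chain validation.
TRUSTED_SIGNERS = {"Microsoft Windows", "Example Vendor Ltd"}
# Locations a standard user can write to; a hit here is a phishing-drop
# indicator, never a reason to exclude.
USER_WRITABLE_PREFIXES = ("c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\")
# Parent processes that mark the Office-attachment chain this rule targets.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}


@dataclass
class Hit:
    path: str
    sha256: str
    signer: Optional[str]   # None when unsigned or the signature failed validation
    parent: Optional[str]   # image name of the process that wrote or launched it


def triage(hit: Hit):
    """Return (verdict, reason); verdict is escalate, suppress or review."""
    sha = hit.sha256.lower()
    if sha == KNOWN_SAMPLE:
        return "escalate", "hash matches the dropped p0o6543f.exe sample"
    if sha in ALLOWLISTED_SHA256:
        return "suppress", "hash allowlisted after review"
    if hit.parent and hit.parent.lower() in OFFICE_PARENTS:
        return "escalate", "written or launched by an Office process"
    if hit.path.lower().startswith(USER_WRITABLE_PREFIXES):
        return "escalate", "lives in a user-writable directory"
    if hit.signer in TRUSTED_SIGNERS:
        return "suppress", "valid signature from a trusted signer"
    return "review", "unsigned and not allowlisted; confirm by hash before excluding"


# Constructed hits exercising each branch.
HITS = [
    Hit(r"C:\Users\alice\AppData\Local\Temp\p0o6543f.exe", KNOWN_SAMPLE, None, "WINWORD.EXE"),
    Hit(r"C:\Windows\Temp\p0o6543f.exe", "aa" * 32, None, "svchost.exe"),
    Hit(r"C:\Program Files\NetTool\netcfg.exe", "11" * 32, "Example Vendor Ltd", "explorer.exe"),
    Hit(r"C:\Program Files\Vendor\routehelper.exe", "bb" * 32, "Microsoft Windows", None),
    Hit(r"D:\builds\p0o6543f.exe", "cc" * 32, None, "explorer.exe"),
]


def triage_all(hits):
    return {h.path: triage(h)[0] for h in hits}


if __name__ == "__main__":
    for h in HITS:
        verdict, reason = triage(h)
        print(f"{verdict:8s} {h.path}  ({reason})")
```

The order of the checks is the point: hash identity is decided first, the Office parent and user-writable location escalate before any signer is consulted, and nothing keys on the filename, so the second hit (a p0o6543f.exe in C:\Windows\Temp\) is escalated even though the original scenario text would have excluded it by path.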
Scenario: Third-Party Application Integration
*Description