APT_MAL_ASP_DLL_HAFNIUM_Mar21_1

Rule Info

Name: APT_MAL_ASP_DLL_HAFNIUM_Mar21_1
Author: Florian Roth
Description: Detects HAFNIUM compiled ASP.NET DLLs dropped on compromised servers
Score: 65
Date: 2021-03-05
Minimum Yara: 1.7
Rule Hash: acba155aa003f9407d91f93955bf4e4f
Tags: G0125, FILE, DEMO, APT, EXE, MAL
Required Modules: none

Antivirus Verdicts

Rating                      Number of Samples
Malicious (>= 10 engines)   10
Suspicious (< 10 engines)   21
Clean (0 engines)           1

Rule Matches

Rule Matches per Month (last 24 months)