APT_MAL_ASP_DLL_HAFNIUM_Mar21_1

Rule Info

Name
APT_MAL_ASP_DLL_HAFNIUM_Mar21_1
Minimum Yara
1.7
Date
2021-03-05
Description
Detects HAFNIUM compiled ASP.NET DLLs dropped on compromised servers
Reference
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Author
Florian Roth
Rule Hash
acba155aa003f9407d91f93955bf4e4f
Tags
['FILE', 'G0125', 'MAL', 'DEMO', 'APT', 'EXE']
Score
65
Required Modules
[]
Virustotal Matches
https://www.virustotal.com/gui/search/apt_mal_asp_dll_hafnium_mar21_1/comments
Community Rule
https://github.com/Neo23x0/signature-base/search?q=APT_MAL_ASP_DLL_HAFNIUM_Mar21_1

Antivirus Verdicts

Rating
Number of Samples
Malicious (>= 10 engines)
9
Suspicious (< 10 engines)
19
Clean (0 engines)
1

Rule Matches

Hash
Timestamp
Total
Positives
VT
daddb85aec5a8407eb08725a4fb2a5960b2a816ba311675319678460f980f143
2022-12-05 02:54:56
60
7
ea1a6496003eaf5b020d855d14757757c788049b2e2c800d806c4eb371f9567b
2022-09-26 22:07:28
61
5
3810b60b1854f3fcfeb2dae1c81a834fb6233e6cd78c391f3e1bfa5f6b7b3746
2022-09-23 01:50:11
61
2
67d515303fbec23f54577636f46eda5294202c656b9d9dc4944d32d2d90c9913
2022-09-22 08:04:00
60
4
8b75c0863ee502cf2ccdb5dea8e17147430e550e2214d9582562cd011f9d5946
2021-07-30 16:10:12
69
31
5640a9b44615f13b2bed8f5d595d8497b43c9e612c3b8da9f9514b0f024d086e
2021-07-27 04:16:14
69
29
aae22f41c418f6f3e91a5485ff02ed233e7b8a4c57df988a6030f33f11418171
2021-07-27 03:11:58
69
24
b90454ced1a27220378450909fc1f2d15faaa7d1fd9f6c5dd7ab715802ff29d8
2021-07-27 02:49:43
69
25
ad73b5e677b9d9b572da6727d46983d2dca6758ecff415c9ebdf9cac9e03e44b
2021-07-26 21:16:11
69
28
33def971d58f494c6db05d2ccbfef25782ca19fd8c7cdd8123334191fbe4ddc6
2021-07-26 21:14:38
69
28
294846fa6462a0d26c9dc459060281368d8e899c367dd507c21f13cb5014050c
2021-04-01 15:37:04
65
17
4d1e58a7abb5bd66c793dbc0228c22bd193f76ce8f96608ad7ef7f9e990ce4f6
2021-03-20 01:35:24
67
5
df4893ab77bfe697e2f77b2a9173e182ea8557fc6761d36c97a0aff44d7403c9
2021-03-20 01:32:14
67
5
c90a0e3eb729b11fa8b0399911b809ef66085ac9c211ba4ec27da97e09b11056
2021-03-19 23:46:18
69
14
6d43a3d22bbbb13cca848d0d98433ee2d081d8b45acd9101ce47ee9a00314105
2021-03-18 23:53:49
69
5
fa1670e2de6eb1dfc476c4d7577f98ad3ebee115c053d50a88535da409fec805
2021-03-13 07:46:39
66
18
d6ec34cdc7aa8c6199e3c017798b1c0fcb9c686a3e1d2c2d90683e1d63a6ae46
2021-03-13 05:04:08
66
2
386f988b13e5022e686acd0c0afb88aff26861a3eeb9b093208998dad0242d18
2021-03-10 01:49:27
67
1
37b8dcd89b1fafdbb0de7471fbff599b0db06f55d7069979881189546310982c
2021-03-10 01:05:55
68
1
15744e767cbaa9b37ff7bb5c036dda9b653fc54fc9a96fe73fbd639150b3daa3
2021-03-09 22:21:37
66
1
6243fd2826c528ee329599153355fd00153dee611ca33ec17effcf00205a6e4e
2021-03-09 21:10:07
67
1
52ae4de2e3f0ef7fe27c699cb60d41129a3acd4a62be60accc85d88c296e1ddb
2021-03-09 21:01:38
66
1
d064dcdf0ae16fccd99317f783785004046e75c1df8910ef1d558eb9a60e4c8b
2021-03-09 19:57:19
68
2
f565f533437fbd9ea69b14e777428791ede8afc69b4597ff9a45f0b98c4856ab
2021-03-08 23:38:30
69
1
5b849a58ecc5df580228d588e3e759b398bd4ec0fca594eafc586467e0a4b718
2021-03-08 17:13:03
69
1
f9d4aaa62d7b08bc861b5f6f04343e138a75a1549055b600914aab5d71506a97
2021-03-08 03:18:36
69
1
ebf6799bb86f0da2b05e66a0fe5a9b42df6dac848f4b951b2ed7b7a4866f19ef
2021-03-06 02:14:55
68
1
5f0480035ee23a12302c88be10e54bf3adbcf271a4bb1106d4975a28234d3af8
2021-03-06 01:16:39
68
1
0e501359f22f3eecc7f20951ff127275a95797401b137d4ad5b59069245daaa1
2021-03-05 22:10:37
69
0

Rule Matches per Month (last 24 months)

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022