WEBSHELL_ASPX_Exchange_Encoded_Mailbox_Attachment_Aug21

Rule Info

Name
WEBSHELL_ASPX_Exchange_Encoded_Mailbox_Attachment_Aug21
Author
Max Altgelt
Description
Detects an attachment in Exchange that is an encoded ASPX webshell which might be decoded by saving it as PST
Score
75
Reference
https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
Date
2021-08-09
Modified
2021-08-13
Minimum Yara
1.7
Rule Hash
4898f32e4f973938f3d336f83dd5aa85
Tags
['T1505_003', 'WEBSHELL']
Required Modules
[]
Virustotal Matches
https://www.virustotal.com/gui/search/webshell_aspx_exchange_encoded_mailbox_attachment_aug21/comments

Antivirus Verdicts

Rating
Number of Samples
Malicious (>= 10 engines)
0
Suspicious (< 10 engines)
2
Clean (0 engines)
65

Rule Matches

Timestamp
Positives
Total
Hash
VT
2025-05-08 18:42:42
0
62
3ab4565c5ec7cd124579a82596205b19d402c967732c01be075a954991064ce9
2024-02-24 13:03:23
2
61
f4a60c753c4efed3932590472bd02f59331faeb8c98764a80b196f4a2021fcf8
2023-02-03 11:51:31
0
60
0e8f3491650d4503d6e7db42953b64312abd1170af8eff193435cea8f2310914
2022-07-17 10:27:40
1
58
8445b940e663ad3100e8d9be78a93038aadce14a7c77928970c3a4e4e4a087cb
2022-05-10 08:10:22
0
58
58cd8c114655d4de56269e9e19dc08b88e93bcb6a7cc5269f553776cb6c79fe7
2022-05-09 13:41:03
0
57
abbbf85f88764140cede1e70ec08a12455c1157353c9192c114272b74e28b60d
2022-03-22 03:07:33
0
56
352181a479e48bd753771b73d1b1706cdbdfe32ceb5e143af65a8f1af26dd8e9
2022-03-15 09:42:54
0
54
5d101ca60a42e7363d463f4c6580b362ff7f282e2ea5bde75f67b94719b55785
2022-02-04 16:47:50
0
55
81ef2e86310ea994ab7f5e23a6d6d30a8f0a6b0f3b31a85a343b81a99bd0c856
2022-01-18 18:26:43
0
57
ecd3d632b32a59c4b95e3c636f7e34a0370497fbf37ea947b8e30c122ba3d11e
2022-01-01 01:44:27
0
55
f4825bd3d5aad88851d835e0cac45b84f7bbdaaff303a046f12929211fd5f25a
2021-12-27 07:18:03
0
57
873db36664284c2bf2d86e196767a16c6877d4d5f9a66974baf34a0d08ed9c95
2021-12-08 22:17:59
0
55
7f2a298f612e80f1c231796b81ad3670905c964fafc53e0fb92ad74866632a6c
2021-12-08 12:06:33
0
56
b66e0832f4dcbde4983e39e8a0bdf87c442c420b3d5c70c77e9a3ab787ffdb2c
2021-12-01 05:34:48
0
57
82f07469f469185d6e99850d3baffa7c335db10bf6f1570ddc29938b6594ccf0
2021-11-25 11:44:38
0
56
5d21beb6eca54919b40d9155c833df9ce83094e09dababee7aba3d9b20cf1e78
2021-11-17 18:40:35
0
49
e7bde54660a82638c0e25991a389e67b479a1691cb1dead533b41d347f78ee14
2021-11-08 23:06:59
0
56
8c8e0899579f76eb9aa38a02b97f141649f6760ceb3af1bb80fe1a82d3d82b77
2021-11-08 15:40:59
0
58
30c45b53432e749569cbd5d1634070da325eeec78120423b8be466d9a0cce64c
2021-11-08 09:47:28
0
57
fbdff67eeaae4d5d115d092f64fb0ce58b3fde9fba55b162ae1266320d207518
2021-11-05 13:12:24
0
57
c451c6976072dd3b459740d4cf4fb3534a2583bee242268b63180023c4ba5d62
2021-10-25 19:34:38
0
58
78e81907591547e1d064e2399aa9e1b7fd7551b171a4e2159f62358c2a4160c4
2021-10-22 14:52:34
0
56
26ccead1e1aeaea3dc0d3bdc5f6d23a30d90c107e2e4597a7e83c1493bc65166
2021-10-20 19:14:33
0
57
629bef93b5d8ecc4b3fe5a286d8d3d190fce82967fe9efa2ec66536bcfaaa896
2021-10-20 12:07:12
0
57
4516d0c3be0255498f8ecf38867871d9c00786813445becba80ef1295d28dfe5
2021-10-18 11:09:12
0
57
c821e796f7ca07559597885761b7439bc9c5c44e149109beffac99a776a6fc71
2021-10-14 13:27:11
0
57
fe109b94c1a27e433a8a31b4ac951c85df354643dc7487a19a0c6c8e1f66404a
2021-10-14 12:56:59
0
53
9dac86effab2b9226e4dc4d6d85ad20a2817afe90237f1b7a8ceda29ef9c5a7d
2021-10-13 09:54:21
0
58
48a2b410e058f323e1ceddf13e44650afabebb1181c502c69af6d63d7042bcc4
2021-10-13 09:53:09
0
59
8966d4870fd82ac8cbec6419603fb7a71aa4d72ed9835d850cd49af20de53456
2021-10-12 13:46:00
0
57
52167c1f1af493d4059808f7be12f52589924083d95c077ea4109821cf1d6c2e
2021-10-08 17:48:44
0
57
fc28bf22524574d12e9fa841771fbc8a8fe55212082c0878002e608c997e109d
2021-10-05 13:54:06
0
57
c2f9dbf4029f30497c8b8a2f8b8db49696add4da10d98b94d855510ad5f648fb
2021-10-04 17:41:28
0
58
25c9af1ec8e1804cb5558620617e861283b5fc0a798a643416be6c819bac33d0
2021-10-04 03:41:38
0
58
1de5e04521c3f6619da373632d2d941d0c6663609e4bf9dfa76fc692fb2c03c4
2021-10-04 03:41:38
0
57
431dded9b4aa82dd4b249003dc30fee4a3c08280f51723a2f1484aa198045179
2021-10-01 00:11:06
0
57
eda8cc7f688a7d13389e1c0d1f95566391c35931ae622ea738461a267174311c
2021-09-28 20:40:09
0
58
72b654fe9184e5702a45a96fedff55932ede1cd45c71b05a3ad1e6f3ab4c638a
2021-09-24 15:02:22
0
57
e38a26573f965a25caf0f1e7e1b8497a3a2d8769c6fb662096b6d12873ec6cb0
2021-09-22 13:26:12
0
58
1f5de5bd8e70a96a3fc6af20a5752f2305787a2ecd57e27f3b1e12931a8658c3
2021-09-20 20:41:19
0
58
eb515e89bb2a6553d515a9c79fcb325d0e68723931dd7f97d3de42fd961c9cdd
2021-09-20 10:06:09
0
57
806badaa4f265c7c4552343b40a903ff90a1c405b5660b4f144df8d4faeec1d1
2021-09-16 21:22:57
0
58
9441e173f8161fb0a7bd9219fc4709d87885ec3a56fc223f5d0b46077245c2b0
2021-09-15 16:35:21
0
58
e03f6859fd9ad56645cae2cf03a57f9ca2b7f8e8ab96d1c684d8edc7d277edd4
2021-09-15 12:26:50
0
57
b8f31c21f12e9c7b33a7a8bb78f5a67afc77a2289c08314275a3588215c663c4
2021-09-14 21:21:28
0
57
2c3c8e5b7a6169285c37e9a1f3b4896276267a0f49de2b402c50d693f66d36b3
2021-09-14 15:22:08
0
57
870508e7edfd117aa4ad90a94acf21ada4a84797c4de07b35768f021a4f0f074
2021-09-14 12:07:10
0
58
fe1a967883be0d6537d6b586581bbbea2636c70bf2eb1722c772104089fecea9
2021-09-14 12:05:14
0
58
970fe47c6334d912f0b86cc26c88af93b61ca364712a9eaeb4894696f481306e
2021-09-14 10:16:47
0
58
5efb5e3fd4f74bbefe1ec7a38d73957dc0a83789a1e909e381e4a83451939dfa
2021-09-11 15:01:19
0
58
4a34fea29c2763d5a9a28d1b17daddf110d21675c88f0e5aa577222fb9d840a4
2021-09-08 19:38:16
0
58
33b89a0857c892564f03d59e8202b8a165c03f73eeb69166c128574d39f16c00
2021-09-03 12:06:02
0
57
29976057e455814dd11a96ed9a9af974e7ca2752412ca325b3f89bcd004f57b1
2021-09-03 11:36:15
0
57
08eb9ee68bb98582095fd5b1bebbac678f1eab124d106cade27db095979bd587
2021-09-03 07:02:12
0
56
77be776f3b2fba38539987866795488115693daef21c78ea8dc315bdad7d463d
2021-09-02 15:05:13
0
58
6c8699ae2028c2d019994523f0d75861f9530256da8f04556f0862b13c26b401
2021-08-31 21:33:38
0
57
207a67ae60aaa615bc1d774ced6b44850d287cac4d8aa1e6ea99ec705f80c130
2021-08-31 21:07:23
0
57
9155aa6f728d0e4513b52d81c0f1ecd891e5799b3291ac21c920c37b5815ff17
2021-08-31 11:18:24
0
58
36bd9b4396a3cc5bd6992533b6289229fad0a5919c565432a8f2b26981b91e23
2021-08-31 10:35:26
0
58
50807217147491af55229836f153f132c5062dc442765c25378069dd6ccb4ef3
2021-08-31 08:16:52
0
58
37f49c49f4b0eb8d8304f1ee2d9c94d2a71fe1d2fb1a5fd786d130c34377f30b
2021-08-30 15:36:33
0
58
97b84e02d361d174ab44192ec4100469a9e6183c2ccef6e585c5063df463db9c
2021-08-30 12:11:53
0
57
889a032740c1f19d22e4972db78cd5d9325f4400bf5428a67a6aef181c805615
2021-08-30 06:56:45
0
57
a39c16eb5035f14a22b5eda8f7f245f256657951c354ddc3a928e830b25fae76
2021-08-26 19:31:48
0
57
480900a8b7dbd34973302842b470afc09446057b165bb6e6fd7eec20528746c0
2021-08-18 20:07:32
0
39
bc26218ac35f1590b4c8dc845d5e936d58b1732e43f0e7448e3bf7e0a31cb8b9
2021-08-16 16:01:39
0
52
9d62a16a38e3849f74dd842f379fd9c92c1f8e2f6c798887b4de88063801dfb2

Rule Matches per Month (last 24 months)

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022