WEBSHELL_ASPX_Exchange_Webshell_Aug21_1

Rule Info

Av Ratio: 16.29
Required Modules: []
Name: WEBSHELL_ASPX_Exchange_Webshell_Aug21_1
Score: 85
Date: 2021-08-09
Minimum Yara: 1.7
Author: Florian Roth
Description: Detects standard ASPX webshells
Tags: ['T1100', 'WEBSHELL']
Rule Hash: 653594b913155caa8e50ce36a0b3f58c

Antivirus Verdicts

Rating: Number of Samples
Malicious (>= 10 engines): 16
Suspicious (< 10 engines): 27
Clean (0 engines): 0

Rule Matches


Rule Matches per Month (last 24 months)