WEBSHELL_Weevly_Variation_Jul22_1

Rule Info

Name: WEBSHELL_Weevly_Variation_Jul22_1
Description: Detects patterns found in Weevly webshells
Date: 2022-07-11
Score: 75
Tags: ['WEBSHELL', 'T1100']
Minimum Yara: 1.7
Author: Florian Roth
Av Ratio: 8.45
Rule Hash: 86d7ee7deae42a273923470750be65ae
Required Modules: []

Antivirus Verdicts

Rating | Number of Samples
Malicious (>= 10 engines) | 1
Suspicious (< 10 engines) | 29
Clean (0 engines) | 0

Rule Matches


Rule Matches per Month (last 24 months)