Aggregated indicators of compromise (IOCs) published by gteltsc.

Webshell IOCs
| File name | Hash (SHA256) | Path |
|---|---|---|
| pxh4HG1v.ashx | c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1 | C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx |
| RedirSuiteServiceProxy.aspx | 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5 | C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx |
| RedirSuiteServiceProxy.aspx | b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca | C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx |
| Xml.ashx | c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1 | Xml.ashx |
| errorEE.aspx | be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257 | C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx |
Malicious DLLs

| File name | Hash (SHA256) |
|---|---|
| Dll.dll | 074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82 |
| Dll.dll | 45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9 |
| Dll.dll | 9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0 |
| Dll.dll | 29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3 |
| Dll.dll | c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2 |
| 180000000.dll (dump from Svchost.exe) | 76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e |
Network indicators

| Indicator type | Value |
|---|---|
| Attacker IP address | 125[.]212[.]220[.]48 |
| Attacker IP address | 5[.]180[.]61[.]17 |
| Attacker IP address | 47[.]242[.]39[.]92 |
| Attacker IP address | 61[.]244[.]94[.]85 |
| Attacker IP address | 86[.]48[.]6[.]69 |
| Attacker IP address | 86[.]48[.]12[.]64 |
| Attacker IP address | 94[.]140[.]8[.]48 |
| Attacker IP address | 94[.]140[.]8[.]113 |
| Attacker IP address | 103[.]9[.]76[.]208 |
| Attacker IP address | 103[.]9[.]76[.]211 |
| Attacker IP address | 104[.]244[.]79[.]6 |
| Attacker IP address | 112[.]118[.]48[.]186 |
| Attacker IP address | 122[.]155[.]174[.]188 |
| Attacker IP address | 125[.]212[.]241[.]134 |
| Attacker IP address | 185[.]220[.]101[.]182 |
| Attacker IP address | 194[.]150[.]167[.]88 |
| Attacker IP address | 212[.]119[.]34[.]11 |
| Outbound traffic to download other binaries | hxxp://206[.]188[.]196[.]77:8080/themes.aspx |
| Command and control (C2) | 137[.]184[.]67[.]33 |