top of page

Exchange CVE-2022-41040, CVE-2022-41082 Indicators of Compromise


Aggregated Indicators of compromise published by gteltsc.


Webshell IOC's

File Name

pxh4HG1v.ashx

Hash (SHA256)

c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1

Path

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx

File Name

RedirSuiteServiceProxy.aspx

Hash (SHA256)

65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5

Path

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx

File Name

RedirSuiteServiceProxy.aspx

Hash (SHA256)

b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca

Path

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx

File Name

Xml.ashx

Hash (SHA256)

c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1

Path

Xml.ashx

File Name

errorEE.aspx

Hash (SHA256)

be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257

Path

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx

Malicious DLL's

File Name

Dll.dll

Hash (SHA256)

074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82

45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9

9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0

29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3

c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2

File Name

180000000.dll (Dump from Svchost.exe)

Hash (SHA256)

76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e

Attacker IP addresses

125[.]212[.]220[.]48

5[.]180[.]61[.]17

47[.]242[.]39[.]92

61[.]244[.]94[.]85

86[.]48[.]6[.]69

86[.]48[.]12[.]64

94[.]140[.]8[.]48

94[.]140[.]8[.]113

103[.]9[.]76[.]208

103[.]9[.]76[.]211

104[.]244[.]79[.]6

112[.]118[.]48[.]186

122[.]155[.]174[.]188

125[.]212[.]241[.]134

185[.]220[.]101[.]182

194[.]150[.]167[.]88

212[.]119[.]34[.]11


Outbound traffic to download other Binaries

hxxp://206[.]188[.]196[.]77:8080/themes.aspx

Command & Control – C2

137[.]184[.]67[.]33


69 views0 comments

Recent Posts

See All

Comments


bottom of page