Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM

Indicators of Compromise

The following lists cover indicators of compromise discovered by Truesec.

File

Filename                     MD5 Hash                          Path
code                         A19456A9D930334D7C97A37D202E3CB5  C:\Users\Public\opera\
opera_browser.dll            7A6C605AF4B85954F62F35D648D532BF  C:\Users\Public\opera\
opera_browser.png            E1AE154461096ADB5EC602FAAD42B72E  C:\Users\Public\opera\
RedirSuiteServerProxy.aspx   C528278654422CB7339DBF9BFC19397A  <Exchange Path>\FrontEnd\HttpProxy\owa\auth\
RedirSuiteServerProxy.aspx   817A6ED8578403B1E56C75D41BDC4881  <Exchange Path>\FrontEnd\HttpProxy\owa\auth\
8Lw7tAhF9i1pJnRo.aspx        7EEE73ECAB40ACDE73FE763FB1D79658  <Exchange Path>\FrontEnd\HttpProxy\owa\auth\
vspmsg.dll                   DA4A376F5F0E771E7AC01AD42FFAFBD0  C:\ProgramData\VSPerfMon
ServiceHub_Host_CLR.config   217B7244D8AC1D7604B0848A9A283945  C:\ProgramData\VSPerfMon
supp0rt.aspx                 5CFA1868F0112B1F413CCD527F08EACF  C:\inetpub\wwwroot\aspnet_client\
error_page.aspx              354B3C8A54BA3B23C6B899BF5830D777  C:\inetpub\wwwroot\aspnet_client\error_page.aspx
OutlookEN.aspx               819B97326C40F0677C63492451C9B9DD  <Exchange Path>\FrontEnd\HttpProxy\owa\auth\
discover.aspx                98E445AB15F91DCBAAEFF3AF517F1842  C:\inetpub\wwwroot\aspnet_client\

IPv4

This list does not include IP addresses that were observed only performing initial scanning and probing. It contains only IP addresses that showed malicious behavior, such as C2 communication or direct exploitation attempts.

185[.]125.231.175
86[.]105.18.116
185[.]224.83.137
107[.]173.83.123
201[.]162.109.184
68[.]2.82.62
182[.]215.181.200
45[.]15.9.45
182[.]18.152.105
141[.]164.40.193
172[.]105.87.139

URL

https[:]//www.licensenest[.]com/list/news/id
https[:]//www.licensentest[.]com/list/news/post?newid=<identifying number>


Source: Microsoft

Source: TRUESEC Blog

^SysOP