Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM
Indicators of Compromise
The following lists cover indicators of compromise discovered by Truesec.
File

Filename | MD5 Hash | Path
--- | --- | ---
code | A19456A9D930334D7C97A37D202E3CB5 | C:\Users\Public\opera\
opera_browser.dll | 7A6C605AF4B85954F62F35D648D532BF | C:\Users\Public\opera\
opera_browser.png | E1AE154461096ADB5EC602FAAD42B72E | C:\Users\Public\opera\
RedirSuiteServerProxy.aspx | C528278654422CB7339DBF9BFC19397A | <Exchange Path>\FrontEnd\HttpProxy\owa\auth\
RedirSuiteServerProxy.aspx | 817A6ED8578403B1E56C75D41BDC4881 | <Exchange Path>\FrontEnd\HttpProxy\owa\auth\
8Lw7tAhF9i1pJnRo.aspx | 7EEE73ECAB40ACDE73FE763FB1D79658 | <Exchange Path>\FrontEnd\HttpProxy\owa\auth\
vspmsg.dll | DA4A376F5F0E771E7AC01AD42FFAFBD0 | C:\ProgramData\VSPerfMon\
ServiceHub_Host_CLR.config | 217B7244D8AC1D7604B0848A9A283945 | C:\ProgramData\VSPerfMon\
supp0rt.aspx | 5CFA1868F0112B1F413CCD527F08EACF | C:\inetpub\wwwroot\aspnet_client\
error_page.aspx | 354B3C8A54BA3B23C6B899BF5830D777 | C:\inetpub\wwwroot\aspnet_client\error_page.aspx
OutlookEN.aspx | 819B97326C40F0677C63492451C9B9DD | <Exchange Path>\FrontEnd\HttpProxy\owa\auth\
discover.aspx | 98E445AB15F91DCBAAEFF3AF517F1842 | C:\inetpub\wwwroot\aspnet_client\
IPv4

This list excludes IP addresses that were observed only performing initial scanning and probing. It contains only addresses that showed malicious behaviour such as C2 communication or direct exploitation attempts.

IP address (defanged)
---
185[.]125.231.175
86[.]105.18.116
185[.]224.83.137
107[.]173.83.123
201[.]162.109.184
68[.]2.82.62
182[.]215.181.200
45[.]15.9.45
182[.]18.152.105
141[.]164.40.193
172[.]105.87.139
URL

URL (defanged)
---
https[:]//www.licensenest[.]com/list/news/id
https[:]//www.licensentest[.]com/list/news/post?newid=<identifying number>
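The lists above are defanged for safe sharing, so before they can be matched against logs or a file system they have to be refanged and normalised. The following is an added example, not code from Truesec, Microsoft or the original post: it refangs a subset of the IP and URL indicators, checks IIS-style log lines for a matching client IP or referrer host, and sweeps a directory (for instance the listed owa\auth or aspnet_client folders) for files whose MD5 is in the file-hash list. The IIS field layout and the sample log lines are constructed for this example, and only a handful of the hashes and IPs from the tables are included; extend the sets with the full lists when running it for real.

```python
"""Offline IoC matcher for the defanged indicators listed above (added example)."""
import hashlib
import os
import re
from typing import Dict, Iterable, List, Set

# Subset of the file IoCs from the table above (MD5, upper case as listed).
FILE_HASHES: Set[str] = {
    "A19456A9D930334D7C97A37D202E3CB5",  # code
    "7A6C605AF4B85954F62F35D648D532BF",  # opera_browser.dll
    "C528278654422CB7339DBF9BFC19397A",  # RedirSuiteServerProxy.aspx
    "5CFA1868F0112B1F413CCD527F08EACF",  # supp0rt.aspx
}

# Network IoCs exactly as they appear (defanged) in the lists above.
DEFANGED_IPS = ["185[.]125.231.175", "86[.]105.18.116", "45[.]15.9.45"]
DEFANGED_URLS = ["https[:]//www.licensenest[.]com/list/news/id"]


def refang(value: str) -> str:
    """Turn the defanged notation used in IoC lists back into the real value."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def host_of(url: str) -> str:
    """Extract the host part of a URL or referrer value ('-' stays '-')."""
    return re.sub(r"^https?://", "", url).split("/")[0]


IOC_IPS: Set[str] = {refang(ip) for ip in DEFANGED_IPS}
IOC_HOSTS: Set[str] = {host_of(refang(u)) for u in DEFANGED_URLS}

# Constructed, minimal IIS W3C field layout; adjust to the #Fields line of real logs.
IIS_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem",
              "c-ip", "cs(Referer)", "sc-status"]


def match_iis_lines(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose client IP or referrer host is an IoC."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip W3C header/comment lines
        parts = line.split()
        if len(parts) != len(IIS_FIELDS):
            continue  # malformed line: skip rather than misalign fields
        rec = dict(zip(IIS_FIELDS, parts))
        reasons = []
        if rec["c-ip"] in IOC_IPS:
            reasons.append("c-ip matches IoC IP")
        if host_of(rec["cs(Referer)"]) in IOC_HOSTS:
            reasons.append("referrer host matches IoC domain")
        if reasons:
            hits.append({"c-ip": rec["c-ip"], "uri": rec["cs-uri-stem"],
                         "reason": "; ".join(reasons)})
    return hits


def md5_of(path: str) -> str:
    """Stream a file through MD5 and return the upper-case hex digest."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def scan_tree(root: str, hashes: Set[str] = FILE_HASHES) -> List[str]:
    """Walk a directory tree (e.g. the owa/auth or aspnet_client folder from the
    table) and return the paths of files whose MD5 is in the IoC hash set."""
    found: List[str] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                if md5_of(p) in hashes:
                    found.append(p)
            except OSError:
                pass  # unreadable file: skip it rather than abort the sweep
    return found


# Constructed sample log lines; the second and third should be flagged.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem c-ip cs(Referer) sc-status
2021-03-03 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx 10.0.0.42 - 200
2021-03-03 10:00:07 10.0.0.5 POST /owa/ 185.125.231.175 - 200
2021-03-03 10:00:09 10.0.0.5 GET /owa/auth/logon.aspx 10.0.0.77 https://www.licensenest.com/list/news/id 200
""".splitlines()

if __name__ == "__main__":
    for hit in match_iis_lines(SAMPLE_LOG):
        print(hit)
    for path in scan_tree(os.getcwd()):
        print("hash match:", path)
```

Matching on hash alone is deliberate: several of the listed web shells share a directory but not a name, so a filename check would miss renamed copies, while a hash check misses modified ones; in practice run both and treat any unexpected .aspx file under the listed directories as something to review.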
Source: Microsoft
Source: TRUESEC Blog
^SysOP