Microsoft Exchange Zero-Day ProxyLogon und HAFNIUM
Indicators of Compromise
The following lists cover indicators of compromise discovered by Truesec.
File
| Filename | MD5 Hash | Path |
| code | A19456A9D930334D7C97A37D202E3CB5 | C:\Users\Public\opera\ |
| opera_browser.dll | 7A6C605AF4B85954F62F35D648D532BF | C:\Users\Public\opera\ |
| opera_browser.png | E1AE154461096ADB5EC602FAAD42B72E | C:\Users\Public\opera\ |
| RedirSuiteServerProxy.aspx | C528278654422CB7339DBF9BFC19397A | <exchange install path> \FrontEnd\HttpProxy\owa\auth\ |
| RedirSuiteServerProxy.aspx | 817A6ED8578403B1E56C75D41BDC4881 | <Exchange Path>\FrontEnd\HttpProxy\owa\auth\ |
| 8Lw7tAhF9i1pJnRo.aspx | 7EEE73ECAB40ACDE73FE763FB1D79658 | <Exchange Path>\FrontEnd\HttpProxy\owa\auth\ |
| vspmsg.dll | DA4A376F5F0E771E7AC01AD42FFAFBD0 | C:\ProgramData\VSPerfMon |
| ServiceHub_Host_CLR.config | 217B7244D8AC1D7604B0848A9A283945 | C:\ProgramData\VSPerfMon |
| supp0rt.aspx | 5CFA1868F0112B1F413CCD527F08EACF | C:\inetpub\wwwroot\aspnet_client\ |
| error_page.aspx | 354B3C8A54BA3B23C6B899BF5830D777 | C:\inetpub\wwwroot\aspnet_client\error_page.aspx |
| OutlookEN.aspx | 819B97326C40F0677C63492451C9B9DD | <Exchange Path>\FrontEnd\HttpProxy\owa\auth\ |
| discover.aspx | 98E445AB15F91DCBAAEFF3AF517F1842 | C:\inetpub\wwwroot\aspnet_client\ |
IPV4
This list does not contain observed IP addresses that have only done initial scanning and probing activities. It is only IP addresses that have indicated malicious behavior such as C2 communications or direct attempts at exploitation.
| 185[.]125.231.175 |
| 86[.]105.18.116 |
| 185[.]224.83.137 |
| 107[.]173.83.123 |
| 201[.]162.109.184 |
| 68[.]2.82.62 |
| 182[.]215.181.200 |
| 45[.]15.9.45 |
| 182[.]18.152.105 |
| 141[.]164.40.193 |
| 172[.]105.87.139 |
URL
| https[:]//www.licensenest[.]com/list/news/id |
| https[:]www.licensentest[.]com/list/news/post?newid=<identifying number> |
Quelle: Microsoft
Quelle: TRUESEC Blog
^SysOP
