Indicator (IOC)

yara Revoked AlienVault · Published 21/12/2025 01:23 · Modified 21/12/2025 01:23

Essential information

Value / Name: 5e4b5219a67e0e1c3e874d3cf570b560bf4b9d27
Confidence: 100/100
Revoked: Yes
Valid from: 07/09/2023 21:24
Valid until: 10/12/2024 20:24
Pattern type: yara
Published: 21/12/2025 01:23
Modified: 21/12/2025 01:23
Author / Source: AlienVault

Description

Detects OWA targeting ASPX Webshell samples

Pattern

rule CISA_10430311_03 : ASPX_WEBSHELL webshell
{
    meta:
        author = "CISA Code & Media Analysis"
        incident = "10430311"
        date = "2023-03-21"
        last_modified = "20230404_1230"
        actor = "n/a"
        family = "ASPX Webshell"
        Capabilities = "n/a"
        Malware_Type = "webshell"
        Tool_Type = "n/a"
        description = "Detects OWA targeting ASPX Webshell samples"
        sha256_1 = "6dcc7b5e913154abac69687fcfb6a58ac66ec9b8cc7de7afd8832a9066b7bdde"
        sha256_1 = "47dacb8f0b157355a4fd59ccbac1c59b8268fe84f3b8a462378b064333920622"
    strings:
        // Hex patterns below are ASCII byte sequences; decoded text shown per line
        $s1 = { 5a 30 32 6a 77 36 43 36 63 55 }         // "Z02jw6C6cU"
        $s2 = { 5a 38 49 30 32 38 33 6e 77 38 }         // "Z8I0283nw8"
        $s3 = { 4f 57 41 77 65 62 63 6f 6e 66 69 67 }   // "OWAwebconfig"
        $s4 = { 54 55 43 53 4f 4e }                     // "TUCSON"
        $s5 = { 65 76 61 6c }                           // "eval"
    condition:
        // Matches when any three of the five strings are present
        3 of them
}

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.