MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server | CISA
Tags
Common Information
Type | Value |
---|---|
UUID | 7bfd05d3-6ffe-4c95-ad52-f4fce0b4e2d6 |
Fingerprint | d2cd19f545631f49 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | March 15, 2023, noon |
Added to db | Aug. 13, 2023, 1:29 a.m. |
Last updated | Nov. 17, 2024, 5:57 p.m. |
Headline | MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server |
Title | MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server | CISA |
Detected Hints/Tags/Attributes | 76/2/72 |
Source URLs
Redirection | Url | |
---|---|---|
Details | Source | https://www.cisa.gov/news-events/analysis-reports/ar23-074a |
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 85 | ✔ | — | https://cisa.gov/uscert/ncas/analysis-reports.xml | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Yara rule | 1 | rule CISA_10413062_04 : wiper compromises_data_availability { meta: Author = "CISA Code & Media Analysis" Incident = "10413062" Date = "2022-11-21" Last_Modified = "20221123_2000" Actor = "n/a" Family = "n/a" Capabilities = "compromises-data-availability" Malware_Type = "wiper" Tool_Type = "n/a" Description = "Detect portable executable file that deletes .dll files" MD5 = "8e33e1e407fc9ff537b63be3ab78cb40" SHA256 = "144492284bcbc0110d34a2b9a44bef90ed0d6cda746df6058b49d3789b0f851d" strings: $s1 = { ( 43 | 63 ) 3A 5C ( 57 | 77 ) ( 49 | 69 ) ( 4E | 6E ) ( 44 | 64 ) ( 4F | 6F ) ( 57 | 77 ) ( 53 | 73 ) 5C ( 54 | 74 ) ( 65 | 45 ) ( 4D | 6D ) ( 50 | 70 ) } $s2 = { 43 72 65 61 74 65 54 68 72 65 61 64 } $s3 = { 54 65 6C 65 72 69 69 6B 2E 64 6C 6C } condition: uint16(0) == 0x5a4d and all of ($s*) } |
Details | Yara rule | 1 | rule CISA_10413062_07 : wiper compromises_data_availability { meta: Author = "CISA Code & Media Analysis" Incident = "10413062" Date = "2022-11-30" Last_Modified = "20221130_1700" Actor = "n/a" Family = "n/a" Capabilities = "compromises-data-availability" Malware_Type = "wiper" Tool_Type = "n/a" Description = "Detects managed malware code in C# DLL samples" MD5 = "8e33e1e407fc9ff537b63be3ab78cb40" SHA256 = "144492284bcbc0110d34a2b9a44bef90ed0d6cda746df6058b49d3789b0f851d" strings: $s0 = { 4D 61 69 6E 00 61 72 67 73 00 2E 63 74 6F 72 00 57 72 69 74 65 4C 69 6E 65 } $s1 = { 46 69 6E 64 46 69 72 73 74 46 69 6C 65 41 00 00 90 01 46 69 6E 64 } $s2 = { 43 3A 5C 77 69 6E 64 6F 77 73 5C 74 65 6D 70 } $s3 = { 54 65 6C 65 72 69 69 6B 2E 64 6C 6C } $s4 = { 76 34 2E 30 2E 33 30 33 31 39 } condition: all of them } |
Details | Yara rule | 1 | rule CISA_10413062_01 : exfiltrates_data { meta: Author = "CISA Code & Media Analysis" Incident = "10413062" Date = "2022-11-21" Last_Modified = "20221123_2000" Actor = "n/a" Family = "n/a" Capabilities = "exfiltrates-data" Malware_Type = "n/a" Tool_Type = "n/a" Description = "Detect portable executable samples that exfiltrate .config data" MD5_1 = "f6f47911ac32afd786a765dcb1f26722" SHA256_1 = "e044bce06ea49d1eed5e1ec59327316481b8339c3b6e1aecfbb516f56d66e913" MD5_2 = "cd6c11f89b392988e0de3ffe048a561b" SHA256_2 = "d69ac887ecc2b714b7f5e59e95a4e8ed2466bed753c4ac328931212c46050b35" strings: $s1 = { ( 43 | 63 ) 3A 5C ( 49 | 69 ) ( 4E | 6E ) ( 45 | 65 ) ( 54 | 74 ) ( 50 | 70 ) ( 55 | 75 ) ( 62 | 42 ) 5C ( 54 | 74 ) ( 45 | 65 ) ( 4D | 6D ) ( 50 | 70 ) } $s2 = { ( 44 | 64 ) 3A 5C ( 49 | 69 ) ( 4E | 6E ) ( 45 | 65 ) ( 54 | 74 ) ( 50 | 70 ) ( 55 | 75 ) ( 62 | 42 ) 5C ( 54 | 74 ) ( 45 | 65 ) ( 4D | 6D ) ( 50 | 70 ) } $s3 = { ( 45 | 65 ) 3A 5C ( 49 | 69 ) ( 4E | 6E ) ( 45 | 65 ) ( 54 | 74 ) ( 50 | 70 ) ( 55 | 75 ) ( 62 | 42 ) 5C ( 54 | 74 ) ( 45 | 65 ) ( 4D | 6D ) ( 50 | 70 ) } $t4 = { 2E 43 4F ( 4E | 6E ) ( 46 | 66 ) ( 69 | 49 ) ( 47 | 67 ) } $t5 = { 2E 43 6F ( 4E | 6E ) ( 46 | 66 ) ( 69 | 49 ) ( 47 | 67 ) } $t6 = { 2E 63 4F ( 4E | 6E ) ( 46 | 66 ) ( 69 | 49 ) ( 47 | 67 ) } $t7 = { 2E 63 6F ( 4E | 6E ) ( 46 | 66 ) ( 69 | 49 ) ( 47 | 67 ) } $s8 = { 70 68 79 73 69 63 61 6C 50 61 74 68 3D } $s9 = { 2F 3E } $s10 = { 34 35 2E 37 } $s11 = { 37 2E 32 31 } $s12 = { 32 2E 31 32 } $s13 = { 43 72 65 61 74 65 54 68 72 65 61 64 } condition: uint16(0) == 0x5a4d and 1 of ($t*) and all of ($s*) } |
Details | Yara rule | 1 | rule CISA_10413062_06 : exfiltrates_data { meta: Author = "CISA Code & Media Analysis" Incident = "10413062" Date = "2022-11-30" Last_Modified = "20221130_1700" Actor = "n/a" Family = "n/a" Capabilities = "exfiltrates-data" Malware_Type = "n/a" Tool_Type = "n/a" Description = "Detects managed malware code in C# DLL samples" MD5 = "f6f47911ac32afd786a765dcb1f26722" SHA256 = "e044bce06ea49d1eed5e1ec59327316481b8339c3b6e1aecfbb516f56d66e913" strings: $s0 = { 4E 65 74 6B 65 6C 2E 64 6C 6C } $s1 = { 76 34 2E 30 2E 33 30 33 31 39 } $s2 = { 70 68 79 73 69 63 61 6C 50 61 74 68 3D } $s3 = { 2E 63 6F 6E 66 69 67 00 2B 5F 2B 5F 2B } $s4 = { 43 3A 5C 69 6E 65 74 70 75 62 5C 74 65 6D 70 } condition: all of them } |
Details | Yara rule | 1 | rule CISA_10413062_02 : information_stealer information_gathering { meta: Author = "CISA Code & Media Analysis" Incident = "10413062" Date = "2022-11-21" Last_Modified = "20221123_2000" Actor = "n/a" Family = "n/a" Capabilities = "n/a" Malware_Type = "n/a" Tool_Type = "information-gathering" Description = "Detect portable executable file that creates and deletes a file" MD5 = "cece36ea4e328f093517ff68d0ed085c" SHA256 = "853e8388c9a72a7a54129151884da46075d45a5bcd19c37a7857e268137935aa" strings: $s1 = { 34 35 2E 37 } $s2 = { 37 2E 32 31 } $s3 = { 32 2E 31 32 } $s4 = { ( 45 | 65 ) 3A 5C ( 57 | 77 ) ( 45 | 65 ) ( 42 | 62 ) ( 53 | 73 ) ( 49 | 69 ) ( 54 | 74 ) ( 45 | 65 ) ( 53 | 73 ) 5C ( 4D | 6D ) ( 45 | 65 ) ( 49 | 69 ) ( 53 | 73 ) 5C } $s5 = { 43 72 65 61 74 65 46 69 6C 65 } $s6 = { 57 72 69 74 65 46 69 6C 65 } $s7 = { 44 65 6C 65 74 65 46 69 6C 65 } $s8 = { 43 72 65 61 74 65 54 68 72 65 61 64 } condition: uint16(0) == 0x5a4d and all of ($s*) } |
Details | Yara rule | 1 | rule CISA_10413062_08 : information_stealer information_gathering { meta: Author = "CISA Code & Media Analysis" Incident = "10413062" Date = "2022-11-30" Last_Modified = "20221130_1700" Actor = "n/a" Family = "n/a" Capabilities = "n/a" Malware_Type = "n/a" Tool_Type = "information-gathering" Description = "Detects managed malware code in C# DLL samples" MD5 = "cece36ea4e328f093517ff68d0ed085c" SHA256 = "853e8388c9a72a7a54129151884da46075d45a5bcd19c37a7857e268137935aa" strings: $s0 = { 43 72 65 61 74 65 46 69 6C 65 20 45 72 72 6F 72 } $s1 = { 57 72 69 74 65 46 69 6C 65 20 45 72 72 6F 72 } $s2 = { 44 65 6C 65 74 65 46 69 6C 65 41 20 66 61 69 6C } $s3 = { 45 3A 5C 77 65 62 73 69 74 65 73 5C 4D 45 49 53 } $s4 = { 76 34 2E 30 2E 33 30 33 31 39 } condition: all of them } |
Details | Yara rule | 1 | rule CISA_10413062_10 : XEReverseShell trojan backdoor downloader dropper webshell remote_access communicates_with_C2 exfiltrates_data installs_other_components { meta: Author = "CISA Code & Media Analysis" Incident = "10413062" Date = "2022-11-23" Last_Modified = "20221215_1930" Actor = "n/a" Family = "XEReverseShell" Capabilities = "remote-access communicates-with-C2 exfiltrates-data installs-other-components" Malware_Type = "trojan backdoor downloader dropper webshell" Tool_Type = "remote-access" Description = "Detects XEReverseShell samples" MD5_1 = "37e173b932596af62fefc4dc10c8551d" SHA256_1 = "815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f" MD5_2 = "0bcceb4fdfb12db21fdfc3a42b9c4693" SHA256_2 = "508dd87110cb5bf5d156a13c2430c215035db216f20f546e4acec476e8d55370" MD5_3 = "42d7b2e1bcf75f9c469afa340f078c86" SHA256_3 = "d9273a16f979adee1afb6e55697d3b7ab42fd75051786f8c67a6baf46c4c19c2" MD5_4 = "d85880ad1e87c4266f899eca02207dd4" SHA256_4 = "1fed0766f564dc05a119bc7fa0b6670f0da23504e23ece94a5ae27787b674cd2" MD5_5 = "eaa579d911b8a47eaaea744d59d14708" SHA256_5 = "11d8b9be14097614dedd68839c85e3e8feec08cdab675a5e89c5b055a6a68bad" MD5_6 = "f968639a4840535a6ecda1cbe3065260" SHA256_6 = "a0ab222673d35d750a0290db1b0ce890b9d40c2ab67bfebb62e1a006e9f2479c" MD5_7 = "137423d7b7f5a5684a9b1457f46fdfb2" SHA256_7 = "e45ad91f12188a7c3d4891b70e1ee87a3f23eb981804ea72cd23f1d5e331ff5a" MD5_8 = "7947ce86923d732e6963c79aea757036" SHA256_8 = "8a5fc2b8ecb7ac6c0db76049d7e09470dbc24f1a90026a431285244818866505" MD5_9 = "d3cf1d590b2a63ae6070dd0011390f03" SHA256_9 = "78a926f899320ee6f05ab96f17622fb68e674296689e8649c95f95dade91e933" strings: $s1 = { 50 67 42 59 52 56 4A 6C 64 6D 56 79 63 32 56 54 61 47 56 73 } $s2 = { 54 56 71 51 41 41 4D 41 41 41 41 45 41 41 41 } $s3 = { 78 65 73 76 72 73 2E 65 78 65 } $s4 = { 58 45 52 65 76 65 72 73 65 53 68 65 6C 6C } $s5 = { 57 45 56 53 5A 58 5A 6C 63 6E 4E 6C 55 32 } $s6 = { 59 00 32 00 31 00 6B 00 4C 00 6D 00 56 00 34 00 5A 00 51 00 3D 00 3D } condition: 2 of them } |
Details | Yara rule | 1 | rule CISA_10413062_09 : trojan webshell { meta: Author = "CISA Code & Media Analysis" Incident = "10413062" Date = "2022-12-05" Last_Modified = "20221215_1930" Actor = "n/a" Family = "n/a" Capabilities = "n/a" Malware_Type = "trojan downloader webshell" Tool_Type = "n/a" Description = "Detects ASPX Webshell samples" MD5_1 = "ce8481189008d7f4a685615508110d88" SHA256_1 = "08375e2d187ee53ed263ee6529645e03ead1a8e77afd723a3e0495201452d415" strings: $s1 = { 50 61 67 65 20 4C 61 6E 67 75 61 67 65 3D 22 43 23 22 } $s2 = { 72 75 6E 61 74 3D 22 73 65 72 76 65 72 22 } $s3 = { 44 72 69 76 65 49 6E 66 6F } $s4 = { 74 78 74 43 6D 64 49 6E } $s5 = { 63 6D 64 55 70 6C 6F 61 64 } $s6 = { 50 61 73 73 54 68 72 6F 75 67 68 } condition: all of them } |
Details | Yara rule | 1 | rule CISA_10413062_13 : wiper information_gathering { meta: Author = "CISA Code & Media Analysis" Incident = "10413062" Date = "2022-12-21" Last_Modified = "20230106_1400" Actor = "n/a" Family = "n/a" Capabilities = "information-gathering" Malware_Type = "wiper" Tool_Type = "n/a" Description = "Detects PE information gathering samples" SHA256_1 = "dedf082f523dfcb75dee0480a2d8a087e3231f89fa34fcd2b7f74866a7b6608f" SHA256_2 = "f5cafe99bccb9d813909876fa536cc980c45687d0f411c5f4b5346dcf6b304e4" SHA256_3 = "74544d31cbbf003bc33e7099811f62a37110556b6c1a644393fddd0bac753730" SHA256_4 = "833e9cf75079ce796ef60fc7039a0b098be4ce8d259ffa53fe2855df110b2e5d" strings: $a1 = { 46 69 6E 64 46 69 72 73 74 46 69 6C 65 45 78 57 } $a2 = { 46 69 6E 64 4E 65 78 74 46 69 6C 65 57 } $a3 = { 47 65 74 41 43 50 } $a4 = { 47 65 74 4F 45 4D 43 50 } $a5 = { 47 65 74 43 50 49 6E 66 6F } $a6 = { 47 65 74 43 6F 6D 6D 61 6E 64 4C 69 6E 65 41 } $a7 = { 47 65 74 45 6E 76 69 72 6F 6E 6D 65 6E 74 53 74 72 69 6E 67 73 57 } $a8 = { 44 65 6C 65 74 65 46 69 6C 65 41 } $m1 = { 76 34 2E 30 2E 33 30 33 31 39 } $m2 = { 61 6D 64 36 34 } $m3 = { 2E 64 6C 6C } $m4 = { 64 65 6C 65 74 65 } $s1 = { 3C 4D 6F 64 75 6C 65 } $s2 = { 25 73 5C 25 73 } $s3 = { 25 73 5C 2A } $s4 = { 63 3A 3E } condition: uint16(0) == 0x5a4d and all of them } |