MAR-10297887-1.v2 – Iranian Web Shells | CISA
Common Information
Type Value
UUID aa4b4c07-e840-406b-b303-bd41a068548d
Fingerprint a48dfa0c455b07cd
Analysis status DONE
Considered CTI value 2
Text language
Published Sept. 15, 2020, midnight
Added to db Sept. 11, 2022, 12:38 p.m.
Last updated Nov. 17, 2024, 6:55 p.m.
Headline Malware Analysis Report (AR20-259A)
Title MAR-10297887-1.v2 – Iranian Web Shells | CISA
Detected Hints/Tags/Attributes 103/2/145
Attributes
Details Type #Events CTI Value
Details IPv4 109
1.0.0.0
Details Pdb 1
app_web_tcnma5bs.pdb
Details Url 42
http://www.us-cert.gov/tlp.
Details Url 12
https://www.cisa.gov/forms/feedback
Details Windows Registry Key 1
HKUSmsY