nuclei-templates/file/malware/hash/regeorg-webshell-hash.yaml

id: regeorg-webshell-hash
info:
  name: ReGeorg Webshell Hash - Detect
  author: pussycat0x
  severity: info
  description: Detects the reGeorg webshells' JSP version.
  reference:
    - https://github.com/volexity/threat-intel/blob/main/2022/2022-08-10%20Mass%20exploitation%20of%20(Un)authenticated%20Zimbra%20RCE%20CVE-2022-27925/yara.yar
    - https://github.com/SecWiki/WebShell-2/blob/master/reGeorg-master/tunnel.jsp
  tags: malware,webshells

file:
  - extensions:
      - all

    matchers:
      - type: dsl
        dsl:
          - "sha256(raw) == 'f9b20324f4239a8c82042d8207e35776d6777b6305974964cd9ccc09d431b845'"
# digest: 4b0a00483046022100b886e1dd58565f1e41c52634fd7e09dc53c65bcdcc1b14a157de50a37b1dbb03022100b0a926bd917b70266d4c40a32b2b3949208df60d484e07cad9f986e02c981591:922c64590222798bb761d5b6d8e72950
New - Templates 2024-06-20 09:42:34 +00:00			`id: regeorg-webshell-hash`
update 2024-06-19 10:13:35 +00:00			`info:`
New - Templates 2024-06-20 09:42:34 +00:00			`name: ReGeorg Webshell Hash - Detect`
update 2024-06-19 10:13:35 +00:00			`author: pussycat0x`
			`severity: info`
			`description: Detects the reGeorg webshells' JSP version.`
			`reference:`
			`- https://github.com/volexity/threat-intel/blob/main/2022/2022-08-10%20Mass%20exploitation%20of%20(Un)authenticated%20Zimbra%20RCE%20CVE-2022-27925/yara.yar`
			`- https://github.com/SecWiki/WebShell-2/blob/master/reGeorg-master/tunnel.jsp`
			`tags: malware,webshells`

			`file:`
			`- extensions:`
			`- all`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- "sha256(raw) == 'f9b20324f4239a8c82042d8207e35776d6777b6305974964cd9ccc09d431b845'"`
Auto Template Signing [Fri Jun 21 10:04:41 UTC 2024] :robot: 2024-06-21 10:04:41 +00:00			`# digest: 4b0a00483046022100b886e1dd58565f1e41c52634fd7e09dc53c65bcdcc1b14a157de50a37b1dbb03022100b0a926bd917b70266d4c40a32b2b3949208df60d484e07cad9f986e02c981591:922c64590222798bb761d5b6d8e72950`