2024-06-20 09:42:34 +00:00
|
|
|
id: regeorg-webshell-hash
|
2024-06-19 10:13:35 +00:00
|
|
|
info:
|
2024-06-20 09:42:34 +00:00
|
|
|
name: ReGeorg Webshell Hash - Detect
|
2024-06-19 10:13:35 +00:00
|
|
|
author: pussycat0x
|
|
|
|
severity: info
|
|
|
|
description: Detects the reGeorg webshells' JSP version.
|
|
|
|
reference:
|
|
|
|
- https://github.com/volexity/threat-intel/blob/main/2022/2022-08-10%20Mass%20exploitation%20of%20(Un)authenticated%20Zimbra%20RCE%20CVE-2022-27925/yara.yar
|
|
|
|
- https://github.com/SecWiki/WebShell-2/blob/master/reGeorg-master/tunnel.jsp
|
|
|
|
tags: malware,webshells
|
|
|
|
|
|
|
|
file:
|
|
|
|
- extensions:
|
|
|
|
- all
|
|
|
|
|
|
|
|
matchers:
|
|
|
|
- type: dsl
|
|
|
|
dsl:
|
|
|
|
- "sha256(raw) == 'f9b20324f4239a8c82042d8207e35776d6777b6305974964cd9ccc09d431b845'"
|
2024-06-21 10:04:41 +00:00
|
|
|
# digest: 4b0a00483046022100b886e1dd58565f1e41c52634fd7e09dc53c65bcdcc1b14a157de50a37b1dbb03022100b0a926bd917b70266d4c40a32b2b3949208df60d484e07cad9f986e02c981591:922c64590222798bb761d5b6d8e72950
|