id: regeorg-webshell-hash
info:
  name: ReGeorg Webshell Hash - Detect
  author: pussycat0x
  severity: info
  description: Detects the reGeorg webshells' JSP version.
  reference:
    - https://github.com/volexity/threat-intel/blob/main/2022/2022-08-10%20Mass%20exploitation%20of%20(Un)authenticated%20Zimbra%20RCE%20CVE-2022-27925/yara.yar
    - https://github.com/SecWiki/WebShell-2/blob/master/reGeorg-master/tunnel.jsp
  tags: malware,webshells

file:
  - extensions:
      - all

    matchers:
      - type: dsl
        dsl:
          - "sha256(raw) == 'f9b20324f4239a8c82042d8207e35776d6777b6305974964cd9ccc09d431b845'"
# digest: 4b0a00483046022100b886e1dd58565f1e41c52634fd7e09dc53c65bcdcc1b14a157de50a37b1dbb03022100b0a926bd917b70266d4c40a32b2b3949208df60d484e07cad9f986e02c981591:922c64590222798bb761d5b6d8e72950