win.exchange_tool

MS Exchange Tool

Actor(s): Mirage


There is no description at this point.

References
NCC Group PLC, "Royal APT - APT15 Repository", Github (nccgroup), 2018-03-16. https://github.com/nccgroup/Royal_APT (accessed 2020-01-09). Tagged: BS2005, MS Exchange Tool, RoyalCli, Royal DNS, Mirage.
Rob Smallridge, "APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS", NCC Group, 2018-03-10. https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ (accessed 2019-12-19). Tagged: BS2005, MS Exchange Tool, RoyalCli, Royal DNS, Mirage.
Yara Rules
[TLP:WHITE] win_exchange_tool_w0 (20180312 | Detects malware from APT 15 report by NCC Group)
rule win_exchange_tool_w0 {
    meta:
        description = "Detects malware from APT 15 report by NCC Group"
        author = "Florian Roth"
        reference = "https://goo.gl/HZ5XMN"
        date = "2018-03-10"
        hash1 = "16b868d1bef6be39f69b4e976595e7bd46b6c0595cf6bc482229dbb9e64f1bce"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.exchange_tool"
        malpedia_version = "20180312"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "\\Release\\EWSTEW.pdb" ascii
        $s2 = "EWSTEW.exe" fullword wide
        $s3 = "Microsoft.Exchange.WebServices.Data" fullword ascii
        $s4 = "tmp.dat" fullword wide
        $s6 = "/v or /t is null" fullword wide
    condition:
        all of them
}
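The rule above hinges on three YARA modifiers that are easy to misread: `ascii` (one byte per character), `wide` (UTF-16LE, how a .NET binary stores its user strings) and `fullword` (the match may not be adjacent to an alphanumeric character), combined by `all of them`. The following is an added example, not code from Malpedia or from the NCC Group report: it re-implements those matching semantics in plain Python and runs them over constructed byte blobs that stand in for a binary. The sample layout, the path `C:\build\Release\EWSTEW.pdb`, the benign "EWS client" blob and all function names are assumptions made for illustration; the only thing taken from the page is the string table of win_exchange_tool_w0. Against real files you would of course run the rule itself with yara or yara-python rather than this re-implementation.

```python
"""Re-implementation of win_exchange_tool_w0 matching semantics (added example).

Not Malpedia's or NCC Group's code. Mirrors the rule's strings and modifiers so
that 'ascii', 'wide', 'fullword' and 'all of them' can be exercised offline on
constructed byte blobs. No real sample is involved.
"""

# String table copied from win_exchange_tool_w0, with each string's modifiers.
RULE_STRINGS = {
    "$s1": ("\\Release\\EWSTEW.pdb", {"ascii"}),
    "$s2": ("EWSTEW.exe", {"wide", "fullword"}),
    "$s3": ("Microsoft.Exchange.WebServices.Data", {"ascii", "fullword"}),
    "$s4": ("tmp.dat", {"wide", "fullword"}),
    "$s6": ("/v or /t is null", {"wide", "fullword"}),
}


def encoded_forms(text, mods):
    """Byte patterns YARA searches for: 'ascii' is one byte per char, 'wide' is
    UTF-16LE. With neither modifier YARA defaults to ascii."""
    forms = []
    if "ascii" in mods or "wide" not in mods:
        forms.append((text.encode("ascii"), False))
    if "wide" in mods:
        forms.append((text.encode("utf-16le"), True))
    return forms


def _alnum(b):
    return 48 <= b <= 57 or 65 <= b <= 90 or 97 <= b <= 122


def fullword_ok(data, start, end, wide):
    """YARA's fullword: the match must not touch an alphanumeric character.
    For wide strings the neighbouring unit is two bytes (alnum byte + 0x00)."""
    if wide:
        def alnum_unit(u):
            return len(u) == 2 and u[1] == 0 and _alnum(u[0])
        before = data[start - 2:start] if start >= 2 else b""
        after = data[end:end + 2]
        return not alnum_unit(before) and not alnum_unit(after)
    before = data[start - 1:start] if start >= 1 else b""
    after = data[end:end + 1]
    return not (before and _alnum(before[0])) and not (after and _alnum(after[0]))


def match_strings(data):
    """Map each string id to the offsets where it matches under its modifiers."""
    hits = {}
    for sid, (text, mods) in RULE_STRINGS.items():
        offsets = []
        for pattern, wide in encoded_forms(text, mods):
            i = data.find(pattern)
            while i >= 0:
                if "fullword" not in mods or fullword_ok(data, i, i + len(pattern), wide):
                    offsets.append(i)
                i = data.find(pattern, i + 1)
        hits[sid] = sorted(offsets)
    return hits


def rule_fires(data):
    """Condition 'all of them': every string must match at least once."""
    return all(match_strings(data).values())


SEP = b"\x00\x00"  # keeps every constructed string fullword-delimited on both sides


def build_sample(exe_name="EWSTEW.exe"):
    """Constructed stand-in for the binary (assumption, not a real file): PDB path
    and CLR type name as ASCII, user strings as UTF-16LE like a .NET assembly."""
    return (b"MZ\x90\x00" + b"\x00" * 28 + SEP
            + b"C:\\build\\Release\\EWSTEW.pdb" + SEP
            + b"Microsoft.Exchange.WebServices.Data" + SEP
            + exe_name.encode("utf-16le") + SEP
            + "tmp.dat".encode("utf-16le") + SEP
            + "/v or /t is null".encode("utf-16le") + SEP)


def build_benign_ews_client():
    """Constructed: a legitimate EWS consumer carries $s3 but none of the others."""
    return b"MZ" + SEP + b"Microsoft.Exchange.WebServices.Data" + SEP + "mail.dat".encode("utf-16le")


if __name__ == "__main__":
    cases = (("full sample", build_sample()),
             ("sample naming xEWSTEW.exe", build_sample("xEWSTEW.exe")),
             ("benign EWS client", build_benign_ews_client()))
    for label, blob in cases:
        print(f"{label:28} fires={rule_fires(blob)} {match_strings(blob)}")
```

Two things the run makes visible. First, `$s3` alone is the public EWS managed API assembly name, so any legitimate EWS client contains it; the rule stays quiet on such a file only because `all of them` also demands the PDB path and the tool's own `EWSTEW.exe`, `tmp.dat` and argument-error strings. Second, `fullword` is strict: the same `EWSTEW.exe` stored as `xEWSTEW.exe` no longer satisfies `$s2`, so a renamed or wrapped build that keeps the string as a substring of a longer identifier would evade this rule while still matching a non-fullword variant.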