(US-CERT) This file is a malicious PHP file containing an embedded obfuscated payload. This payload is Base64 encoded and password protected.
| TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| IP:Port | Timestamp |
|---|
| Domain | Timestamp |
|---|
| URL | Timestamp |
|---|
2021-04-27 by GReAT from Kaspersky
2021-03-03 by Joe Slowik from DomainTools
2021-01-27 by CERT-FR from CERT-FR
2016-12-29 by Department of Homeland Security from Department of Homeland Security
2016-12-29 by Robert Graham from Errata Security
Tool: P.A.S.
Names: P.A.S., PAS, Fobushell
Description: (US-CERT) This file is a malicious PHP file containing an embedded obfuscated payload. This payload is Base64 encoded and password protected.
Category: Malware
Type: Backdoor
Information: https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf
Information: https://blog.erratasec.com/2016/12/some-notes-on-iocs.html
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/php.pas
Last-card-change: 2022-12-28
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
| TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |