Mirrors
/
cyber_threat_intelligence
mirror of https://github.com/vuldb/cyber_threat_intelligence
6
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update

This commit is contained in:
Marc Ruef 2022-01-26 15:36:47 +01:00
parent 256a28ff44
commit 0c11dcfc85
100 changed files with 2140 additions and 1247 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
1937CN/README.md
View File

@ -1,6 +1,6 @@
# 1937CN - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [1937CN](https://vuldb.com/?actor.1937cn). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [1937CN](https://vuldb.com/?actor.1937cn). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.1937cn](https://vuldb.com/?actor.1937cn)
@ -29,9 +29,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

6
APT-C-07/README.md
View File

@ -1,6 +1,6 @@
# APT-C-07 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT-C-07](https://vuldb.com/?actor.apt-c-07). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT-C-07](https://vuldb.com/?actor.apt-c-07). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt-c-07](https://vuldb.com/?actor.apt-c-07)
@ -42,9 +42,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

17
APT16/README.md
View File

@ -1,6 +1,6 @@
# APT16 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT16](https://vuldb.com/?actor.apt16). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT16](https://vuldb.com/?actor.apt16). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt16](https://vuldb.com/?actor.apt16)
@ -37,16 +37,9 @@ ID | Type | Indicator | Confidence
1 | File | `/download` | Medium
2 | File | `comment_add.asp` | High
3 | File | `data/gbconfiguration.dat` | High
4 | File | `email.php` | Medium
5 | File | `inc/config.php` | High
6 | File | `inc/filebrowser/browser.php` | High
7 | File | `ogp_show.php` | Medium
8 | File | `register.php` | Medium
9 | Argument | `basePath` | Medium
10 | Argument | `display` | Low
11 | ... | ... | ...
4 | ... | ... | ...
There are 4 more IOA items available. Please use our online service to access the data.
There are 11 more IOA items available. Please use our online service to access the data.
## References
@ -58,9 +51,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

6
APT18/README.md
View File

@ -1,6 +1,6 @@
# APT18 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT18](https://vuldb.com/?actor.apt18). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT18](https://vuldb.com/?actor.apt18). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt18](https://vuldb.com/?actor.apt18)
@ -34,9 +34,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

104
APT28/README.md
View File

@ -1,6 +1,6 @@
# APT28 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT28](https://vuldb.com/?actor.apt28). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT28](https://vuldb.com/?actor.apt28). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt28](https://vuldb.com/?actor.apt28)
@ -19,12 +19,12 @@ There are 3 more campaign items available. Please use our online service to acce
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with APT28:
* NL
* RO
* US
* DE
* ES
* ...
There are 52 more country items available. Please use our online service to access the data.
There are 3 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -51,10 +51,36 @@ ID | IP address | Hostname | Confidence
17 | 45.64.105.23 | - | High
18 | 45.124.132.127 | - | High
19 | 46.19.138.66 | ab2.alchibasystems.in.net | High
20 | 46.21.147.55 | 55.147.21.46.in-addr.arpa | High
21 | ... | ... | ...
20 | 46.21.147.55 | 46-21-147-55.static.hvvc.us | High
21 | 46.21.147.71 | 46-21-147-71.static.hvvc.us | High
22 | 46.21.147.76 | 46-21-147-76.static.hvvc.us | High
23 | 46.148.17.227 | - | High
24 | 46.166.162.90 | - | High
25 | 46.183.217.74 | ip-217-74.dataclub.info | High
26 | 51.38.128.110 | - | High
27 | 51.254.76.54 | - | High
28 | 51.254.158.57 | - | High
29 | 54.37.104.106 | piber.connectedlists.com | High
30 | 58.49.58.58 | - | High
31 | 62.113.232.197 | - | High
32 | 66.172.11.207 | ip-66-172-11-207.chunkhost.com | High
33 | 66.172.12.133 | - | High
34 | 69.12.73.174 | 69.12.73.174.static.quadranet.com | High
35 | 70.85.221.10 | server002.nilsson-it.dk | High
36 | 70.85.221.20 | 14.dd.5546.static.theplanet.com | High
37 | 76.74.177.251 | ip-76-74-177-251.chunkhost.com | High
38 | 77.81.98.122 | no-rdns.clues.ro | High
39 | 77.83.247.81 | - | High
40 | 78.153.151.222 | smtp33.pristavka-fr.ru | High
41 | 80.83.115.187 | host3.smtpnoida.biz | High
42 | 80.255.3.93 | - | High
43 | 80.255.3.94 | set121.com | High
44 | 80.255.6.15 | - | High
45 | 80.255.10.236 | - | High
46 | 81.17.30.29 | - | High
47 | ... | ... | ...
There are 211 more IOC items available. Please use our online service to access the data.
There are 185 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -62,14 +88,12 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1040 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | Cross Site Scripting | High
3 | T1068 | Execution with Unnecessary Privileges | High
4 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
5 | T1211 | 7PK Security Features | High
6 | ... | ... | ...
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 10 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -77,19 +101,43 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.htaccess` | Medium
2 | File | `.procmailrc` | Medium
3 | File | `/$({curl` | Medium
4 | File | `/+CSCOE+/logon.html` | High
5 | File | `/.env` | Low
6 | File | `/.ssh/authorized_keys` | High
7 | File | `/.vnc/sesman_${username}_passwd` | High
8 | File | `/account/details.php` | High
9 | File | `/admin.php` | Medium
10 | File | `/admin/adclass.php` | High
11 | ... | ... | ...
1 | File | `.travis.yml` | Medium
2 | File | `/.env` | Low
3 | File | `/admin.php` | Medium
4 | File | `/admin/config.php?display=disa&view=form` | High
5 | File | `/category_view.php` | High
6 | File | `/dev/kmem` | Medium
7 | File | `/filemanager/upload.php` | High
8 | File | `/medical/inventories.php` | High
9 | File | `/monitoring` | Medium
10 | File | `/NAGErrors` | Medium
11 | File | `/plugins/servlet/audit/resource` | High
12 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
13 | File | `/proc/ioports` | High
14 | File | `/replication` | Medium
15 | File | `/reports/rwservlet` | High
16 | File | `/RestAPI` | Medium
17 | File | `/tmp` | Low
18 | File | `/tmp/speedtest_urls.xml` | High
19 | File | `/uncpath/` | Medium
20 | File | `/var/log/nginx` | High
21 | File | `/wp-admin/admin.php` | High
22 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
23 | File | `admin/app/mediamanager` | High
24 | File | `admin/index.php` | High
25 | File | `admin\model\catalog\download.php` | High
26 | File | `afr.php` | Low
27 | File | `apcupsd.pid` | Medium
28 | File | `api/it-recht-kanzlei/api-it-recht-kanzlei.php` | High
29 | File | `api/sms/send-sms` | High
30 | File | `api/v1/alarms` | High
31 | File | `application/controller/InstallerController.php` | High
32 | File | `arch/powerpc/kvm/book3s_rtas.c` | High
33 | File | `arformcontroller.php` | High
34 | File | `auth-gss2.c` | Medium
35 | ... | ... | ...
There are 2654 more IOA items available. Please use our online service to access the data.
There are 300 more IOA items available. Please use our online service to access the data.
## References
@ -132,9 +180,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

6
APT30/README.md
View File

@ -1,6 +1,6 @@
# APT30 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT30](https://vuldb.com/?actor.apt30). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT30](https://vuldb.com/?actor.apt30). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt30](https://vuldb.com/?actor.apt30)
@ -24,9 +24,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

24
APT31/README.md
View File

@ -1,6 +1,6 @@
# APT31 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT31](https://vuldb.com/?actor.apt31). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT31](https://vuldb.com/?actor.apt31). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt31](https://vuldb.com/?actor.apt31)
@ -20,12 +20,9 @@ ID | IP address | Hostname | Confidence
1 | 105.154.12.165 | - | High
2 | 105.157.234.0 | - | High
3 | 105.159.122.85 | - | High
4 | 110.36.231.150 | WGPON-36231-150.wateen.net | High
5 | 115.31.133.26 | - | High
6 | 115.133.136.29 | - | High
7 | ... | ... | ...
4 | ... | ... | ...
There are 10 more IOC items available. Please use our online service to access the data.
There are 13 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -44,16 +41,9 @@ ID | Type | Indicator | Confidence
1 | File | `/get_getnetworkconf.cgi` | High
2 | File | `/horde/util/go.php` | High
3 | File | `administrator/components/com_media/helpers/media.php` | High
4 | File | `comments.php` | Medium
5 | File | `data/gbconfiguration.dat` | High
6 | File | `inc/config.php` | High
7 | File | `item_details.php` | High
8 | File | `KeyHelp.ocx` | Medium
9 | File | `phpinfo.php` | Medium
10 | File | `picture.php` | Medium
11 | ... | ... | ...
4 | ... | ... | ...
There are 12 more IOA items available. Please use our online service to access the data.
There are 19 more IOA items available. Please use our online service to access the data.
## References
@ -65,9 +55,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

57
APT32/README.md
View File

@ -1,6 +1,6 @@
# APT32 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT32](https://vuldb.com/?actor.apt32). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT32](https://vuldb.com/?actor.apt32). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt32](https://vuldb.com/?actor.apt32)
@ -17,10 +17,10 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* US
* CN
* TR
* VN
* ...
There are 10 more country items available. Please use our online service to access the data.
There are 11 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -35,22 +35,14 @@ ID | IP address | Hostname | Confidence
5 | 37.59.198.130 | - | High
6 | 37.59.198.131 | - | High
7 | 45.32.100.179 | 45.32.100.179.vultr.com | Medium
8 | 45.32.105.45 | 45.32.105.45.vultr.com | Medium
8 | 45.32.105.45 | - | High
9 | 45.32.114.49 | 45.32.114.49.vultr.com | Medium
10 | 45.76.147.201 | 45.76.147.201.vultr.com | Medium
11 | 45.76.179.28 | 45.76.179.28.vultr.com | Medium
12 | 45.76.179.151 | 45.76.179.151.vultr.com | Medium
13 | 45.77.39.101 | 45.77.39.101.vultr.com | Medium
14 | 45.114.117.137 | - | High
15 | 45.114.117.164 | folien.reisnart.com | High
16 | 64.62.174.9 | unassigned9.net2.fc.aoindustries.com | High
17 | 64.62.174.16 | unassigned16.net2.fc.aoindustries.com | High
18 | 64.62.174.17 | unassigned17.net2.fc.aoindustries.com | High
19 | 64.62.174.21 | unassigned21.net2.fc.aoindustries.com | High
20 | 64.62.174.41 | unassigned41.net2.fc.aoindustries.com | High
21 | ... | ... | ...
13 | ... | ... | ...
There are 40 more IOC items available. Please use our online service to access the data.
There are 48 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -61,10 +53,9 @@ ID | Technique | Description | Confidence
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | ... | ... | ...
4 | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -74,15 +65,25 @@ ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/cgi-bin/cgiServer.exx` | High
2 | File | `/cgi-bin/login_action.cgi` | High
3 | File | `/dev/sg0` | Medium
4 | File | `/event/runquery.do` | High
5 | File | `/forum/away.php` | High
6 | File | `/manager?action=getlogcat` | High
7 | File | `/password.html` | High
8 | File | `/system/ws/v11/ss/email)` | High
9 | File | `/uncpath/` | Medium
10 | File | `add_vhost.php` | High
11 | ... | ... | ...
3 | File | `/cgi-bin/webviewer_login_page` | High
4 | File | `/dev/sg0` | Medium
5 | File | `/event/runquery.do` | High
6 | File | `/filemanager/php/connector.php` | High
7 | File | `/forum/away.php` | High
8 | File | `/goform/setmac` | High
9 | File | `/manager?action=getlogcat` | High
10 | File | `/password.html` | High
11 | File | `/system/ws/v11/ss/email` | High
12 | File | `/uncpath/` | Medium
13 | File | `add_vhost.php` | High
14 | File | `admin/images.aspx` | High
15 | File | `admin/index.php` | High
16 | File | `adv2.php?action=modify` | High
17 | File | `agent.cfg` | Medium
18 | File | `arch/x86/include/asm/fpu/internal.h` | High
19 | File | `asm/float.c` | Medium
20 | File | `asm/nasm.c` | Medium
21 | ... | ... | ...
There are 178 more IOA items available. Please use our online service to access the data.
@ -98,9 +99,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

53
APT34/README.md
View File

@ -1,6 +1,6 @@
# APT34 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT34](https://vuldb.com/?actor.apt34). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT34](https://vuldb.com/?actor.apt34). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt34](https://vuldb.com/?actor.apt34)
@ -10,10 +10,10 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* US
* IR
* DE
* CN
* ...
There are 19 more country items available. Please use our online service to access the data.
There are 18 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -35,15 +35,9 @@ ID | IP address | Hostname | Confidence
12 | 80.82.79.221 | - | High
13 | 80.82.79.240 | - | High
14 | 81.17.56.249 | - | High
15 | 82.102.14.216 | h82-102-14-216.host.redstation.co.uk | High
16 | 82.102.14.219 | h82-102-14-219.host.redstation.co.uk | High
17 | 82.102.14.222 | h82-102-14-222.host.redstation.co.uk | High
18 | 82.102.14.246 | h82-102-14-246.host.redstation.co.uk | High
19 | 83.142.230.138 | - | High
20 | 88.99.246.174 | static.174.246.99.88.clients.your-server.de | High
21 | ... | ... | ...
15 | ... | ... | ...
There are 52 more IOC items available. Please use our online service to access the data.
There are 58 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -54,10 +48,9 @@ ID | Technique | Description | Confidence
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | ... | ... | ...
4 | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -75,9 +68,33 @@ ID | Type | Indicator | Confidence
8 | File | `/forum/away.php` | High
9 | File | `/getcfg.php` | Medium
10 | File | `/GetCSSashx/?CP=%2fwebconfig` | High
11 | ... | ... | ...
11 | File | `/HNAP1` | Low
12 | File | `/horde/util/go.php` | High
13 | File | `/includes/rrdtool.inc.php` | High
14 | File | `/irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping` | High
15 | File | `/login` | Low
16 | File | `/monitoring` | Medium
17 | File | `/opt/vyatta/share/vyatta-cfg/templates/system/static-host-mapping/host-name/node.def` | High
18 | File | `/proc/#####/fd/3` | High
19 | File | `/proc/ioports` | High
20 | File | `/rom-0` | Low
21 | File | `/squashfs-root/www/HNAP1/control/SetWizardConfig.php` | High
22 | File | `/uncpath/` | Medium
23 | File | `/wp-content/plugins/updraftplus/admin.php` | High
24 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
25 | File | `adclick.php` | Medium
26 | File | `addentry.php` | Medium
27 | File | `add_edit_user.asp` | High
28 | File | `add_to_cart.php` | High
29 | File | `admin.php` | Medium
30 | File | `admin/class-bulk-editor-list-table.php` | High
31 | File | `admin/dl_data.php` | High
32 | File | `admin/index.php` | High
33 | File | `admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1` | High
34 | File | `admin/system_manage/save.html` | High
35 | ... | ... | ...
There are 376 more IOA items available. Please use our online service to access the data.
There are 304 more IOA items available. Please use our online service to access the data.
## References
@ -96,9 +113,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

17
APT38/README.md
View File

@ -1,6 +1,6 @@
# APT38 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [APT38](https://vuldb.com/?actor.apt38). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [APT38](https://vuldb.com/?actor.apt38). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.apt38](https://vuldb.com/?actor.apt38)
@ -45,16 +45,9 @@ ID | Type | Indicator | Confidence
1 | File | `json-stringifier.h` | High
2 | File | `mm/memory.c` | Medium
3 | File | `\\.\pipe\WPSCloudSvr\WpsCloudSvr` | High
4 | Library | `DNSAPI.dll` | Medium
5 | Library | `kso.dll` | Low
6 | Library | `mshtml.dll` | Medium
7 | Library | `system/libraries/Email.php` | High
8 | Argument | `content` | Low
9 | Argument | `email->from` | Medium
10 | Argument | `location.href` | High
11 | ... | ... | ...
4 | ... | ... | ...
There are 5 more IOA items available. Please use our online service to access the data.
There are 12 more IOA items available. Please use our online service to access the data.
## References
@ -66,9 +59,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

67
APT41/README.md
View File

@ -9,6 +9,7 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
The following campaigns are known and can be associated with APT41:
* CVE-2019-19781
* MoonBounce
## Countries
@ -19,7 +20,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* RU
* ...
There are 7 more country items available. Please use our online service to access the data.
There are 13 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -27,28 +28,24 @@ These indicators of compromise indicate associated network ressources which are
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 23.67.95.153 | a23-67-95-153.deploy.static.akamaitechnologies.com | High
2 | 43.255.191.255 | - | High
3 | 45.76.6.149 | 45.76.6.149.vultr.com | Medium
4 | 45.76.75.219 | 45.76.75.219.vultr.com | Medium
5 | 45.138.157.78 | vm303301.pq.hosting | High
6 | 61.78.62.21 | - | High
7 | 61.195.98.245 | h61-195-98-245.ablenetvps.ne.jp | High
8 | 66.42.48.186 | 66.42.48.186.vultr.com | Medium
9 | 66.42.98.220 | 66.42.98.220.vultr.com | Medium
10 | 66.42.103.222 | 66.42.103.222.vultr.com | Medium
11 | 66.42.107.133 | 66.42.107.133.vultr.com | Medium
12 | 66.98.126.203 | 66.98.126.203.16clouds.com | High
13 | 67.198.161.250 | 67.198.161.250.CUSTOMER.KRYPT.COM | High
14 | 67.198.161.251 | 67.198.161.251.CUSTOMER.KRYPT.COM | High
15 | 67.198.161.252 | 67.198.161.252.CUSTOMER.KRYPT.COM | High
16 | 74.82.201.8 | 74.82.201.8.16clouds.com | High
17 | 91.208.184.78 | wk-azure.biz | High
18 | 103.19.3.21 | 103.19.3.21.static.xtom.com | High
19 | 103.19.3.109 | 103.19.3.109.static.xtom.com | High
20 | ... | ... | ...
1 | 5.183.101.21 | bestofgy.co.uk | High
2 | 5.183.101.114 | - | High
3 | 5.183.103.122 | - | High
4 | 5.188.93.132 | gcorelabs.paris.vpn015 | High
5 | 5.188.108.22 | pol1.htjsq.com | High
6 | 5.188.108.228 | xc5.exclusivacondominios.com | High
7 | 5.189.222.33 | spain466.es | High
8 | 23.67.95.153 | a23-67-95-153.deploy.static.akamaitechnologies.com | High
9 | 43.255.191.255 | - | High
10 | 45.76.6.149 | 45.76.6.149.vultr.com | Medium
11 | 45.76.75.219 | 45.76.75.219.vultr.com | Medium
12 | 45.128.132.6 | - | High
13 | 45.128.135.15 | - | High
14 | 45.138.157.78 | srv1.fincantleri.co | High
15 | 61.78.62.21 | - | High
16 | ... | ... | ...
There are 38 more IOC items available. Please use our online service to access the data.
There are 60 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -58,10 +55,10 @@ ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1211 | 7PK Security Features | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -78,10 +75,23 @@ ID | Type | Indicator | Confidence
7 | File | `/get_getnetworkconf.cgi` | High
8 | File | `/lists/admin/` | High
9 | File | `/login.cgi?logout=1` | High
10 | File | `/public/login.htm` | High
11 | ... | ... | ...
10 | File | `/module/admin_logs` | High
11 | File | `/public/login.htm` | High
12 | File | `/public/plugins/` | High
13 | File | `/replication` | Medium
14 | File | `/start-stop` | Medium
15 | File | `/tmp/app/.env` | High
16 | File | `/uncpath/` | Medium
17 | File | `/WEB-INF/web.xml` | High
18 | File | `/wp-admin/admin-ajax.php` | High
19 | File | `/_next` | Low
20 | File | `adclick.php` | Medium
21 | File | `addentry.php` | Medium
22 | File | `addrating.php` | High
23 | File | `admin/conf_users_edit.php` | High
24 | ... | ... | ...
There are 126 more IOA items available. Please use our online service to access the data.
There are 202 more IOA items available. Please use our online service to access the data.
## References
@ -91,6 +101,7 @@ The following list contains external sources which discuss the actor and the ass
* https://github.com/blackberry/threat-research-and-intelligence/blob/main/APT41.csv
* https://github.com/eset/malware-ioc/tree/master/winnti_group
* https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf
* https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
* https://vxug.fakedoma.in/archive/APTs/2021/2021.01.14/APT%2041.pdf
* https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
* https://www.threatminer.org/report.php?q=OfPigsandMalwareExaminingaPossibleMemberoftheWinntiGroup-TrendMicro.pdf&y=2017
@ -108,4 +119,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

16
ActionRAT/README.md
View File

@ -1,6 +1,6 @@
# ActionRAT - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [ActionRAT](https://vuldb.com/?actor.actionrat). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [ActionRAT](https://vuldb.com/?actor.actionrat). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.actionrat](https://vuldb.com/?actor.actionrat)
@ -48,15 +48,9 @@ ID | Type | Indicator | Confidence
2 | File | `admin/index.php` | High
3 | File | `books.php` | Medium
4 | File | `data/gbconfiguration.dat` | High
5 | File | `filter.php` | Medium
6 | File | `guestbook.cgi` | High
7 | File | `inc/config.php` | High
8 | File | `lib/krb5/asn.1/asn1_encode.c` | High
9 | File | `login.php` | Medium
10 | File | `mdeploy.php` | Medium
11 | ... | ... | ...
5 | ... | ... | ...
There are 23 more IOA items available. Please use our online service to access the data.
There are 29 more IOA items available. Please use our online service to access the data.
## References
@ -68,9 +62,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

46
Adwind/README.md
View File

@ -1,6 +1,6 @@
# Adwind - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Adwind](https://vuldb.com/?actor.adwind). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Adwind](https://vuldb.com/?actor.adwind). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.adwind](https://vuldb.com/?actor.adwind)
@ -9,11 +9,11 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Adwind:
* US
* CO
* RU
* FR
* ...
There are 13 more country items available. Please use our online service to access the data.
There are 16 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -36,14 +36,19 @@ ID | IP address | Hostname | Confidence
13 | 23.227.199.72 | 23-227-199-72.static.hvvc.us | High
14 | 23.227.199.118 | 23-227-199-118.static.hvvc.us | High
15 | 23.227.199.121 | 23-227-199-121.static.hvvc.us | High
16 | 23.231.23.182 | - | High
16 | 23.231.23.182 | mx6.touringul.com | High
17 | 31.31.196.31 | server31.hosting.reg.ru | High
18 | 31.171.155.72 | - | High
19 | 37.61.235.30 | - | High
20 | 46.20.33.76 | - | High
21 | ... | ... | ...
21 | 50.7.199.164 | - | High
22 | 51.254.21.25 | ip25.ip-51-254-21.eu | High
23 | 65.99.225.111 | hv36svg168.neubox.net | High
24 | 67.215.4.74 | - | High
25 | 67.215.4.75 | - | High
26 | ... | ... | ...
There are 106 more IOC items available. Please use our online service to access the data.
There are 101 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -54,10 +59,9 @@ ID | Technique | Description | Confidence
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | ... | ... | ...
4 | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
There are 3 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -65,19 +69,15 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `%windir%\Internet Logs\` | High
2 | File | `/admin/link.php?action=addlink` | High
3 | File | `/ajax/GetInheritedProperties` | High
4 | File | `/anony/mjpg.cgi` | High
5 | File | `/browse.PROJECTKEY` | High
6 | File | `/data/admin/#/app/config/` | High
7 | File | `/etc/group` | Medium
8 | File | `/forum/away.php` | High
9 | File | `/info.xml` | Medium
10 | File | `/knowage/restful-services/signup/update` | High
11 | ... | ... | ...
1 | File | `/irj/portal/` | Medium
2 | File | `/phppath/php` | Medium
3 | File | `/uncpath/` | Medium
4 | File | `acl.c` | Low
5 | File | `admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1` | High
6 | File | `administrator/components/com_media/helpers/media.php` | High
7 | ... | ... | ...
There are 247 more IOA items available. Please use our online service to access the data.
There are 48 more IOA items available. Please use our online service to access the data.
## References
@ -89,9 +89,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

16
Arid Viper/README.md
View File

@ -1,6 +1,6 @@
# Arid Viper - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Arid Viper](https://vuldb.com/?actor.arid_viper). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Arid Viper](https://vuldb.com/?actor.arid_viper). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.arid_viper](https://vuldb.com/?actor.arid_viper)
@ -47,15 +47,9 @@ ID | Type | Indicator | Confidence
2 | File | `add_comment.php` | High
3 | File | `admin/index.php` | High
4 | File | `data/gbconfiguration.dat` | High
5 | File | `e2_header.inc.php` | High
6 | File | `email.php` | Medium
7 | File | `Forms/tools_admin_1` | High
8 | File | `ftpcmd.c` | Medium
9 | File | `gb.cgi` | Low
10 | File | `inc/config.php` | High
11 | ... | ... | ...
5 | ... | ... | ...
There are 19 more IOA items available. Please use our online service to access the data.
There are 25 more IOA items available. Please use our online service to access the data.
## References
@ -68,9 +62,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

19
BEAR/README.md
View File

@ -1,6 +1,6 @@
# BEAR - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [BEAR](https://vuldb.com/?actor.bear). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [BEAR](https://vuldb.com/?actor.bear). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.bear](https://vuldb.com/?actor.bear)
@ -13,7 +13,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* UA
* ...
There are 3 more country items available. Please use our online service to access the data.
There are 4 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -50,16 +50,9 @@ ID | Type | Indicator | Confidence
1 | File | `/index.php` | Medium
2 | File | `/uncpath/` | Medium
3 | File | `add_comment.php` | High
4 | File | `data/gbconfiguration.dat` | High
5 | File | `FlexCell.ocx` | Medium
6 | File | `forums.aspx` | Medium
7 | File | `forums.php` | Medium
8 | File | `index.php` | Medium
9 | File | `install.php` | Medium
10 | File | `photo-gallery.php` | High
11 | ... | ... | ...
4 | ... | ... | ...
There are 16 more IOA items available. Please use our online service to access the data.
There are 24 more IOA items available. Please use our online service to access the data.
## References
@ -72,9 +65,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

78
Baldr/README.md
View File

@ -1,6 +1,6 @@
# Baldr - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Baldr](https://vuldb.com/?actor.baldr). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Baldr](https://vuldb.com/?actor.baldr). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.baldr](https://vuldb.com/?actor.baldr)
@ -8,12 +8,7 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Baldr:
* US
* CN
* RU
* ...
There are 16 more country items available. Please use our online service to access the data.
* NL
## IOC - Indicator of Compromise
@ -39,11 +34,15 @@ ID | IP address | Hostname | Confidence
16 | 18.221.49.166 | ec2-18-221-49-166.us-east-2.compute.amazonaws.com | Medium
17 | 23.19.58.101 | - | High
18 | 23.95.95.61 | 23-95-95-61-host.colocrossing.com | High
19 | 23.254.217.112 | hwsrv-901988.hostwindsdns.com | High
20 | 23.254.225.240 | hwsrv-907360.hostwindsdns.com | High
21 | ... | ... | ...
19 | 23.254.217.112 | hwsrv-930282.hostwindsdns.com | High
20 | 23.254.225.240 | sha29.phpautomailer.com | High
21 | 45.64.186.10 | 45-64-186-10.static.bangmod-idc.com | High
22 | 45.77.252.143 | 45.77.252.143.vultr.com | Medium
23 | 46.30.42.130 | assetshub.com | High
24 | 46.249.62.196 | - | High
25 | ... | ... | ...
There are 101 more IOC items available. Please use our online service to access the data.
There are 97 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -56,7 +55,7 @@ ID | Technique | Description | Confidence
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -64,19 +63,46 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/admin/functions.php` | High
3 | File | `/auth/login` | Medium
4 | File | `/download` | Medium
5 | File | `/forum/away.php` | High
6 | File | `/goform/saveParentControlInfo` | High
7 | File | `/inc/lists/edit-list.php` | High
8 | File | `/Interface/DevManage/EC.php?cmd=upload` | High
9 | File | `/MicroStrategyWS/happyaxis.jsp` | High
10 | File | `/modules/projects/vw_files.php` | High
11 | ... | ... | ...
1 | File | `.travis.yml` | Medium
2 | File | `/.env` | Low
3 | File | `/admin.php` | Medium
4 | File | `/admin/config.php?display=disa&view=form` | High
5 | File | `/BRS_netgear_success.html` | High
6 | File | `/category_view.php` | High
7 | File | `/dev/kmem` | Medium
8 | File | `/dev/shm` | Medium
9 | File | `/medical/inventories.php` | High
10 | File | `/monitoring` | Medium
11 | File | `/NAGErrors` | Medium
12 | File | `/plugins/servlet/audit/resource` | High
13 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
14 | File | `/proc/ioports` | High
15 | File | `/replication` | Medium
16 | File | `/rest/api/2/user/picker` | High
17 | File | `/RestAPI` | Medium
18 | File | `/rom-0` | Low
19 | File | `/tmp` | Low
20 | File | `/tmp/speedtest_urls.xml` | High
21 | File | `/uncpath/` | Medium
22 | File | `/var/log/nginx` | High
23 | File | `/wp-admin/admin.php` | High
24 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
25 | File | `abook_database.php` | High
26 | File | `account.asp` | Medium
27 | File | `admin-ajax.php?action=get_wdtable order[0][dir]` | High
28 | File | `admin/index.php` | High
29 | File | `admin/login.php` | High
30 | File | `admincp.php` | Medium
31 | File | `admincp.php?app=apps&do=save` | High
32 | File | `admincp.php?app=files` | High
33 | File | `admin\model\catalog\download.php` | High
34 | File | `ajax/render/widget_php` | High
35 | File | `apcupsd.pid` | Medium
36 | File | `api/sms/send-sms` | High
37 | File | `api/v1/alarms` | High
38 | ... | ... | ...
There are 248 more IOA items available. Please use our online service to access the data.
There are 323 more IOA items available. Please use our online service to access the data.
## References
@ -88,9 +114,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

6
Bitter/README.md
View File

@ -1,6 +1,6 @@
# Bitter - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Bitter](https://vuldb.com/?actor.bitter). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Bitter](https://vuldb.com/?actor.bitter). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.bitter](https://vuldb.com/?actor.bitter)
@ -43,9 +43,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

6
Bublik/README.md
View File

@ -1,6 +1,6 @@
# Bublik - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Bublik](https://vuldb.com/?actor.bublik). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Bublik](https://vuldb.com/?actor.bublik). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.bublik](https://vuldb.com/?actor.bublik)
@ -27,9 +27,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

2
Bunse/README.md
View File

@ -51,4 +51,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

45
Chalubo/README.md Normal file
View File

@ -0,0 +1,45 @@
# Chalubo - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Chalubo](https://vuldb.com/?actor.chalubo). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.chalubo](https://vuldb.com/?actor.chalubo)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Chalubo:
* CN
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Chalubo.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 103.27.185.139 | - | High
2 | 103.82.143.51 | - | High
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Chalubo. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://twitter.com/zom3y3/status/1229258375189262336
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

72
Charming Kitten/README.md
View File

@ -1,6 +1,6 @@
# Charming Kitten - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Charming Kitten](https://vuldb.com/?actor.charming_kitten). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Charming Kitten](https://vuldb.com/?actor.charming_kitten). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.charming_kitten](https://vuldb.com/?actor.charming_kitten)
@ -8,12 +8,12 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Charming Kitten:
* US
* NL
* ES
* CN
* US
* ...
There are 17 more country items available. Please use our online service to access the data.
There are 23 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -40,10 +40,11 @@ ID | IP address | Hostname | Confidence
17 | 51.254.254.217 | me14.mecide.com | High
18 | 51.255.28.57 | - | High
19 | 54.36.217.8 | ip8.ip-54-36-217.eu | High
20 | 54.37.164.254 | ip254.ip-54-37-164.eu | High
21 | ... | ... | ...
20 | 54.37.164.254 | - | High
21 | 69.30.221.126 | - | High
22 | ... | ... | ...
There are 87 more IOC items available. Please use our online service to access the data.
There are 86 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -51,11 +52,10 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1040 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | Cross Site Scripting | High
3 | T1068 | Execution with Unnecessary Privileges | High
4 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
5 | ... | ... | ...
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 7 more TTP items available. Please use our online service to access the data.
@ -65,19 +65,39 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `'phpshell.php` | High
2 | File | `..\WWWRoot\CustomPages\aspshell.asp` | High
3 | File | `/about-us/locations/index` | High
4 | File | `/admin/` | Low
5 | File | `/admin/account/changepassword` | High
6 | File | `/admin/index.php` | High
7 | File | `/admin/pin/websitepin` | High
8 | File | `/admin_giant/add_gallery.php` | High
9 | File | `/admin_giant/add_team_member.php` | High
10 | File | `/api/addusers` | High
11 | ... | ... | ...
1 | File | `.travis.yml` | Medium
2 | File | `/.env` | Low
3 | File | `/?module=users&section=cpanel&page=list` | High
4 | File | `/admin.php` | Medium
5 | File | `/admin/powerline` | High
6 | File | `/admin/syslog` | High
7 | File | `/api/upload` | Medium
8 | File | `/cgi-bin` | Medium
9 | File | `/context/%2e/WEB-INF/web.xml` | High
10 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
11 | File | `/medical/inventories.php` | High
12 | File | `/monitoring` | Medium
13 | File | `/new` | Low
14 | File | `/plugins/servlet/audit/resource` | High
15 | File | `/plugins/servlet/project-config/PROJECT/roles` | High
16 | File | `/proc/<pid>/status` | High
17 | File | `/public/plugins/` | High
18 | File | `/replication` | Medium
19 | File | `/RestAPI` | Medium
20 | File | `/scripts/killpvhost` | High
21 | File | `/secure/QueryComponent!Default.jspa` | High
22 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
23 | File | `/tmp` | Low
24 | File | `/tmp/redis.ds` | High
25 | File | `/uncpath/` | Medium
26 | File | `/var/log/nginx` | High
27 | File | `/wp-admin` | Medium
28 | File | `/wp-json/wc/v3/webhooks` | High
29 | File | `actions/CompanyDetailsSave.php` | High
30 | File | `ActiveServices.java` | High
31 | ... | ... | ...
There are 1236 more IOA items available. Please use our online service to access the data.
There are 260 more IOA items available. Please use our online service to access the data.
## References
@ -91,9 +111,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

20
Chimera/README.md
View File

@ -1,6 +1,6 @@
# Chimera - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Chimera](https://vuldb.com/?actor.chimera). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Chimera](https://vuldb.com/?actor.chimera). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.chimera](https://vuldb.com/?actor.chimera)
@ -25,12 +25,9 @@ ID | IP address | Hostname | Confidence
2 | 5.254.64.234 | - | High
3 | 5.254.112.226 | - | High
4 | 14.229.140.66 | static.vnpt.vn | High
5 | 23.236.77.94 | - | High
6 | 39.109.5.135 | - | High
7 | 43.250.200.106 | - | High
8 | ... | ... | ...
5 | ... | ... | ...
There are 13 more IOC items available. Please use our online service to access the data.
There are 16 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -61,9 +58,12 @@ ID | Type | Indicator | Confidence
8 | File | `admin/index.php?n=ui_set&m=admin&c=index&a=doget_text_content&table=lang&field=1` | High
9 | File | `administrator/components/com_media/helpers/media.php` | High
10 | File | `APPFLT.SYS` | Medium
11 | ... | ... | ...
11 | File | `auth-gss2.c` | Medium
12 | File | `authors.pwd` | Medium
13 | File | `CFIDE/componentutils/cfcexplorer.cfc` | High
14 | ... | ... | ...
There are 115 more IOA items available. Please use our online service to access the data.
There are 113 more IOA items available. Please use our online service to access the data.
## References
@ -76,9 +76,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

18
DEV-0322/README.md
View File

@ -27,11 +27,9 @@ ID | IP address | Hostname | Confidence
1 | 24.64.36.238 | mail.target-realty.com | High
2 | 45.63.62.109 | 45.63.62.109.vultr.com | Medium
3 | 45.76.173.103 | 45.76.173.103.vultr.com | Medium
4 | 45.77.121.232 | 45.77.121.232.vultr.com | Medium
5 | 66.42.98.156 | 66.42.98.156.vultr.com | Medium
6 | ... | ... | ...
4 | ... | ... | ...
There are 9 more IOC items available. Please use our online service to access the data.
There are 11 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -56,15 +54,9 @@ ID | Type | Indicator | Confidence
2 | File | `data/gbconfiguration.dat` | High
3 | File | `flow.php` | Medium
4 | File | `goform/setUsbUnload` | High
5 | File | `HTTPServerILServlet.java` | High
6 | File | `login_meeting.cgi` | High
7 | File | `manager.c` | Medium
8 | File | `options.cpp` | Medium
9 | File | `redir.php` | Medium
10 | File | `register.php` | Medium
11 | ... | ... | ...
5 | ... | ... | ...
There are 21 more IOA items available. Please use our online service to access the data.
There are 27 more IOA items available. Please use our online service to access the data.
## References
@ -82,4 +74,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

13
DanaBot/README.md
View File

@ -1,6 +1,6 @@
# DanaBot - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [DanaBot](https://vuldb.com/?actor.danabot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DanaBot](https://vuldb.com/?actor.danabot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.danabot](https://vuldb.com/?actor.danabot)
@ -24,10 +24,9 @@ ID | IP address | Hostname | Confidence
1 | 5.8.55.205 | carpbaboon.com | High
2 | 31.214.157.12 | mail.private-mail.nl | High
3 | 47.74.130.165 | - | High
4 | 149.154.157.106 | 106.157.154.149.in-addr.arpa | High
5 | ... | ... | ...
4 | ... | ... | ...
There are 8 more IOC items available. Please use our online service to access the data.
There are 9 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -60,7 +59,7 @@ ID | Type | Indicator | Confidence
10 | File | `admin/user.php?form=update_f&user_name` | High
11 | ... | ... | ...
There are 80 more IOA items available. Please use our online service to access the data.
There are 81 more IOA items available. Please use our online service to access the data.
## References
@ -72,9 +71,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

21
Dark Caracal/README.md
View File

@ -1,6 +1,6 @@
# Dark Caracal - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Dark Caracal](https://vuldb.com/?actor.dark_caracal). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dark Caracal](https://vuldb.com/?actor.dark_caracal). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.dark_caracal](https://vuldb.com/?actor.dark_caracal)
@ -10,10 +10,10 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* CZ
* US
* FR
* CN
* ...
There are 3 more country items available. Please use our online service to access the data.
There are 5 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -47,16 +47,9 @@ ID | Type | Indicator | Confidence
1 | File | `/apply.cgi` | Medium
2 | File | `apply.cgi` | Medium
3 | File | `data/gbconfiguration.dat` | High
4 | File | `inc/config.php` | High
5 | File | `ipp.c` | Low
6 | File | `product_desc.php` | High
7 | File | `software-description.php` | High
8 | File | `system/admin/dash_additem.php` | High
9 | File | `wp-admin/post.php` | High
10 | Argument | `basePath` | Medium
11 | ... | ... | ...
4 | ... | ... | ...
There are 11 more IOA items available. Please use our online service to access the data.
There are 22 more IOA items available. Please use our online service to access the data.
## References
@ -68,9 +61,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

14
DarkHydrus/README.md
View File

@ -1,6 +1,6 @@
# DarkHydrus - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [DarkHydrus](https://vuldb.com/?actor.darkhydrus). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [DarkHydrus](https://vuldb.com/?actor.darkhydrus). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.darkhydrus](https://vuldb.com/?actor.darkhydrus)
@ -51,13 +51,9 @@ ID | Type | Indicator | Confidence
4 | File | `4.3.0.CP04` | Medium
5 | File | `addentry.php` | Medium
6 | File | `add_comment.php` | High
7 | File | `comment_add.asp` | High
8 | File | `data/gbconfiguration.dat` | High
9 | File | `download.php` | Medium
10 | File | `goto.php` | Medium
11 | ... | ... | ...
7 | ... | ... | ...
There are 36 more IOA items available. Please use our online service to access the data.
There are 46 more IOA items available. Please use our online service to access the data.
## References
@ -72,9 +68,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

2
Darkode/README.md
View File

@ -51,4 +51,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

19
Dofoil/README.md
View File

@ -1,6 +1,6 @@
# Dofoil - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Dofoil](https://vuldb.com/?actor.dofoil). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dofoil](https://vuldb.com/?actor.dofoil). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.dofoil](https://vuldb.com/?actor.dofoil)
@ -26,13 +26,9 @@ ID | IP address | Hostname | Confidence
3 | 23.6.24.15 | a23-6-24-15.deploy.static.akamaitechnologies.com | High
4 | 23.6.65.194 | a23-6-65-194.deploy.static.akamaitechnologies.com | High
5 | 23.209.185.159 | a23-209-185-159.deploy.static.akamaitechnologies.com | High
6 | 27.100.36.191 | - | High
7 | 45.63.25.55 | 45.63.25.55.vultr.com | Medium
8 | 50.3.75.246 | web.netkolik.org | High
9 | 50.21.183.63 | - | High
10 | ... | ... | ...
6 | ... | ... | ...
There are 16 more IOC items available. Please use our online service to access the data.
There are 20 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -59,10 +55,9 @@ ID | Type | Indicator | Confidence
7 | File | `catalog.asp` | Medium
8 | File | `dapur/index.php` | High
9 | File | `data/gbconfiguration.dat` | High
10 | File | `dc_categorieslist.asp` | High
11 | ... | ... | ...
10 | ... | ... | ...
There are 69 more IOA items available. Please use our online service to access the data.
There are 79 more IOA items available. Please use our online service to access the data.
## References
@ -74,9 +69,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

6
Dokkaebi/README.md
View File

@ -1,6 +1,6 @@
# Dokkaebi - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Dokkaebi](https://vuldb.com/?actor.dokkaebi). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dokkaebi](https://vuldb.com/?actor.dokkaebi). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.dokkaebi](https://vuldb.com/?actor.dokkaebi)
@ -22,9 +22,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

77
Donot/README.md
View File

@ -1,19 +1,26 @@
# Donot - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Donot](https://vuldb.com/?actor.donot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Donot](https://vuldb.com/?actor.donot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.donot](https://vuldb.com/?actor.donot)
## Campaigns
The following campaigns are known and can be associated with Donot:
* DarkMusical
* Gedit
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Donot:
* US
* DE
* CA
* TR
* GB
* ...
There are 17 more country items available. Please use our online service to access the data.
There are 18 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -23,22 +30,16 @@ ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.135.19.26 | - | High
2 | 5.135.199.0 | - | High
3 | 37.120.140.211 | - | High
4 | 37.139.3.130 | - | High
5 | 37.139.28.208 | - | High
6 | 45.33.29.133 | li1046-133.members.linode.com | High
7 | 46.101.204.168 | - | High
8 | 46.105.40.12 | ip12.ip-46-105-40.eu | High
9 | 66.42.75.101 | 66.42.75.101.vultr.com | Medium
10 | 72.14.188.71 | li54-71.members.linode.com | High
11 | 77.244.211.55 | www21.wricko.net | High
12 | 82.196.7.221 | - | High
13 | 85.204.74.117 | - | High
14 | 89.33.246.99 | - | High
15 | 95.85.15.131 | - | High
16 | ... | ... | ...
3 | 37.48.122.145 | - | High
4 | 37.120.140.211 | - | High
5 | 37.120.198.208 | - | High
6 | 37.139.3.130 | - | High
7 | 37.139.28.208 | - | High
8 | 45.33.29.133 | li1046-133.members.linode.com | High
9 | 46.101.204.168 | - | High
10 | ... | ... | ...
There are 28 more IOC items available. Please use our online service to access the data.
There are 38 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -51,7 +52,7 @@ ID | Technique | Description | Confidence
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 5 more TTP items available. Please use our online service to access the data.
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -61,31 +62,43 @@ ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/bin/login.php` | High
3 | File | `/de/cgi/dfs_guest/` | High
4 | File | `/htmlcode/html/indexdefault.asp` | High
5 | File | `/out.php` | Medium
6 | File | `/products/details.asp` | High
7 | File | `/uncpath/` | Medium
8 | File | `/var/www/xms/application/config/config.php` | High
9 | File | `/var/www/xms/application/controllers/gatherLogs.php` | High
10 | File | `/var/www/xms/application/controllers/verifyLogin.php` | High
11 | ... | ... | ...
3 | File | `/Category` | Medium
4 | File | `/de/cgi/dfs_guest/` | High
5 | File | `/event/runquery.do` | High
6 | File | `/htmlcode/html/indexdefault.asp` | High
7 | File | `/out.php` | Medium
8 | File | `/products/details.asp` | High
9 | File | `/system/ws/v11/ss/email` | High
10 | File | `/uncpath/` | Medium
11 | File | `/var/www/xms/application/config/config.php` | High
12 | File | `/var/www/xms/application/controllers/gatherLogs.php` | High
13 | File | `/var/www/xms/application/controllers/verifyLogin.php` | High
14 | File | `/var/www/xms/cleanzip.sh` | High
15 | File | `/wp-admin/admin-ajax.php` | High
16 | File | `adclick.php` | Medium
17 | File | `addentry.php` | Medium
18 | File | `admin/user.php` | High
19 | File | `agent.cfg` | Medium
20 | File | `api/admin/role/save` | High
21 | File | `app/controllers/application_controller.rb` | High
22 | ... | ... | ...
There are 132 more IOA items available. Please use our online service to access the data.
There are 181 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://github.com/faisalusuf/ThreatIntelligence/blob/main/APT%20DONOT%20TEAM/Tracking-DONOT-IOCs.csv
* https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

6
Dragonfly 2.0/README.md
View File

@ -1,6 +1,6 @@
# Dragonfly 2.0 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Dragonfly 2.0](https://vuldb.com/?actor.dragonfly_2.0). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dragonfly 2.0](https://vuldb.com/?actor.dragonfly_2.0). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.dragonfly_2.0](https://vuldb.com/?actor.dragonfly_2.0)
@ -24,9 +24,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

36
Dragonfly/README.md
View File

@ -1,6 +1,6 @@
# Dragonfly - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Dragonfly](https://vuldb.com/?actor.dragonfly). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Dragonfly](https://vuldb.com/?actor.dragonfly). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.dragonfly](https://vuldb.com/?actor.dragonfly)
@ -15,8 +15,8 @@ The following campaigns are known and can be associated with Dragonfly:
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Dragonfly:
* US
* RU
* GB
* RU
* ...
There are 6 more country items available. Please use our online service to access the data.
@ -32,12 +32,9 @@ ID | IP address | Hostname | Confidence
3 | 5.196.167.184 | ip184.ip-5-196-167.eu | High
4 | 37.139.7.16 | - | High
5 | 51.159.28.101 | 51-159-28-101.rev.poneytelecom.eu | High
6 | 61.78.34.179 | - | High
7 | 91.183.104.150 | remote.degeest-audit.be | High
8 | 91.227.68.97 | www.socenter.ru | High
9 | ... | ... | ...
6 | ... | ... | ...
There are 15 more IOC items available. Please use our online service to access the data.
There are 18 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -59,18 +56,17 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/cgi-bin/system_mgr.cgi` | High
2 | File | `/inc/HTTPClient.php` | High
3 | File | `/s/` | Low
4 | File | `/uncpath/` | Medium
5 | File | `/wbg/core/_includes/authorization.inc.php` | High
6 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
7 | File | `admin/import/class-import-settings.php` | High
8 | File | `ajax/comments.php` | High
9 | File | `architext.conf` | High
10 | File | `attachment_send.php` | High
11 | ... | ... | ...
2 | File | `/s/` | Low
3 | File | `/uncpath/` | Medium
4 | File | `/wbg/core/_includes/authorization.inc.php` | High
5 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
6 | File | `admin/import/class-import-settings.php` | High
7 | File | `ajax/comments.php` | High
8 | File | `architext.conf` | High
9 | File | `attachment_send.php` | High
10 | ... | ... | ...
There are 85 more IOA items available. Please use our online service to access the data.
There are 79 more IOA items available. Please use our online service to access the data.
## References
@ -86,9 +82,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

176
Emotet/README.md
View File

@ -8,12 +8,12 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Emotet:
* US
* VN
* CN
* ES
* US
* ...
There are 40 more country items available. Please use our online service to access the data.
There are 5 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -21,29 +21,114 @@ These indicators of compromise indicate associated network ressources which are
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 1.226.84.243 | - | High
2 | 2.58.16.86 | - | High
3 | 2.58.16.89 | - | High
4 | 2.82.75.215 | bl21-75-215.dsl.telepac.pt | High
5 | 5.2.84.232 | momos.alastyr.com | High
6 | 5.2.136.90 | static-5-2-136-90.rdsnet.ro | High
7 | 5.2.182.7 | static-5-2-182-7.rdsnet.ro | High
8 | 5.2.212.254 | static-5-2-212-254.rdsnet.ro | High
9 | 5.12.246.155 | 5-12-246-155.residential.rdsnet.ro | High
10 | 5.39.91.110 | ns3278366.ip-5-39-91.eu | High
11 | 5.79.70.250 | - | High
12 | 5.89.33.136 | net-5-89-33-136.cust.vodafonedsl.it | High
13 | 5.196.35.138 | vps10.open-techno.net | High
14 | 5.230.193.41 | casagarcia-web.sys.netzfabrik.eu | High
15 | 8.4.9.137 | onlinehorizons.net | High
16 | 12.162.84.2 | - | High
17 | 12.163.208.58 | - | High
18 | 12.184.217.101 | - | High
19 | 23.6.65.194 | a23-6-65-194.deploy.static.akamaitechnologies.com | High
20 | 23.36.85.183 | a23-36-85-183.deploy.static.akamaitechnologies.com | High
21 | ... | ... | ...
1 | 1.186.249.82 | 1.186.249.82.dvois.com | High
2 | 1.226.84.243 | - | High
3 | 2.58.16.86 | - | High
4 | 2.58.16.89 | - | High
5 | 2.82.75.215 | bl21-75-215.dsl.telepac.pt | High
6 | 5.2.84.232 | momos.alastyr.com | High
7 | 5.2.136.90 | static-5-2-136-90.rdsnet.ro | High
8 | 5.2.182.7 | static-5-2-182-7.rdsnet.ro | High
9 | 5.2.212.254 | static-5-2-212-254.rdsnet.ro | High
10 | 5.12.246.155 | 5-12-246-155.residential.rdsnet.ro | High
11 | 5.39.91.110 | ns3278366.ip-5-39-91.eu | High
12 | 5.79.70.250 | - | High
13 | 5.89.33.136 | net-5-89-33-136.cust.vodafonedsl.it | High
14 | 5.196.35.138 | vps10.open-techno.net | High
15 | 5.230.193.41 | casagarcia-web.sys.netzfabrik.eu | High
16 | 8.4.9.137 | host-8-4-9-137.onlinehorizons.net | High
17 | 12.32.68.154 | mail.sealscoinc.com | High
18 | 12.149.72.170 | - | High
19 | 12.162.84.2 | - | High
20 | 12.163.208.58 | - | High
21 | 12.182.146.226 | - | High
22 | 12.184.217.101 | - | High
23 | 23.6.65.194 | a23-6-65-194.deploy.static.akamaitechnologies.com | High
24 | 23.36.85.183 | a23-36-85-183.deploy.static.akamaitechnologies.com | High
25 | 23.199.63.11 | a23-199-63-11.deploy.static.akamaitechnologies.com | High
26 | 23.199.71.185 | a23-199-71-185.deploy.static.akamaitechnologies.com | High
27 | 23.239.2.11 | li683-11.members.linode.com | High
28 | 24.43.99.75 | rrcs-24-43-99-75.west.biz.rr.com | High
29 | 24.101.229.82 | dynamic-acs-24-101-229-82.zoominternet.net | High
30 | 24.119.116.230 | 24-119-116-230.cpe.sparklight.net | High
31 | 24.121.176.48 | 24-121-176-48.prkrcmtc01.com.sta.suddenlink.net | High
32 | 24.137.76.62 | host-24-137-76-62.public.eastlink.ca | High
33 | 24.178.90.49 | 024-178-090-049.res.spectrum.com | High
34 | 24.179.13.119 | 024-179-013-119.res.spectrum.com | High
35 | 24.217.117.217 | 024-217-117-217.res.spectrum.com | High
36 | 24.232.228.233 | OL233-228.fibertel.com.ar | High
37 | 24.244.177.40 | - | High
38 | 27.78.27.110 | localhost | High
39 | 27.82.13.10 | KD027082013010.ppp-bb.dion.ne.jp | High
40 | 27.109.24.214 | - | High
41 | 27.114.9.93 | i27-114-9-93.s41.a011.ap.plala.or.jp | High
42 | 36.91.44.183 | - | High
43 | 37.46.129.215 | we-too.ru | High
44 | 37.97.135.82 | 37-97-135-82.colo.transip.net | High
45 | 37.139.21.175 | 37.139.21.175-e2-8080-keep-up | High
46 | 37.179.204.33 | - | High
47 | 37.187.4.178 | ks2.kku.io | High
48 | 37.187.57.57 | ns3357940.ovh.net | High
49 | 37.187.72.193 | ns3362285.ip-37-187-72.eu | High
50 | 37.187.161.206 | toolbox.alabs.io | High
51 | 37.205.9.252 | s1.ithelp24.eu | High
52 | 37.221.70.250 | b2b-customer.inftele.net | High
53 | 41.169.36.237 | - | High
54 | 41.185.28.84 | brf01-nix01.wadns.net | High
55 | 41.185.29.128 | abp79-nix01.wadns.net | High
56 | 41.231.225.139 | - | High
57 | 42.62.40.103 | - | High
58 | 45.16.226.117 | 45-16-226-117.lightspeed.sndgca.sbcglobal.net | High
59 | 45.33.77.42 | li1023-42.members.linode.com | High
60 | 45.46.37.97 | cpe-45-46-37-97.maine.res.rr.com | High
61 | 45.55.36.51 | - | High
62 | 45.55.219.163 | - | High
63 | 45.79.95.107 | li1194-107.members.linode.com | High
64 | 45.230.45.171 | - | High
65 | 46.4.100.178 | support.wizard-shopservice.de | High
66 | 46.4.192.185 | static.185.192.4.46.clients.your-server.de | High
67 | 46.28.111.142 | enkindu.jsuchy.net | High
68 | 46.32.229.152 | 094882.vps-10.com | High
69 | 46.32.233.226 | yetitoolusa.com | High
70 | 46.38.238.8 | v2202109122001163131.happysrv.de | High
71 | 46.43.2.95 | chris.default.cjenkinson.uk0.bigv.io | High
72 | 46.101.58.37 | 46.101.58.37-e1-8080 | High
73 | 46.105.81.76 | myu0.cylipo.sbs | High
74 | 46.105.114.137 | ns3188253.ip-46-105-114.eu | High
75 | 46.105.131.68 | http.adven.fr | High
76 | 46.105.131.79 | relay.adven.fr | High
77 | 46.105.131.87 | pop.adven.fr | High
78 | 46.165.254.206 | - | High
79 | 47.36.140.164 | 047-036-140-164.res.spectrum.com | High
80 | 47.146.39.147 | - | High
81 | 47.188.131.94 | - | High
82 | 49.12.121.47 | filezilla-project.org | High
83 | 49.50.209.131 | 131.host-49-50-209.euba.megatel.co.nz | High
84 | 49.212.135.76 | os3-321-50322.vs.sakura.ne.jp | High
85 | 49.212.155.94 | os3-325-52340.vs.sakura.ne.jp | High
86 | 50.28.51.143 | - | High
87 | 50.31.146.101 | mail.brillinjurylaw.com | High
88 | 50.91.114.38 | 050-091-114-038.res.spectrum.com | High
89 | 50.116.78.109 | intersearchmedia.com | High
90 | 50.245.107.73 | 50-245-107-73-static.hfc.comcastbusiness.net | High
91 | 51.15.7.145 | 51-15-7-145.rev.poneytelecom.eu | High
92 | 51.75.33.127 | ip127.ip-51-75-33.eu | High
93 | 51.89.36.180 | ip180.ip-51-89-36.eu | High
94 | 51.89.199.141 | ip141.ip-51-89-199.eu | High
95 | 51.255.165.160 | 160.ip-51-255-165.eu | High
96 | 54.38.143.245 | tools.inovato.me | High
97 | 58.27.215.3 | 58-27-215-3.wateen.net | High
98 | 58.94.58.13 | i58-94-58-13.s41.a014.ap.plala.or.jp | High
99 | 59.148.253.194 | 059148253194.ctinets.com | High
100 | 60.93.23.51 | softbank060093023051.bbtec.net | High
101 | 60.108.128.186 | softbank060108128186.bbtec.net | High
102 | 60.125.114.64 | softbank060125114064.bbtec.net | High
103 | 60.249.78.226 | 60-249-78-226.hinet-ip.hinet.net | High
104 | 61.19.246.238 | - | High
105 | 62.30.7.67 | 67.7-30-62.static.virginmediabusiness.co.uk | High
106 | ... | ... | ...
There are 425 more IOC items available. Please use our online service to access the data.
There are 419 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -54,9 +139,7 @@ ID | Technique | Description | Confidence
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | T1222 | Permission Issues | High
6 | ... | ... | ...
4 | ... | ... | ...
There are 9 more TTP items available. Please use our online service to access the data.
@ -66,19 +149,28 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `..\WWWRoot\CustomPages\aspshell.asp` | High
2 | File | `/.env` | Low
3 | File | `/.ssh/authorized_keys` | High
4 | File | `/accounts/password_change/` | High
5 | File | `/admin/` | Low
6 | File | `/admin/account/changepassword` | High
7 | File | `/admin/account/changeprofileimage` | High
8 | File | `/admin/account/clearcache` | High
9 | File | `/admin/cms.php` | High
10 | File | `/admin/communitymanagement.php` | High
11 | ... | ... | ...
1 | File | `./clients/client` | High
2 | File | `/?ajax-request=jnews` | High
3 | File | `/assets/ctx` | Medium
4 | File | `/config/getuser` | High
5 | File | `/core/table/query` | High
6 | File | `/dev/ion` | Medium
7 | File | `/ecma/operations/ecma-objects.c` | High
8 | File | `/enduserreg` | Medium
9 | File | `/forum/away.php` | High
10 | File | `/GetCopiedFile` | High
11 | File | `/goform/activate_process` | High
12 | File | `/hdf5/src/H5T.c` | High
13 | File | `/jerry-core/ecma/base/ecma-gc.c` | High
14 | File | `/jerry-core/ecma/base/ecma-helpers-conversion.c` | High
15 | File | `/jerry-core/ecma/base/ecma-lcache.c` | High
16 | File | `/jerry-core/ecma/operations/ecma-objects.c` | High
17 | File | `/jerry-core/vm/vm.c` | High
18 | File | `/mobile/SelectUsers.jsp` | High
19 | File | `/ms/mdiy/model/importJson.do` | High
20 | ... | ... | ...
There are 736 more IOA items available. Please use our online service to access the data.
There are 166 more IOA items available. Please use our online service to access the data.
## References
@ -94,7 +186,9 @@ The following list contains external sources which discuss the actor and the ass
* https://blog.talosintelligence.com/2021/10/threat-roundup-1022-1029.html
* https://blog.talosintelligence.com/2021/12/threat-roundup-1126-1203.html
* https://community.blueliv.com/#!/s/5fb2ee2482df413eaf344b29
* https://pastebin.com/uPn1zM6b
* https://unit42.paloaltonetworks.com/emotet-command-and-control/
* https://www.trendmicro.com/en_us/research/22/a/emotet-spam-abuses-unconventional-ip-address-formats-spread-malware.html
## Literature
@ -105,4 +199,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

34
Exchange Marauder/README.md
View File

@ -1,6 +1,6 @@
# Exchange Marauder - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Exchange Marauder](https://vuldb.com/?actor.exchange_marauder). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Exchange Marauder](https://vuldb.com/?actor.exchange_marauder). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.exchange_marauder](https://vuldb.com/?actor.exchange_marauder)
@ -28,13 +28,11 @@ These indicators of compromise indicate associated network ressources which are
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.254.43.18 | - | High
2 | 80.92.205.81 | vm224534.pq.hosting | High
2 | 80.92.205.81 | vm302679.pq.hosting | High
3 | 103.77.192.219 | - | High
4 | 104.140.114.110 | reflect59.kelptrade.com | High
5 | 104.250.191.110 | - | High
6 | ... | ... | ...
4 | ... | ... | ...
There are 8 more IOC items available. Please use our online service to access the data.
There are 10 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -55,19 +53,15 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php` | High
2 | File | `api_poller.php` | High
3 | File | `application/controllers/admin/dataentry.php` | High
4 | File | `cmd.php?cmd=login_form` | High
5 | File | `cng.sys` | Low
6 | File | `data/gbconfiguration.dat` | High
7 | File | `diag_command.php` | High
8 | File | `framework/db/ActiveRecord.php` | High
9 | File | `guestbook.cgi` | High
10 | File | `inc/config.php` | High
11 | ... | ... | ...
1 | File | `/filemanager/upload.php` | High
2 | File | `/usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php` | High
3 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
4 | File | `api_poller.php` | High
5 | File | `application/controllers/admin/dataentry.php` | High
6 | File | `cmd.php?cmd=login_form` | High
7 | ... | ... | ...
There are 38 more IOA items available. Please use our online service to access the data.
There are 45 more IOA items available. Please use our online service to access the data.
## References
@ -79,9 +73,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

15
FIN12/README.md
View File

@ -33,10 +33,10 @@ ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1222 | Permission Issues | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 2 more TTP items available. Please use our online service to access the data.
There are 5 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -54,9 +54,14 @@ ID | Type | Indicator | Confidence
8 | File | `/services/details.asp` | High
9 | File | `/thruk/#cgi-bin/extinfo.cgi?type=2` | High
10 | File | `/_core/profile/` | High
11 | ... | ... | ...
11 | File | `adclick.php` | Medium
12 | File | `additem.asp` | Medium
13 | File | `addsite.php` | Medium
14 | File | `admin/review.php` | High
15 | File | `AdvancedBluetoothDetailsHeaderController.java` | High
16 | ... | ... | ...
There are 122 more IOA items available. Please use our online service to access the data.
There are 124 more IOA items available. Please use our online service to access the data.
## References
@ -73,4 +78,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

117
FIN7/README.md
View File

@ -1,6 +1,6 @@
# FIN7 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [FIN7](https://vuldb.com/?actor.fin7). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FIN7](https://vuldb.com/?actor.fin7). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.fin7](https://vuldb.com/?actor.fin7)
@ -16,11 +16,11 @@ The following campaigns are known and can be associated with FIN7:
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with FIN7:
* US
* RU
* SE
* CN
* FR
* ...
There are 40 more country items available. Please use our online service to access the data.
There are 27 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -37,20 +37,43 @@ ID | IP address | Hostname | Confidence
7 | 5.61.32.118 | - | High
8 | 5.61.38.52 | - | High
9 | 5.135.73.113 | - | High
10 | 5.149.250.235 | mapleridge.org.uk | High
11 | 5.149.250.241 | - | High
10 | 5.149.250.235 | snigist.co.uk | High
11 | 5.149.250.241 | flipveranda.co.uk | High
12 | 5.149.252.144 | - | High
13 | 5.149.253.126 | - | High
14 | 5.188.10.102 | - | High
15 | 5.188.10.248 | - | High
16 | 5.199.169.188 | - | High
17 | 5.252.177.23 | 5-252-177-23.mivocloud.com | High
18 | 5.252.177.37 | 5-252-177-37.mivocloud.com | High
18 | 5.252.177.37 | no-rdns.mivocloud.com | High
19 | 8.28.175.68 | phoenixartisanacoutrements.com | High
20 | 23.83.133.119 | - | High
21 | ... | ... | ...
21 | 23.249.162.161 | - | High
22 | 31.7.61.136 | hosted-by.securefastserver.com | High
23 | 31.18.219.133 | ip1f12db85.dynamic.kabel-deutschland.de | High
24 | 31.131.17.125 | - | High
25 | 31.131.17.127 | automarinetechnology.com | High
26 | 31.131.17.128 | - | High
27 | 31.148.219.18 | - | High
28 | 31.148.219.44 | - | High
29 | 31.148.219.126 | - | High
30 | 31.148.219.141 | - | High
31 | 31.148.220.107 | - | High
32 | 31.148.220.215 | - | High
33 | 31.184.234.66 | - | High
34 | 31.184.234.71 | - | High
35 | 37.1.211.239 | ourdrops.org | High
36 | 37.1.215.4 | - | High
37 | 37.1.215.72 | - | High
38 | 37.235.54.48 | 48.54.235.37.in-addr.arpa | High
39 | 37.252.4.131 | - | High
40 | 45.77.60.230 | 45.77.60.230.vultr.com | Medium
41 | 45.77.204.130 | 45.77.204.130.vultr.com | Medium
42 | 45.87.152.64 | free.pq.hosting | High
43 | 45.133.216.25 | lisulisimp.example.com | High
44 | ... | ... | ...
There are 195 more IOC items available. Please use our online service to access the data.
There are 172 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -58,14 +81,12 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1040 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | Cross Site Scripting | High
3 | T1068 | Execution with Unnecessary Privileges | High
4 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
5 | T1211 | 7PK Security Features | High
6 | ... | ... | ...
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 10 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -73,19 +94,55 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/$({curl` | Medium
2 | File | `/+CSCOE+/logon.html` | High
3 | File | `/anony/mjpg.cgi` | High
4 | File | `/api/addusers` | High
5 | File | `/backupsettings.conf` | High
6 | File | `/bfd/pef.c` | Medium
7 | File | `/bin/boa` | Medium
8 | File | `/category.php` | High
9 | File | `/category_view.php` | High
10 | File | `/cms/print.php` | High
11 | ... | ... | ...
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/?module=users&section=cpanel&page=list` | High
3 | File | `/admin/powerline` | High
4 | File | `/admin/syslog` | High
5 | File | `/api/upload` | Medium
6 | File | `/assets/ctx` | Medium
7 | File | `/concat?/%2557EB-INF/web.xml` | High
8 | File | `/context/%2e/WEB-INF/web.xml` | High
9 | File | `/get_getnetworkconf.cgi` | High
10 | File | `/HNAP1` | Low
11 | File | `/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events` | High
12 | File | `/monitoring` | Medium
13 | File | `/new` | Low
14 | File | `/osm/REGISTER.cmd` | High
15 | File | `/proc/<pid>/status` | High
16 | File | `/public/plugins/` | High
17 | File | `/replication` | Medium
18 | File | `/secure/QueryComponent!Default.jspa` | High
19 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
20 | File | `/tmp` | Low
21 | File | `/type.php` | Medium
22 | File | `/uncpath/` | Medium
23 | File | `/wp-json/wc/v3/webhooks` | High
24 | File | `4.2.0.CP09` | Medium
25 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
26 | File | `actions/CompanyDetailsSave.php` | High
27 | File | `ActiveServices.java` | High
28 | File | `admin.color.php` | High
29 | File | `admin.cropcanvas.php` | High
30 | File | `admin.joomlaradiov5.php` | High
31 | File | `admin.php` | Medium
32 | File | `admin/?n=user&c=admin_user&a=doGetUserInfo` | High
33 | File | `admin/add-glossary.php` | High
34 | File | `admin/conf_users_edit.php` | High
35 | File | `admin/edit-comments.php` | High
36 | File | `admin/src/containers/InputModalStepperProvider/index.js` | High
37 | File | `admin/write-post.php` | High
38 | File | `administrator/components/com_media/helpers/media.php` | High
39 | File | `admin_events.php` | High
40 | File | `AjaxApplication.java` | High
41 | File | `akocomments.php` | High
42 | File | `allopass-error.php` | High
43 | File | `AllowBindAppWidgetActivity.java` | High
44 | File | `AndroidManifest.xml` | High
45 | File | `AnnotateActivity.java` | High
46 | File | `announcement.php` | High
47 | ... | ... | ...
There are 614 more IOA items available. Please use our online service to access the data.
There are 404 more IOA items available. Please use our online service to access the data.
## References
@ -103,9 +160,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

19
FIN8/README.md
View File

@ -1,6 +1,6 @@
# FIN8 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [FIN8](https://vuldb.com/?actor.fin8). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [FIN8](https://vuldb.com/?actor.fin8). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.fin8](https://vuldb.com/?actor.fin8)
@ -29,7 +29,7 @@ ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 104.168.145.204 | hwsrv-836597.hostwindsdns.com | High
2 | 104.168.237.21 | hwsrv-850035.hostwindsdns.com | High
3 | 192.52.167.199 | mx312.linespree.net | High
3 | 192.52.167.199 | mx312.punkchaine.net | High
4 | ... | ... | ...
There are 2 more IOC items available. Please use our online service to access the data.
@ -52,16 +52,9 @@ ID | Type | Indicator | Confidence
1 | File | `addentry.php` | Medium
2 | File | `add_comment.php` | High
3 | File | `admin/index.php` | High
4 | File | `comment_add.asp` | High
5 | File | `data/gbconfiguration.dat` | High
6 | File | `email.php` | Medium
7 | File | `import.php` | Medium
8 | File | `inc/config.php` | High
9 | File | `register.asp` | Medium
10 | File | `register.php` | Medium
11 | ... | ... | ...
4 | ... | ... | ...
There are 13 more IOA items available. Please use our online service to access the data.
There are 20 more IOA items available. Please use our online service to access the data.
## References
@ -74,9 +67,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

13
FontOnLake/README.md
View File

@ -41,16 +41,9 @@ ID | Type | Indicator | Confidence
1 | File | `/s/` | Low
2 | File | `AdminbaseController.class.php` | High
3 | File | `application\User\Controller\ProfileController.class.php` | High
4 | File | `exif.c` | Low
5 | File | `htimage.exe` | Medium
6 | File | `libbfd.c` | Medium
7 | File | `opncls.c` | Medium
8 | Library | `gdrv.sys` | Medium
9 | Argument | `-m/-c` | Low
10 | Argument | `imgurl` | Low
11 | ... | ... | ...
4 | ... | ... | ...
There are 5 more IOA items available. Please use our online service to access the data.
There are 12 more IOA items available. Please use our online service to access the data.
## References
@ -67,4 +60,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

6
Foudre/README.md
View File

@ -1,6 +1,6 @@
# Foudre - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Foudre](https://vuldb.com/?actor.foudre). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Foudre](https://vuldb.com/?actor.foudre). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.foudre](https://vuldb.com/?actor.foudre)
@ -22,9 +22,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

2
Fqnx/README.md
View File

@ -28,4 +28,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

10
GMERA/README.md
View File

@ -1,6 +1,6 @@
# GMERA - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [GMERA](https://vuldb.com/?actor.gmera). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [GMERA](https://vuldb.com/?actor.gmera). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.gmera](https://vuldb.com/?actor.gmera)
@ -46,7 +46,9 @@ ID | Type | Indicator | Confidence
1 | File | `view/file/index.php` | High
2 | Argument | `$_REQUEST['path']` | High
3 | Argument | `__CSRFTOKEN` | Medium
4 | Input Value | `12345678` | Medium
4 | ... | ... | ...
There are 1 more IOA items available. Please use our online service to access the data.
## References
@ -58,9 +60,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

27
Gamaredon/README.md
View File

@ -1,6 +1,6 @@
# Gamaredon - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Gamaredon](https://vuldb.com/?actor.gamaredon). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Gamaredon](https://vuldb.com/?actor.gamaredon). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.gamaredon](https://vuldb.com/?actor.gamaredon)
@ -9,8 +9,8 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gamaredon:
* RU
* CN
* LY
* US
* ...
There are 2 more country items available. Please use our online service to access the data.
@ -21,12 +21,12 @@ These indicators of compromise indicate associated network ressources which are
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 141.8.195.60 | ullir.from.sh | High
2 | 142.93.110.250 | - | High
3 | 176.57.215.115 | 296606-cl92049.tmweb.ru | High
1 | 2.59.41.5 | vds-sizaus.timeweb.ru | High
2 | 141.8.195.60 | ullir.from.sh | High
3 | 142.93.110.250 | - | High
4 | ... | ... | ...
There are 4 more IOC items available. Please use our online service to access the data.
There are 5 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -47,13 +47,9 @@ ID | Type | Indicator | Confidence
1 | File | `/manager?action=getlogcat` | High
2 | File | `/var/log/nginx` | High
3 | File | `index.php` | Medium
4 | File | `namazu.cgi` | Medium
5 | File | `wp-login.php` | Medium
6 | Library | `vpnapi.dll` | Medium
7 | Argument | `HOST` | Low
8 | Argument | `priority` | Medium
9 | Argument | `Referer` | Low
10 | Input Value | `1" onmouseover=prompt(947671) bad="` | High
4 | ... | ... | ...
There are 7 more IOA items available. Please use our online service to access the data.
## References
@ -62,14 +58,15 @@ The following list contains external sources which discuss the actor and the ass
* https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/
* https://github.com/blackorbird/APT_REPORT/blob/master/Gamaredon/Gamaredon202102_ioc1000%2B.csv
* https://github.com/SentineLabs/Gamaredon-APT/blob/master/2020-02-04-gamaredon-blog-iocs-vk.misp.csv
* https://pastebin.com/Vhb4KF5L
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

111
Gh0stRAT/README.md
View File

@ -9,11 +9,11 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Gh0stRAT:
* US
* ES
* FR
* VN
* CN
* ...
There are 5 more country items available. Please use our online service to access the data.
There are 16 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -22,28 +22,30 @@ These indicators of compromise indicate associated network ressources which are
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 13.249.38.69 | server-13-249-38-69.iad89.r.cloudfront.net | High
2 | 36.43.74.215 | - | High
3 | 36.46.114.54 | - | High
4 | 39.109.1.246 | - | High
5 | 42.51.192.3 | - | High
6 | 43.226.152.12 | - | High
7 | 43.226.159.201 | - | High
8 | 45.119.125.223 | - | High
9 | 45.195.203.97 | - | High
10 | 45.253.67.78 | - | High
11 | 47.93.52.188 | - | High
12 | 47.93.245.163 | - | High
13 | 47.95.233.18 | - | High
14 | 47.111.82.157 | - | High
15 | 47.112.30.91 | - | High
16 | 58.218.66.21 | - | High
17 | 58.218.67.245 | - | High
18 | 58.218.199.225 | - | High
19 | 58.221.47.41 | - | High
20 | 58.221.47.47 | - | High
21 | ... | ... | ...
2 | 20.42.65.92 | - | High
3 | 20.189.173.22 | - | High
4 | 36.43.74.215 | - | High
5 | 36.46.114.54 | - | High
6 | 39.109.1.246 | - | High
7 | 42.51.192.3 | - | High
8 | 43.226.152.12 | - | High
9 | 43.226.159.201 | - | High
10 | 45.119.125.223 | - | High
11 | 45.195.203.97 | - | High
12 | 45.253.67.78 | - | High
13 | 47.93.52.188 | - | High
14 | 47.93.245.163 | - | High
15 | 47.95.233.18 | - | High
16 | 47.111.82.157 | - | High
17 | 47.112.30.91 | - | High
18 | 52.168.117.173 | - | High
19 | 52.182.143.212 | - | High
20 | 58.218.66.21 | - | High
21 | 58.218.67.245 | - | High
22 | 58.218.199.225 | - | High
23 | ... | ... | ...
There are 77 more IOC items available. Please use our online service to access the data.
There are 87 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -53,11 +55,10 @@ ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1222 | Permission Issues | High
4 | T1499 | Resource Consumption | High
5 | ... | ... | ...
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -65,19 +66,45 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/opt/IBM/es/lib/libffq.cryptionjni.so` | High
2 | File | `/router_info.xml` | High
3 | File | `add_comment.php` | High
4 | File | `admin/viewtheatre.php` | High
5 | File | `ajax_crons.php` | High
6 | File | `ajax_migration_cpanel.php` | High
7 | File | `banner_add_edit.asp` | High
8 | File | `cff/cffparse.c` | High
9 | File | `cfgexpand.c` | Medium
10 | File | `cng.sys` | Low
11 | ... | ... | ...
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/.env` | Low
3 | File | `/.ssh/authorized_keys` | High
4 | File | `/admin.php?&m=Public&a=login` | High
5 | File | `/ajax/networking/get_netcfg.php` | High
6 | File | `/car.php` | Medium
7 | File | `/concat?/%2557EB-INF/web.xml` | High
8 | File | `/config/getuser` | High
9 | File | `/dashboards/#` | High
10 | File | `/data/remove` | Medium
11 | File | `/etc/controller-agent/agent.conf` | High
12 | File | `/etc/postfix/sender_login` | High
13 | File | `/etc/sudoers` | Medium
14 | File | `/etc/tomcat8/Catalina/attack` | High
15 | File | `/filemanager/php/connector.php` | High
16 | File | `/forum/away.php` | High
17 | File | `/fudforum/adm/hlplist.php` | High
18 | File | `/GponForm/fsetup_Form` | High
19 | File | `/log_download.cgi` | High
20 | File | `/modules/profile/index.php` | High
21 | File | `/navigate/navigate_download.php` | High
22 | File | `/out.php` | Medium
23 | File | `/password.html` | High
24 | File | `/property-list/property_view.php` | High
25 | File | `/public/plugins/` | High
26 | File | `/rest/api/2/search` | High
27 | File | `/s/` | Low
28 | File | `/scripts/cpan_config` | High
29 | File | `/secure/QueryComponent!Default.jspa` | High
30 | File | `/server-info` | Medium
31 | File | `/tmp` | Low
32 | File | `/tmp/app/.env` | High
33 | File | `/tmp/kamailio_ctl` | High
34 | File | `/tmp/kamailio_fifo` | High
35 | File | `/ucms/index.php?do=list_edit` | High
36 | File | `/uncpath/` | Medium
37 | ... | ... | ...
There are 75 more IOA items available. Please use our online service to access the data.
There are 321 more IOA items available. Please use our online service to access the data.
## References
@ -95,6 +122,8 @@ The following list contains external sources which discuss the actor and the ass
* https://blog.talosintelligence.com/2021/09/threat-roundup-0917-0924.html
* https://blog.talosintelligence.com/2021/10/threat-roundup-0924-1001.html
* https://blog.talosintelligence.com/2021/10/threat-roundup-1001-1008.html
* https://blog.talosintelligence.com/2022/01/threat-roundup-0107-0114.html
* https://blog.talosintelligence.com/2022/01/threat-roundup-1231-0107.html
## Literature
@ -105,4 +134,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

26
Hafnium/README.md
View File

@ -1,6 +1,6 @@
# Hafnium - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Hafnium](https://vuldb.com/?actor.hafnium). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Hafnium](https://vuldb.com/?actor.hafnium). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.hafnium](https://vuldb.com/?actor.hafnium)
@ -15,6 +15,7 @@ The following campaigns are known and can be associated with Hafnium:
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Hafnium:
* CN
* US
## IOC - Indicator of Compromise
@ -22,7 +23,7 @@ These indicators of compromise indicate associated network ressources which are
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 172.105.174.117 | li2083-117.members.linode.com | High
1 | 172.105.174.117 | 172-105-174-117.ip.linodeusercontent.com | High
2 | 182.239.123.241 | 182.239.123.241.hk.chinamobile.com | High
3 | 182.239.124.180 | 182.239.124.180.hk.chinamobile.com | High
@ -45,19 +46,12 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `adclick.php` | Medium
2 | File | `add.php` | Low
3 | File | `admin/_cmdstat.jsp` | High
4 | File | `CFIDE/componentutils/cfcexplorer.cfc` | High
5 | File | `index.php` | Medium
6 | File | `index.php?m=home&c=message&a=add` | High
7 | File | `svcstatus.c` | Medium
8 | Argument | `dest` | Low
9 | Argument | `destination` | Medium
10 | Argument | `path` | Low
11 | ... | ... | ...
1 | File | `/.env` | Low
2 | File | `/ajax/networking/get_netcfg.php` | High
3 | File | `/auth/session` | High
4 | ... | ... | ...
There are 5 more IOA items available. Please use our online service to access the data.
There are 22 more IOA items available. Please use our online service to access the data.
## References
@ -70,9 +64,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

14
Hupigon/README.md
View File

@ -1,6 +1,6 @@
# Hupigon - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Hupigon](https://vuldb.com/?actor.hupigon). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Hupigon](https://vuldb.com/?actor.hupigon). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.hupigon](https://vuldb.com/?actor.hupigon)
@ -15,13 +15,9 @@ ID | IP address | Hostname | Confidence
3 | 23.3.13.33 | a23-3-13-33.deploy.static.akamaitechnologies.com | High
4 | 23.3.13.40 | a23-3-13-40.deploy.static.akamaitechnologies.com | High
5 | 65.55.252.93 | - | High
6 | 72.21.81.200 | - | High
7 | 72.22.185.199 | - | High
8 | 72.22.185.207 | - | High
9 | 91.199.212.52 | crt.sectigo.com | High
10 | ... | ... | ...
6 | ... | ... | ...
There are 17 more IOC items available. Please use our online service to access the data.
There are 21 more IOC items available. Please use our online service to access the data.
## References
@ -34,9 +30,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

67
Inception/README.md
View File

@ -1,6 +1,6 @@
# Inception - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Inception](https://vuldb.com/?actor.inception). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Inception](https://vuldb.com/?actor.inception). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.inception](https://vuldb.com/?actor.inception)
@ -14,12 +14,12 @@ The following campaigns are known and can be associated with Inception:
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Inception:
* DE
* FR
* SV
* IT
* FR
* ...
There are 8 more country items available. Please use our online service to access the data.
There are 4 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -30,10 +30,9 @@ ID | IP address | Hostname | Confidence
1 | 51.255.139.194 | ip194.ip-51-255-139.eu | High
2 | 82.221.100.55 | web.a1yola.com | High
3 | 82.221.100.60 | - | High
4 | 83.53.147.144 | 144.red-83-53-147.dynamicip.rima-tde.net | High
5 | ... | ... | ...
4 | ... | ... | ...
There are 6 more IOC items available. Please use our online service to access the data.
There are 7 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -41,14 +40,12 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1008 | Algorithm Downgrade | High
2 | T1040 | Authentication Bypass by Capture-replay | High
3 | T1059.007 | Cross Site Scripting | High
4 | T1068 | Execution with Unnecessary Privileges | High
5 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
6 | ... | ... | ...
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 11 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -56,19 +53,33 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `%PROGRAMDATA%\3CXPhone for Windows\PhoneApp` | High
2 | File | `%PROGRAMDATA%\WrData\PKG` | High
3 | File | `%SYSTEMDRIVE%\totalcmd\TOTALCMD64.EXE` | High
4 | File | `.gitolite.rc` | Medium
5 | File | `.travis.yml` | Medium
6 | File | `.well-known` | Medium
7 | File | `/#/CampaignManager/users` | High
8 | File | `/#/page` | Low
9 | File | `/.htpasswd` | Medium
10 | File | `/1.com.php` | Medium
11 | ... | ... | ...
1 | File | `.travis.yml` | Medium
2 | File | `/account/register` | High
3 | File | `/api/notify.php` | High
4 | File | `/backups/` | Medium
5 | File | `/cgi-bin/New_GUI/Igmp.asp` | High
6 | File | `/domain/service/.ewell-known/caldav` | High
7 | File | `/etc/passwd` | Medium
8 | File | `/formAdvFirewall` | High
9 | File | `/goods/getGoodsListByConditions/` | High
10 | File | `/home/user/dir` | High
11 | File | `/master/article.php` | High
12 | File | `/mobile/SelectUsers.jsp` | High
13 | File | `/ProteinArraySignificanceTest.json` | High
14 | File | `/Videos/Id/hls/PlaylistId/SegmentId.SegmentContainer` | High
15 | File | `/web` | Low
16 | File | `4.edu.php\conn\function.php` | High
17 | File | `abc.c` | Low
18 | File | `admin/bad.php` | High
19 | File | `admin/dl_sendmail.php` | High
20 | File | `admin/edit.php` | High
21 | File | `admin/pages/useredit.php` | High
22 | File | `AdminBaseController.class.php` | High
23 | File | `AlertReceiver.java` | High
24 | File | `AndroidManifest.xml` | High
25 | ... | ... | ...
There are 2413 more IOA items available. Please use our online service to access the data.
There are 213 more IOA items available. Please use our online service to access the data.
## References
@ -83,9 +94,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

71
InvisiMole/README.md
View File

@ -1,6 +1,6 @@
# InvisiMole - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [InvisiMole](https://vuldb.com/?actor.invisimole). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [InvisiMole](https://vuldb.com/?actor.invisimole). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.invisimole](https://vuldb.com/?actor.invisimole)
@ -13,7 +13,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* ES
* ...
There are 21 more country items available. Please use our online service to access the data.
There are 18 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -24,10 +24,9 @@ ID | IP address | Hostname | Confidence
1 | 46.165.230.241 | - | High
2 | 46.165.231.85 | - | High
3 | 46.165.241.129 | - | High
4 | 46.165.241.153 | - | High
5 | ... | ... | ...
4 | ... | ... | ...
There are 7 more IOC items available. Please use our online service to access the data.
There are 8 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -38,10 +37,9 @@ ID | Technique | Description | Confidence
1 | T1040 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | Cross Site Scripting | High
3 | T1068 | Execution with Unnecessary Privileges | High
4 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
5 | ... | ... | ...
4 | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
There are 9 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -57,11 +55,56 @@ ID | Type | Indicator | Confidence
6 | File | `/cgi-bin/bcm_password` | High
7 | File | `/cgi-bin/nobody` | High
8 | File | `/cgi-bin/nobody/Search.cgi` | High
9 | File | `/cgi-bin/supervisor/CloudSetup.cgi` | High
10 | File | `/cgi-bin/webproc` | High
11 | ... | ... | ...
9 | File | `/cgi-bin/webproc` | High
10 | File | `/config/netconf.cmd` | High
11 | File | `/etc/passwd` | Medium
12 | File | `/etc/services/INET/inet_ipv4.php` | High
13 | File | `/forum/away.php` | High
14 | File | `/get_getnetworkconf.cgi` | High
15 | File | `/goform/saveParentControlInfo` | High
16 | File | `/home.jsp` | Medium
17 | File | `/horde/util/go.php` | High
18 | File | `/include/stat/stat.php` | High
19 | File | `/login` | Low
20 | File | `/login.cgi?logout=1` | High
21 | File | `/Login.do` | Medium
22 | File | `/mifs/c/i/reg/reg.html` | High
23 | File | `/pages.php` | Medium
24 | File | `/pages/items` | Medium
25 | File | `/proc/iomem` | Medium
26 | File | `/profile/deleteWatch.do` | High
27 | File | `/show_news.php` | High
28 | File | `/status.js` | Medium
29 | File | `/tmp` | Low
30 | File | `/uncpath/` | Medium
31 | File | `/userRpm/MediaServerFoldersCfgRpm.htm` | High
32 | File | `/usr/local/ssl/openssl.cnf` | High
33 | File | `/var/log/nginx` | High
34 | File | `/wp-admin` | Medium
35 | File | `/xampp/guestbook-en.pl` | High
36 | File | `abook_database.php` | High
37 | File | `AccountStatus.jsp` | High
38 | File | `action/usermanager.htm` | High
39 | File | `add.php` | Low
40 | File | `add_comment.php` | High
41 | File | `admin.cgi?action=config_restore` | High
42 | File | `admin.php3` | Medium
43 | File | `admin/add-news.php` | High
44 | File | `admin/ajax/op_kandidat.php` | High
45 | File | `admin/gv_mail.php` | High
46 | File | `admin/manage-articles.php` | High
47 | File | `admin/manage-departments.php` | High
48 | File | `admin/systemOutOfBand.do` | High
49 | File | `ajax.php` | Medium
50 | File | `and/or` | Low
51 | File | `Annot.cc` | Medium
52 | File | `aoutx.h` | Low
53 | File | `app/application.cpp` | High
54 | File | `apply.cgi` | Medium
55 | File | `apps/app_article/controller/rating.php` | High
56 | ... | ... | ...
There are 614 more IOA items available. Please use our online service to access the data.
There are 485 more IOA items available. Please use our online service to access the data.
## References
@ -73,9 +116,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

6
KRBanker/README.md
View File

@ -1,6 +1,6 @@
# KRBanker - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [KRBanker](https://vuldb.com/?actor.krbanker). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [KRBanker](https://vuldb.com/?actor.krbanker). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.krbanker](https://vuldb.com/?actor.krbanker)
@ -28,9 +28,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

17
KilllSomeOne/README.md
View File

@ -1,6 +1,6 @@
# KilllSomeOne - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [KilllSomeOne](https://vuldb.com/?actor.killlsomeone). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [KilllSomeOne](https://vuldb.com/?actor.killlsomeone). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.killlsomeone](https://vuldb.com/?actor.killlsomeone)
@ -37,16 +37,9 @@ ID | Type | Indicator | Confidence
1 | File | `addentry.php` | Medium
2 | File | `admin_add.php` | High
3 | File | `assets/add/registrar-accounts.php` | High
4 | File | `data/gbconfiguration.dat` | High
5 | File | `email.php` | Medium
6 | File | `guestbook.cgi` | High
7 | File | `guestserver.cgi` | High
8 | File | `inc/config.php` | High
9 | File | `inc/filebrowser/browser.php` | High
10 | File | `index.php` | Medium
11 | ... | ... | ...
4 | ... | ... | ...
There are 16 more IOA items available. Please use our online service to access the data.
There are 23 more IOA items available. Please use our online service to access the data.
## References
@ -58,9 +51,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

88
Kinsing/README.md Normal file
View File

@ -0,0 +1,88 @@
# Kinsing - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Kinsing](https://vuldb.com/?actor.kinsing). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.kinsing](https://vuldb.com/?actor.kinsing)
## Campaigns
The following campaigns are known and can be associated with Kinsing:
* Log4Shell
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Kinsing:
* US
* RU
* CN
* ...
There are 4 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Kinsing.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 3.215.110.66 | ec2-3-215-110-66.compute-1.amazonaws.com | Medium
2 | 31.210.20.181 | - | High
3 | 34.81.218.76 | 76.218.81.34.bc.googleusercontent.com | Medium
4 | 42.112.28.216 | midp.highlatrol.com | High
5 | 45.129.2.107 | - | High
6 | 45.137.151.106 | - | High
7 | ... | ... | ...
There are 26 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Kinsing. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 4 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Kinsing. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/filemanager/upload.php` | High
2 | File | `/includes/event-management/index.php` | High
3 | File | `/Main_AdmStatus_Content.asp` | High
4 | File | `/member/picture/album` | High
5 | File | `/var/WEB-GUI/cgi-bin/telnet.cgi` | High
6 | File | `actions.php` | Medium
7 | File | `admin.php` | Medium
8 | File | `admin\controller\uploadfile.php` | High
9 | File | `album_portal.php` | High
10 | ... | ... | ...
There are 75 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://gist.github.com/Iansus/050e121170a864c37b13f979c1883ad4
* https://twitter.com/iansus/status/1472867647410819073
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

6
Kobalos/README.md
View File

@ -1,6 +1,6 @@
# Kobalos - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Kobalos](https://vuldb.com/?actor.kobalos). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Kobalos](https://vuldb.com/?actor.kobalos). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.kobalos](https://vuldb.com/?actor.kobalos)
@ -28,9 +28,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

16
Konni/README.md
View File

@ -1,6 +1,6 @@
# Konni - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Konni](https://vuldb.com/?actor.konni). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Konni](https://vuldb.com/?actor.konni). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.konni](https://vuldb.com/?actor.konni)
@ -18,7 +18,7 @@ These indicators of compromise indicate associated network ressources which are
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 31.170.160.129 | - | High
2 | 31.170.162.63 | - | High
2 | 31.170.162.63 | cpl04.main-hosting.eu | High
3 | 31.170.163.30 | cpl07.main-hosting.eu | High
4 | ... | ... | ...
@ -41,11 +41,9 @@ ID | Type | Indicator | Confidence
1 | File | `application\User\Controller\ProfileController.class.php` | High
2 | File | `banner-edit.php` | High
3 | File | `tmUnblock.cgi` | High
4 | File | `wallet.dat` | Medium
5 | Argument | `imgurl` | Low
6 | Argument | `ttcp_ip` | Low
7 | Input Value | `..\` | Low
8 | Network Port | `tcp/8080` | Medium
4 | ... | ... | ...
There are 5 more IOA items available. Please use our online service to access the data.
## References
@ -58,9 +56,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

212
Lazarus/README.md
View File

@ -1,6 +1,6 @@
# Lazarus - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Lazarus](https://vuldb.com/?actor.lazarus). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Lazarus](https://vuldb.com/?actor.lazarus). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.lazarus](https://vuldb.com/?actor.lazarus)
@ -19,12 +19,12 @@ There are 5 more campaign items available. Please use our online service to acce
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Lazarus:
* US
* ZA
* RU
* VN
* FR
* IN
* ...
There are 43 more country items available. Please use our online service to access the data.
There are 1 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -52,9 +52,169 @@ ID | IP address | Hostname | Confidence
18 | 2.93.86.251 | - | High
19 | 2.93.86.253 | - | High
20 | 2.93.131.116 | - | High
21 | ... | ... | ...
21 | 2.93.131.179 | - | High
22 | 2.93.238.2 | - | High
23 | 2.93.238.12 | - | High
24 | 2.93.238.20 | - | High
25 | 2.93.238.26 | - | High
26 | 2.93.238.35 | - | High
27 | 2.93.238.93 | - | High
28 | 2.93.238.146 | - | High
29 | 2.93.238.167 | - | High
30 | 2.93.238.176 | - | High
31 | 2.93.238.183 | - | High
32 | 2.93.238.199 | - | High
33 | 2.93.238.213 | - | High
34 | 2.93.238.215 | - | High
35 | 2.93.238.222 | - | High
36 | 2.93.238.252 | - | High
37 | 2.93.238.253 | - | High
38 | 2.93.248.5 | - | High
39 | 2.93.248.46 | - | High
40 | 2.94.53.139 | - | High
41 | 2.94.65.211 | - | High
42 | 2.94.65.246 | - | High
43 | 2.94.82.42 | - | High
44 | 2.94.117.30 | - | High
45 | 2.94.117.46 | - | High
46 | 2.94.117.47 | - | High
47 | 2.94.117.56 | - | High
48 | 2.94.209.30 | - | High
49 | 2.187.99.180 | - | High
50 | 5.22.137.178 | mail.bpdl.co.uk | High
51 | 5.22.140.93 | 5-22-140-93.host.as51043.net | High
52 | 5.41.88.137 | - | High
53 | 5.41.89.32 | - | High
54 | 5.41.94.221 | - | High
55 | 5.41.190.7 | - | High
56 | 5.41.201.151 | - | High
57 | 5.41.237.214 | - | High
58 | 5.79.99.169 | nsg037-19.divide.nl | High
59 | 5.98.91.76 | host-5-98-91-76.business.telecomitalia.it | High
60 | 5.141.87.156 | 5-141-97-156.static-adsl.isurgut.ru | High
61 | 5.189.190.67 | m2767.contaboserver.net | High
62 | 5.200.154.208 | - | High
63 | 5.200.177.218 | - | High
64 | 5.200.191.104 | - | High
65 | 5.200.198.10 | - | High
66 | 5.200.202.99 | - | High
67 | 14.102.46.3 | - | High
68 | 14.139.125.214 | - | High
69 | 14.140.123.179 | 14.140.123.179.static-pune-vsnl.net.in | High
70 | 14.141.27.100 | 14.141.26.100.static-Mumbai.vsnl.net.in | High
71 | 14.141.129.116 | 14.141.129.116.static-Delhi.vsnl.net.in | High
72 | 14.149.149.211 | - | High
73 | 21.252.107.198 | - | High
74 | 23.152.0.232 | betrp-basisto.seemband.com | High
75 | 26.165.218.44 | - | High
76 | 27.96.110.130 | 130.110.96.27.static.m1net.com.sg | High
77 | 27.114.187.37 | - | High
78 | 27.123.221.66 | 66-221.fiber.net.id | High
79 | 27.125.35.229 | - | High
80 | 31.47.47.130 | - | High
81 | 31.54.73.156 | host31-54-73-156.range31-54.btcentralplus.com | High
82 | 31.54.74.176 | host31-54-74-176.range31-54.btcentralplus.com | High
83 | 31.146.82.22 | 31-146-82-22.dsl.utg.ge | High
84 | 31.146.136.6 | 31-146-136-6.dsl.utg.ge | High
85 | 31.168.203.44 | bzq-203-168-31-44.red.bezeqint.net | High
86 | 36.71.90.4 | - | High
87 | 37.34.240.177 | - | High
88 | 37.48.106.69 | high-convey.blockother.com | High
89 | 37.71.50.2 | 2.50.71.37.rev.sfr.net | High
90 | 37.75.0.98 | - | High
91 | 37.75.2.203 | - | High
92 | 37.75.10.194 | mail.kplus.com.tr | High
93 | 37.75.11.162 | 37-75-11-162.rdns.saglayici.net | High
94 | 37.98.114.90 | 90.mobinnet.net | High
95 | 37.104.24.220 | - | High
96 | 37.104.50.144 | - | High
97 | 37.104.67.33 | - | High
98 | 37.105.234.200 | - | High
99 | 37.106.115.3 | - | High
100 | 37.143.29.10 | - | High
101 | 37.148.209.156 | 37-148-209-156.cizgi.net.tr | High
102 | 37.216.67.155 | - | High
103 | 37.216.213.70 | - | High
104 | 37.235.21.166 | - | High
105 | 41.57.108.68 | - | High
106 | 41.67.136.38 | netcomafrica.com | High
107 | 41.67.136.39 | netcomafrica.com | High
108 | 41.72.99.5 | - | High
109 | 41.72.101.138 | - | High
110 | 41.74.166.253 | - | High
111 | 41.92.208.194 | - | High
112 | 41.92.208.196 | - | High
113 | 41.92.208.197 | - | High
114 | 41.110.179.197 | - | High
115 | 41.128.226.60 | - | High
116 | 41.131.49.228 | host-41-131-49-228.static.link.com.eg | High
117 | 41.131.164.156 | - | High
118 | 41.134.208.234 | 41-134-208-234.dsl.mweb.co.za | High
119 | 41.182.252.56 | ADSL-41-182-252-56.ipb.na | High
120 | 41.205.139.34 | ADSL-41-205-139-34.ipb.na | High
121 | 41.208.106.68 | owa.altaqnya.com.ly | High
122 | 41.208.106.70 | dc1.Mail.dsmhlc.ly | High
123 | 41.215.250.40 | - | High
124 | 41.223.30.20 | host30-20.creolink.com | High
125 | 41.224.254.90 | - | High
126 | 43.249.216.6 | - | High
127 | 45.33.2.79 | li956-79.members.linode.com | High
128 | 45.33.23.183 | li977-183.members.linode.com | High
129 | 45.56.79.23 | li929-23.members.linode.com | High
130 | 45.79.19.196 | li1118-196.members.linode.com | High
131 | 45.118.34.215 | - | High
132 | 45.120.61.145 | - | High
133 | 45.124.169.36 | - | High
134 | 45.199.63.220 | - | High
135 | 46.19.101.186 | ip-46-19-101-186.gnc.net | High
136 | 46.21.147.161 | 46-21-147-161.static.hvvc.us | High
137 | 46.52.131.102 | - | High
138 | 46.121.242.180 | 46-121-242-180.static.012.net.il | High
139 | 46.174.116.60 | - | High
140 | 46.174.116.87 | - | High
141 | 46.174.116.90 | - | High
142 | 46.174.116.99 | - | High
143 | 46.174.116.221 | - | High
144 | 46.174.116.231 | - | High
145 | 46.174.116.234 | - | High
146 | 46.174.117.15 | - | High
147 | 46.174.117.32 | - | High
148 | 46.174.117.36 | - | High
149 | 46.174.117.42 | - | High
150 | 46.174.117.44 | - | High
151 | 46.174.117.50 | - | High
152 | 46.174.117.61 | - | High
153 | 46.174.117.77 | - | High
154 | 46.174.117.80 | - | High
155 | 46.174.117.97 | - | High
156 | 46.174.117.98 | - | High
157 | 46.174.117.103 | - | High
158 | 46.174.117.116 | - | High
159 | 46.174.117.121 | - | High
160 | 46.174.117.129 | - | High
161 | 46.174.117.134 | - | High
162 | 46.174.117.153 | - | High
163 | 46.174.117.164 | - | High
164 | 46.218.127.110 | reverse.completel.fr | High
165 | 47.206.4.145 | static-47-206-4-145.srst.fl.frontiernet.net | High
166 | 49.206.1.61 | 49.206.1.61.actcorp.in | High
167 | 50.62.168.157 | p3nwvpweb145.shr.prod.phx3.secureserver.net | High
168 | 50.87.144.227 | somethingaboutmarketing.com | High
169 | 51.235.1.216 | - | High
170 | 51.235.13.162 | - | High
171 | 51.235.17.133 | - | High
172 | 51.235.19.202 | - | High
173 | 51.235.33.226 | - | High
174 | 51.235.49.202 | - | High
175 | 54.64.30.175 | vega.mh-tec.co.jp | High
176 | 58.82.155.98 | 98.155.82.58.static-corp.jastel.co.th | High
177 | 58.185.197.210 | - | High
178 | 59.90.93.97 | static.bb.knl.59.90.93.97.bsnl.in | High
179 | 59.90.93.138 | static.bb.knl.59.90.93.138.bsnl.in | High
180 | 59.90.93.248 | static.bb.knl.59.90.93.248.bsnl.in | High
181 | ... | ... | ...
There are 878 more IOC items available. Please use our online service to access the data.
There are 718 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -62,14 +222,12 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1040 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | Cross Site Scripting | High
3 | T1068 | Execution with Unnecessary Privileges | High
4 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
5 | T1211 | 7PK Security Features | High
6 | ... | ... | ...
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 10 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -77,19 +235,19 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `#!/system` | Medium
2 | File | `$SPLUNK_HOME/etc/splunk-launch.conf` | High
3 | File | `%APPDATA%\Securepoint SSL VPN` | High
4 | File | `%PROGRAMFILES%\MyQ\PHP\Sessions\` | High
5 | File | `.htaccess` | Medium
6 | File | `.htpasswd` | Medium
7 | File | `.procmailrc` | Medium
8 | File | `.travis.yml` | Medium
9 | File | `/+CSCOE+/logon.html` | High
10 | File | `/.gitolite.rc` | High
1 | File | `/admin/login.php` | High
2 | File | `/ajax_crud` | Medium
3 | File | `/core/table/query` | High
4 | File | `/dev/ion` | Medium
5 | File | `/ecma/operations/ecma-objects.c` | High
6 | File | `/GetCopiedFile` | High
7 | File | `/hdf5/src/H5T.c` | High
8 | File | `/leave_system/classes/Login.php` | High
9 | File | `/risque/administration/referentiel/json/create/categorie` | High
10 | File | `/rsms/` | Low
11 | ... | ... | ...
There are 3731 more IOA items available. Please use our online service to access the data.
There are 80 more IOA items available. Please use our online service to access the data.
## References
@ -117,9 +275,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

17
Leviathan/README.md
View File

@ -1,6 +1,6 @@
# Leviathan - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Leviathan](https://vuldb.com/?actor.leviathan). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Leviathan](https://vuldb.com/?actor.leviathan). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.leviathan](https://vuldb.com/?actor.leviathan)
@ -47,16 +47,9 @@ ID | Type | Indicator | Confidence
1 | File | `encrypt.c` | Medium
2 | File | `ept.c` | Low
3 | File | `index.php` | Medium
4 | File | `PGSQL:SubmitQuery.do` | High
5 | File | `qemu-dos.com` | Medium
6 | File | `wallacepos-master/myaccount/resetpassword.php` | High
7 | Argument | `Referer` | Low
8 | Argument | `session_id` | Medium
9 | Argument | `src` | Low
10 | Argument | `token` | Low
11 | ... | ... | ...
4 | ... | ... | ...
There are 2 more IOA items available. Please use our online service to access the data.
There are 9 more IOA items available. Please use our online service to access the data.
## References
@ -69,9 +62,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

13
LightBasin/README.md
View File

@ -46,16 +46,9 @@ ID | Type | Indicator | Confidence
1 | File | `/DbXmlInfo.xml` | High
2 | File | `/deviceIP` | Medium
3 | File | `/inc/HTTPClient.php` | High
4 | File | `BACnOPCServer.exe` | High
5 | File | `base/ErrorHandler.php` | High
6 | File | `bvlc.c` | Low
7 | File | `csv` | Low
8 | File | `data/gbconfiguration.dat` | High
9 | File | `get/vcs.go` | Medium
10 | File | `Illuminate/Encryption/Encrypter.php` | High
11 | ... | ... | ...
4 | ... | ... | ...
There are 8 more IOA items available. Please use our online service to access the data.
There are 15 more IOA items available. Please use our online service to access the data.
## References
@ -72,4 +65,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

12
Lokibot/README.md
View File

@ -1,12 +1,12 @@
# LokiBot - Cyber Threat Intelligence
# Lokibot - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [LokiBot](https://vuldb.com/?actor.lokibot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Lokibot](https://vuldb.com/?actor.lokibot). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.lokibot](https://vuldb.com/?actor.lokibot)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with LokiBot:
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Lokibot:
* ES
* US
@ -17,7 +17,7 @@ There are 12 more country items available. Please use our online service to acce
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of LokiBot.
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Lokibot.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
@ -47,7 +47,7 @@ There are 65 more IOC items available. Please use our online service to access t
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by LokiBot. This data is unique as it uses our predictive model for actor profiling.
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Lokibot. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
@ -61,7 +61,7 @@ There are 8 more TTP items available. Please use our online service to access th
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by LokiBot. This data is unique as it uses our predictive model for actor profiling.
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Lokibot. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------

14
LuminousMoth/README.md
View File

@ -1,6 +1,6 @@
# LuminousMoth - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [LuminousMoth](https://vuldb.com/?actor.luminousmoth). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [LuminousMoth](https://vuldb.com/?actor.luminousmoth). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.luminousmoth](https://vuldb.com/?actor.luminousmoth)
@ -19,8 +19,8 @@ These indicators of compromise indicate associated network ressources which are
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 45.204.9.70 | - | High
2 | 103.15.28.195 | - | High
3 | 202.59.10.253 | begin-user.sizecalm.com | High
2 | 103.15.28.195 | gld5.linkadminister.club | High
3 | 202.59.10.253 | begin-user.proscarce.org | High
## TTP - Tactics, Techniques, Procedures
@ -39,7 +39,9 @@ ID | Type | Indicator | Confidence
1 | File | `Config/SaveUploadedHotspotLogoFile` | High
2 | File | `dede\co_do.php` | High
3 | Library | `MOVEit.DMZ.WebApi.dll` | High
4 | Argument | `ids` | Low
4 | ... | ... | ...
There are 1 more IOA items available. Please use our online service to access the data.
## References
@ -51,9 +53,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

6
Manul/README.md
View File

@ -1,6 +1,6 @@
# Manul - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Manul](https://vuldb.com/?actor.manul). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Manul](https://vuldb.com/?actor.manul). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.manul](https://vuldb.com/?actor.manul)
@ -28,9 +28,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

17
MsAttacker/README.md
View File

@ -1,6 +1,6 @@
# MsAttacker - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [MsAttacker](https://vuldb.com/?actor.msattacker). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [MsAttacker](https://vuldb.com/?actor.msattacker). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.msattacker](https://vuldb.com/?actor.msattacker)
@ -42,16 +42,9 @@ ID | Type | Indicator | Confidence
1 | File | `/get_getnetworkconf.cgi` | High
2 | File | `controllers/Weixin.php` | High
3 | File | `functions/functions_filters.asp` | High
4 | File | `inc/config.php` | High
5 | Library | `system/libraries/Email.php` | High
6 | Argument | `basePath` | Medium
7 | Argument | `email->from` | Medium
8 | Argument | `First Name/Last Name/Address field` | High
9 | Argument | `name` | Low
10 | Argument | `url` | Low
11 | ... | ... | ...
4 | ... | ... | ...
There are 1 more IOA items available. Please use our online service to access the data.
There are 8 more IOA items available. Please use our online service to access the data.
## References
@ -63,9 +56,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

24
Mustang Panda/README.md
View File

@ -1,6 +1,6 @@
# Mustang Panda - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Mustang Panda](https://vuldb.com/?actor.mustang_panda). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Mustang Panda](https://vuldb.com/?actor.mustang_panda). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.mustang_panda](https://vuldb.com/?actor.mustang_panda)
@ -29,13 +29,9 @@ ID | IP address | Hostname | Confidence
3 | 45.77.184.12 | comm.phiu.pw | High
4 | 45.248.87.14 | - | High
5 | 91.195.240.117 | - | High
6 | 95.217.1.81 | static.81.1.217.95.clients.your-server.de | High
7 | 149.28.74.41 | 149.28.74.41.vultr.com | Medium
8 | 149.28.74.149 | 149.28.74.149.vultr.com | Medium
9 | 154.221.24.47 | - | High
10 | ... | ... | ...
6 | ... | ... | ...
There are 17 more IOC items available. Please use our online service to access the data.
There are 21 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -46,10 +42,9 @@ ID | Technique | Description | Confidence
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1222 | Permission Issues | High
5 | ... | ... | ...
4 | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -66,8 +61,9 @@ ID | Type | Indicator | Confidence
7 | File | `/settings` | Medium
8 | File | `/updater.php` | Medium
9 | File | `/uploads/dede` | High
10 | File | `/webtools/control/httpService` | High
11 | ... | ... | ...
10 | File | `/way4acs/enroll` | High
11 | File | `/webtools/control/httpService` | High
12 | ... | ... | ...
There are 89 more IOA items available. Please use our online service to access the data.
@ -83,9 +79,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

31
MyKings/README.md
View File

@ -1,6 +1,6 @@
# MyKings - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [MyKings](https://vuldb.com/?actor.mykings). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [MyKings](https://vuldb.com/?actor.mykings). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.mykings](https://vuldb.com/?actor.mykings)
@ -38,18 +38,14 @@ ID | IP address | Hostname | Confidence
9 | 45.58.133.10 | depending-tcped.landweeks.com | High
10 | 45.58.135.106 | - | High
11 | 45.58.140.194 | vm194.ebouravi.com | High
12 | 45.116.13.219 | - | High
12 | 45.116.13.219 | 45.116.13.219.static.xtom.hk | High
13 | 54.255.141.50 | ec2-54-255-141-50.ap-southeast-1.compute.amazonaws.com | Medium
14 | 60.250.76.52 | 60-250-76-52.hinet-ip.hinet.net | High
15 | 64.32.3.186 | - | High
16 | 66.117.2.182 | crownwine.net | High
17 | 66.117.6.174 | menu-btob.etherraw.com | High
18 | 67.21.90.226 | saas-mx0226.profirstin.com | High
19 | 67.229.99.82 | kumrye.manibal.co.uk | High
20 | 69.30.200.178 | - | High
21 | ... | ... | ...
17 | ... | ... | ...
There are 61 more IOC items available. Please use our online service to access the data.
There are 65 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -62,7 +58,7 @@ ID | Technique | Description | Confidence
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 4 more TTP items available. Please use our online service to access the data.
There are 5 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -80,9 +76,18 @@ ID | Type | Indicator | Confidence
8 | File | `/mysql/api/drobo.php` | High
9 | File | `/rating.php` | Medium
10 | File | `/rom-0` | Low
11 | ... | ... | ...
11 | File | `/secure/admin/ConfigureBatching!default.jspa` | High
12 | File | `/uncpath/` | Medium
13 | File | `/usr/local/WowzaStreamingEngine/bin/` | High
14 | File | `/var/log/nginx` | High
15 | File | `/wordpress/wp-admin/admin.php` | High
16 | File | `/_next` | Low
17 | File | `actions.hsp` | Medium
18 | File | `addtocart.asp` | High
19 | File | `ajax/api/hook/decodeArguments` | High
20 | ... | ... | ...
There are 162 more IOA items available. Please use our online service to access the data.
There are 164 more IOA items available. Please use our online service to access the data.
## References
@ -95,9 +100,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

46
NSO Group/README.md
View File

@ -1,6 +1,6 @@
# NSO Group - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [NSO Group](https://vuldb.com/?actor.nso_group). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [NSO Group](https://vuldb.com/?actor.nso_group). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.nso_group](https://vuldb.com/?actor.nso_group)
@ -16,8 +16,8 @@ The following campaigns are known and can be associated with NSO Group:
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with NSO Group:
* US
* DE
* US
* CN
* ...
@ -37,14 +37,9 @@ ID | IP address | Hostname | Confidence
6 | 18.217.13.50 | ec2-18-217-13-50.us-east-2.compute.amazonaws.com | Medium
7 | 18.225.12.72 | ec2-18-225-12-72.us-east-2.compute.amazonaws.com | Medium
8 | 23.239.16.143 | li685-143.members.linode.com | High
9 | 45.60.241.11 | - | High
10 | 45.60.251.11 | - | High
11 | 45.79.190.38 | li1289-38.members.linode.com | High
12 | 52.8.52.166 | ec2-52-8-52-166.us-west-1.compute.amazonaws.com | Medium
13 | 52.8.153.44 | ec2-52-8-153-44.us-west-1.compute.amazonaws.com | Medium
14 | ... | ... | ...
9 | ... | ... | ...
There are 26 more IOC items available. Please use our online service to access the data.
There are 31 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -52,12 +47,12 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
1 | T1040 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | Cross Site Scripting | High
3 | T1068 | Execution with Unnecessary Privileges | High
4 | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -70,14 +65,21 @@ ID | Type | Indicator | Confidence
3 | File | `/etc/controller-agent/agent.conf` | High
4 | File | `/forms/web_importTFTP` | High
5 | File | `/forum/away.php` | High
6 | File | `/localhost/u` | Medium
7 | File | `/out.php` | Medium
8 | File | `/PluXml/core/admin/parametres_edittpl.php` | High
9 | File | `/rom-0` | Low
10 | File | `/root/run/adm.php?admin-ediy&part=exdiy` | High
11 | ... | ... | ...
6 | File | `/graphql` | Medium
7 | File | `/localhost/u` | Medium
8 | File | `/out.php` | Medium
9 | File | `/PluXml/core/admin/parametres_edittpl.php` | High
10 | File | `/public_html/admin/plugins/bad_behavior2/blacklist.php` | High
11 | File | `/rom-0` | Low
12 | File | `/root/run/adm.php?admin-ediy&part=exdiy` | High
13 | File | `/v2/devices/add` | High
14 | File | `/var/ipfire/backup/bin/backup.pl` | High
15 | File | `/wp-json/wc/v3/webhooks` | High
16 | File | `adclick.php` | Medium
17 | File | `AddEvent.php` | Medium
18 | ... | ... | ...
There are 140 more IOA items available. Please use our online service to access the data.
There are 147 more IOA items available. Please use our online service to access the data.
## References
@ -93,9 +95,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

18
Nanocore/README.md
View File

@ -30,12 +30,9 @@ ID | IP address | Hostname | Confidence
1 | 8.8.8.8 | dns.google | High
2 | 20.42.65.92 | - | High
3 | 23.235.221.158 | vps53141.inmotionhosting.com | High
4 | 79.134.225.101 | - | High
5 | 87.120.37.96 | - | High
6 | 104.208.16.94 | - | High
7 | ... | ... | ...
4 | ... | ... | ...
There are 11 more IOC items available. Please use our online service to access the data.
There are 14 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -61,14 +58,9 @@ ID | Type | Indicator | Confidence
3 | File | `browser.php` | Medium
4 | File | `cat.php` | Low
5 | File | `CompanionDeviceManagerService.java` | High
6 | File | `config.xml` | Medium
7 | File | `dede\co_do.php` | High
8 | File | `detail.php` | Medium
9 | File | `Dynamiccontenttags.php` | High
10 | File | `filemanager/model.php` | High
11 | ... | ... | ...
6 | ... | ... | ...
There are 37 more IOA items available. Please use our online service to access the data.
There are 42 more IOA items available. Please use our online service to access the data.
## References
@ -87,4 +79,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

12
Necurs/README.md
View File

@ -1,6 +1,6 @@
# Necurs - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Necurs](https://vuldb.com/?actor.necurs). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Necurs](https://vuldb.com/?actor.necurs). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.necurs](https://vuldb.com/?actor.necurs)
@ -19,11 +19,9 @@ ID | IP address | Hostname | Confidence
1 | 40.121.206.97 | - | High
2 | 64.47.209.23 | - | High
3 | 64.63.188.85 | - | High
4 | 64.231.250.149 | bas3-toronto12-64-231-250-149.dsl.bell.ca | High
5 | 65.79.10.48 | freshman-events.nl.edu | High
6 | ... | ... | ...
4 | ... | ... | ...
There are 8 more IOC items available. Please use our online service to access the data.
There are 10 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -52,9 +50,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

6
Needles/README.md
View File

@ -1,6 +1,6 @@
# Needles - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Needles](https://vuldb.com/?actor.needles). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Needles](https://vuldb.com/?actor.needles). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.needles](https://vuldb.com/?actor.needles)
@ -31,9 +31,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

27
NetWire/README.md
View File

@ -27,14 +27,9 @@ ID | IP address | Hostname | Confidence
4 | 45.144.225.219 | - | High
5 | 89.249.74.213 | - | High
6 | 94.103.80.254 | v702647.hosted-by-vdsina.ru | High
7 | 103.150.8.54 | - | High
8 | 104.21.70.22 | - | High
9 | 142.44.252.19 | ip19.ip-142-44-252.net | High
10 | 155.94.198.169 | 155.94.198.169.static.quadranet.com | High
11 | 162.159.129.233 | - | High
12 | ... | ... | ...
7 | ... | ... | ...
There are 20 more IOC items available. Please use our online service to access the data.
There are 25 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -47,7 +42,7 @@ ID | Technique | Description | Confidence
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -65,9 +60,19 @@ ID | Type | Indicator | Confidence
8 | File | `/netflow/jspui/linkdownalertConfig.jsp` | High
9 | File | `/product.php` | Medium
10 | File | `/products/details.asp` | High
11 | ... | ... | ...
11 | File | `/uncpath/` | Medium
12 | File | `123flashchat.php` | High
13 | File | `ActionsAndOperations` | High
14 | File | `adclick.php` | Medium
15 | File | `admin.php` | Medium
16 | File | `adminlogin.asp` | High
17 | File | `Adminstrator/Users/Edit/` | High
18 | File | `binder.c` | Medium
19 | File | `books.php` | Medium
20 | File | `buy.php` | Low
21 | ... | ... | ...
There are 183 more IOA items available. Please use our online service to access the data.
There are 174 more IOA items available. Please use our online service to access the data.
## References
@ -91,4 +96,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

6
Neuron/README.md
View File

@ -1,6 +1,6 @@
# Neuron - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Neuron](https://vuldb.com/?actor.neuron). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Neuron](https://vuldb.com/?actor.neuron). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.neuron](https://vuldb.com/?actor.neuron)
@ -39,9 +39,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

19
Nobelium/README.md
View File

@ -1,6 +1,6 @@
# Nobelium - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Nobelium](https://vuldb.com/?actor.nobelium). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Nobelium](https://vuldb.com/?actor.nobelium). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.nobelium](https://vuldb.com/?actor.nobelium)
@ -10,6 +10,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* CN
* US
* DE
## IOC - Indicator of Compromise
@ -35,13 +36,11 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/notice-edit.php` | High
2 | File | `burl.c` | Low
3 | File | `http_auth.c` | Medium
4 | File | `ViewLog.asp` | Medium
5 | Argument | `aid` | Low
6 | Argument | `remote_host` | Medium
7 | Input Value | `%3bping+-c+3+10.0.99.102%3b%23` | High
8 | Input Value | `/%2F` | Low
2 | File | `/wp-content/plugins/updraftplus/admin.php` | High
3 | File | `burl.c` | Low
4 | ... | ... | ...
There are 8 more IOA items available. Please use our online service to access the data.
## References
@ -53,9 +52,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

17
Oto Gonderici/README.md
View File

@ -1,6 +1,6 @@
# Oto Gonderici - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Oto Gonderici](https://vuldb.com/?actor.oto_gonderici). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Oto Gonderici](https://vuldb.com/?actor.oto_gonderici). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.oto_gonderici](https://vuldb.com/?actor.oto_gonderici)
@ -50,16 +50,9 @@ ID | Type | Indicator | Confidence
1 | File | `/usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php` | High
2 | File | `audiohd.exe` | Medium
3 | File | `C:\Windupdt` | Medium
4 | File | `C:\z_Drivers` | Medium
5 | File | `cgi-bin/webproc` | High
6 | File | `cheaters.php/confirm_resend.php` | High
7 | File | `data/gbconfiguration.dat` | High
8 | File | `ext/standard/link_win32.c` | High
9 | File | `getfile.asp` | Medium
10 | File | `mypage` | Low
11 | ... | ... | ...
4 | ... | ... | ...
There are 13 more IOA items available. Please use our online service to access the data.
There are 21 more IOA items available. Please use our online service to access the data.
## References
@ -71,9 +64,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

98
PlugX/README.md Normal file
View File

@ -0,0 +1,98 @@
# PlugX - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [PlugX](https://vuldb.com/?actor.plugx). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.plugx](https://vuldb.com/?actor.plugx)
## Countries
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with PlugX:
* CN
* US
* DE
## IOC - Indicator of Compromise
These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of PlugX.
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 34.92.30.54 | 54.30.92.34.bc.googleusercontent.com | Medium
2 | 35.220.176.90 | 90.176.220.35.bc.googleusercontent.com | Medium
3 | 95.179.128.208 | 95.179.128.208.vultr.com | Medium
4 | ... | ... | ...
There are 8 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by PlugX. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by PlugX. This data is unique as it uses our predictive model for actor profiling.
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `$JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups` | High
2 | File | `/admin/` | Low
3 | File | `/admin/?/plugin/comment/settings` | High
4 | File | `/admin/ajax/file-browser/upload/` | High
5 | File | `/admin/index.php` | High
6 | File | `/api/filemanager` | High
7 | File | `/api/request/?OPERATION_NAME` | High
8 | File | `/apparel--accessories` | High
9 | File | `/apply_noauth.cgi` | High
10 | File | `/catalog/admin/categories.php?cPath=&action=new_product` | High
11 | File | `/domains/index.fts` | High
12 | File | `/DroboAccess/delete_user` | High
13 | File | `/foundry/modules/news/newscolumns.php` | High
14 | File | `/GponForm/device_Form?script/` | High
15 | File | `/media/api` | Medium
16 | File | `/member/test/points` | High
17 | File | `/Mum.Geo.Services/DataAccessService.svc` | High
18 | File | `/port_3480` | Medium
19 | File | `/q` | Low
20 | File | `/service-list` | High
21 | File | `/smstest.html` | High
22 | File | `/tmp` | Low
23 | File | `/tmp/kamailio_fifo` | High
24 | File | `/tmp/scfgdndf` | High
25 | File | `/view/friend_profile.php` | High
26 | File | `AccessManagerCoreService.exe` | High
27 | File | `actions/doreport.php` | High
28 | File | `addlyricsform.php` | High
29 | File | `addmerchpicform.php` | High
30 | File | `addresses_export.php` | High
31 | File | `adherents/cartes/carte.php` | High
32 | File | `admin.php?m=Member&a=adminaddsave` | High
33 | ... | ... | ...
There are 280 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://twitter.com/0xrb/status/1482976719300890629
## Literature
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

16
ProLock/README.md
View File

@ -1,6 +1,6 @@
# ProLock - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [ProLock](https://vuldb.com/?actor.prolock). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [ProLock](https://vuldb.com/?actor.prolock). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.prolock](https://vuldb.com/?actor.prolock)
@ -16,7 +16,7 @@ These indicators of compromise indicate associated network ressources which are
ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 185.212.128.8 | alpha.casino | High
1 | 185.212.128.8 | alinac4r1.ptr1.ru | High
## TTP - Tactics, Techniques, Procedures
@ -35,11 +35,9 @@ ID | Type | Indicator | Confidence
1 | File | `category.php` | Medium
2 | File | `Unlock.exe` | Medium
3 | File | `wp-admin/media-upload.php` | High
4 | File | `wp-content/uploads` | High
5 | File | `wp-content/uploads/tmm_db_migrate/wp_users.dat` | High
6 | Argument | `post_id` | Low
7 | Argument | `site` | Low
8 | Argument | `user_login/user_pass/user_email` | High
4 | ... | ... | ...
There are 5 more IOA items available. Please use our online service to access the data.
## References
@ -51,9 +49,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

6
Pzchao/README.md
View File

@ -1,6 +1,6 @@
# Pzchao - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Pzchao](https://vuldb.com/?actor.pzchao). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Pzchao](https://vuldb.com/?actor.pzchao). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.pzchao](https://vuldb.com/?actor.pzchao)
@ -22,9 +22,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

16
Qealler/README.md
View File

@ -1,6 +1,6 @@
# Qealler - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Qealler](https://vuldb.com/?actor.qealler). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Qealler](https://vuldb.com/?actor.qealler). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.qealler](https://vuldb.com/?actor.qealler)
@ -8,8 +8,8 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Qealler:
* RU
* US
* RU
## IOC - Indicator of Compromise
@ -20,6 +20,14 @@ ID | IP address | Hostname | Confidence
1 | 139.59.76.44 | server1.agorimtech.com | High
2 | 146.185.139.123 | - | High
## TTP - Tactics, Techniques, Procedures
Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Qealler. This data is unique as it uses our predictive model for actor profiling.
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1068 | Execution with Unnecessary Privileges | High
## References
The following list contains external sources which discuss the actor and the associated activities:
@ -30,9 +38,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

59
REvil/README.md
View File

@ -1,6 +1,6 @@
# REvil - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [REvil](https://vuldb.com/?actor.revil). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [REvil](https://vuldb.com/?actor.revil). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.revil](https://vuldb.com/?actor.revil)
@ -16,7 +16,10 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* US
* DE
* CN
* RU
* ...
There are 7 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -26,10 +29,16 @@ ID | IP address | Hostname | Confidence
-- | ---------- | -------- | ----------
1 | 5.230.195.226 | - | High
2 | 18.223.199.234 | ec2-18-223-199-234.us-east-2.compute.amazonaws.com | Medium
3 | 45.55.211.79 | - | High
4 | ... | ... | ...
3 | 45.9.148.108 | mx1.dendrite.network | High
4 | 45.33.2.79 | li956-79.members.linode.com | High
5 | 45.33.18.44 | li972-44.members.linode.com | High
6 | 45.33.20.235 | li974-235.members.linode.com | High
7 | 45.33.23.183 | li977-183.members.linode.com | High
8 | 45.33.30.197 | li1047-197.members.linode.com | High
9 | 45.55.211.79 | - | High
10 | ... | ... | ...
There are 6 more IOC items available. Please use our online service to access the data.
There are 34 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -39,7 +48,10 @@ ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1222 | Permission Issues | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -47,25 +59,32 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/category_view.php` | High
2 | File | `/cms/process.php` | High
3 | File | `/etc/shadow` | Medium
4 | File | `/movie.php` | Medium
5 | File | `admin/settings.php` | High
6 | File | `data/gbconfiguration.dat` | High
7 | File | `instant_service.cc` | High
8 | File | `item_show.php` | High
9 | File | `language/lang_english/lang_main_album.php` | High
10 | File | `maketemp.pl` | Medium
11 | ... | ... | ...
1 | File | `/.htpasswd` | Medium
2 | File | `/category_view.php` | High
3 | File | `/cgi-bin/nasset.cgi` | High
4 | File | `/cgi-bin/webadminget.cgi` | High
5 | File | `/cms/process.php` | High
6 | File | `/etc/shadow` | Medium
7 | File | `/forum/away.php` | High
8 | File | `/goform/SetNetControlList` | High
9 | File | `/index.php/weblinks-categories` | High
10 | File | `/modules/profile/index.php` | High
11 | File | `/movie.php` | Medium
12 | File | `/public/login.htm` | High
13 | File | `/show_news.php` | High
14 | File | `/uncpath/` | Medium
15 | File | `adclick.php` | Medium
16 | File | `admin.asp` | Medium
17 | ... | ... | ...
There are 13 more IOA items available. Please use our online service to access the data.
There are 135 more IOA items available. Please use our online service to access the data.
## References
The following list contains external sources which discuss the actor and the associated activities:
* https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html
* https://ddanchev.blogspot.com/2022/01/exposing-internet-connected_24.html
* https://www.darktrace.com/en/blog/darktraces-cyber-ai-analyst-investigates-sodinokibi-r-evil-ransomware/
* https://www.varonis.com/blog/revil-msp-supply-chain-attack/
@ -73,9 +92,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

72
Ramnit/README.md
View File

@ -8,12 +8,12 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Ramnit:
* DE
* ES
* US
* ES
* RU
* ...
There are 16 more country items available. Please use our online service to access the data.
There are 13 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -41,9 +41,25 @@ ID | IP address | Hostname | Confidence
18 | 23.64.109.30 | a23-64-109-30.deploy.static.akamaitechnologies.com | High
19 | 23.196.65.196 | a23-196-65-196.deploy.static.akamaitechnologies.com | High
20 | 23.218.130.41 | a23-218-130-41.deploy.static.akamaitechnologies.com | High
21 | ... | ... | ...
21 | 31.44.184.117 | - | High
22 | 34.98.99.30 | 30.99.98.34.bc.googleusercontent.com | Medium
23 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | Medium
24 | 34.197.76.50 | ec2-34-197-76-50.compute-1.amazonaws.com | Medium
25 | 34.225.182.233 | ec2-34-225-182-233.compute-1.amazonaws.com | Medium
26 | 35.188.161.42 | 42.161.188.35.bc.googleusercontent.com | Medium
27 | 35.224.11.86 | 86.11.224.35.bc.googleusercontent.com | Medium
28 | 39.107.34.197 | - | High
29 | 45.118.145.96 | - | High
30 | 46.17.47.67 | fxchfjhtftfr.net | High
31 | 46.165.220.141 | - | High
32 | 46.165.220.142 | - | High
33 | 46.165.220.143 | - | High
34 | 46.165.220.144 | - | High
35 | 46.165.220.145 | - | High
36 | 46.165.220.146 | - | High
37 | ... | ... | ...
There are 158 more IOC items available. Please use our online service to access the data.
There are 143 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -51,14 +67,12 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1040 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | Cross Site Scripting | High
3 | T1068 | Execution with Unnecessary Privileges | High
4 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
5 | T1211 | 7PK Security Features | High
6 | ... | ... | ...
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 9 more TTP items available. Please use our online service to access the data.
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -66,19 +80,26 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `-X/path/to/wwwroot/file.php.` | High
2 | File | `.dbshell` | Medium
3 | File | `.gemspec` | Medium
4 | File | `.git/hooks/post-update` | High
5 | File | `.gitmodules` | Medium
6 | File | `.htaccess` | Medium
7 | File | `/.kedpm/history` | High
8 | File | `/.vnc/sesman_${username}_passwd` | High
9 | File | `//etc/RT2870STA.dat` | High
10 | File | `/about-us/locations/index` | High
11 | ... | ... | ...
1 | File | `/admin/admin.php` | High
2 | File | `/admin/imageslider/file.php` | High
3 | File | `/cgi-bin/luci` | High
4 | File | `/core/vb/vurl.php` | High
5 | File | `/etc/ldap.conf` | High
6 | File | `/importTool/preview` | High
7 | File | `/mods/_core/courses/users/create_course.php` | High
8 | File | `/phppath/php` | Medium
9 | File | `/plugins/Dashboard/Controller.php` | High
10 | File | `/server-status` | High
11 | File | `/uncpath/` | Medium
12 | File | `adclick.php` | Medium
13 | File | `addentry.php` | Medium
14 | File | `add_comment.php` | High
15 | File | `admin-ajax.php` | High
16 | File | `admin.php` | Medium
17 | File | `admin/class-bulk-editor-list-table.php` | High
18 | ... | ... | ...
There are 3581 more IOA items available. Please use our online service to access the data.
There are 149 more IOA items available. Please use our online service to access the data.
## References
@ -92,6 +113,7 @@ The following list contains external sources which discuss the actor and the ass
* https://blog.talosintelligence.com/2021/10/threat-roundup-1015-1022.html
* https://blog.talosintelligence.com/2021/10/threat-roundup-1022-1029.html
* https://github.com/firehol/blocklist-ipsets/blob/master/bambenek_ramnit.ipset
* https://twitter.com/bit_dam/status/1280975679354556429
## Literature
@ -102,4 +124,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

11
Royal Road/README.md
View File

@ -1,6 +1,6 @@
# Royal Road - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Royal Road](https://vuldb.com/?actor.royal_road). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Royal Road](https://vuldb.com/?actor.royal_road). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.royal_road](https://vuldb.com/?actor.royal_road)
@ -62,10 +62,9 @@ ID | Type | Indicator | Confidence
7 | File | `admin/index.php` | High
8 | File | `assets/add/registrar.php` | High
9 | File | `books.php` | Medium
10 | File | `cart.php` | Medium
11 | ... | ... | ...
10 | ... | ... | ...
There are 78 more IOA items available. Please use our online service to access the data.
There are 79 more IOA items available. Please use our online service to access the data.
## References
@ -77,9 +76,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

53
Sandworm Team/README.md
View File

@ -1,6 +1,6 @@
# Sandworm Team - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Sandworm Team](https://vuldb.com/?actor.sandworm_team). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Sandworm Team](https://vuldb.com/?actor.sandworm_team). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.sandworm_team](https://vuldb.com/?actor.sandworm_team)
@ -34,13 +34,9 @@ ID | IP address | Hostname | Confidence
5 | 5.149.254.114 | mail1.auditoriavanzada.info | High
6 | 5.255.87.39 | - | High
7 | 31.210.111.154 | . | High
8 | 37.220.34.56 | - | High
9 | 46.4.28.218 | static.218.28.4.46.clients.your-server.de | High
10 | 46.165.222.6 | - | High
11 | 46.165.222.28 | root.server-ke412.com | High
12 | ... | ... | ...
8 | ... | ... | ...
There are 22 more IOC items available. Please use our online service to access the data.
There are 26 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -51,11 +47,9 @@ ID | Technique | Description | Confidence
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | T1222 | Permission Issues | High
6 | ... | ... | ...
4 | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
There are 10 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -71,11 +65,36 @@ ID | Type | Indicator | Confidence
6 | File | `/cgi-bin/portal` | High
7 | File | `/common/vam_editXml.php` | High
8 | File | `/configs/application.ini` | High
9 | File | `/Monitoring-History.php` | High
10 | File | `/nova/bin/diskd` | High
11 | ... | ... | ...
9 | File | `/dl/dl_print.php` | High
10 | File | `/moddable/xs/sources/xsDebug.c` | High
11 | File | `/Monitoring-History.php` | High
12 | File | `/nova/bin/diskd` | High
13 | File | `/phppath/php` | Medium
14 | File | `/portal/api/style/edit-theme-set/template-sources` | High
15 | File | `/rpc/api` | Medium
16 | File | `/rup` | Low
17 | File | `/StdC/Ap4StdCFileByteStream.cpp` | High
18 | File | `/uncpath/` | Medium
19 | File | `/user-utils/users/md5.json` | High
20 | File | `/var/log/nginx` | High
21 | File | `/webapps/blogs-journals/execute/editBlogEntry` | High
22 | File | `/wordpress/wp-admin/admin.php` | High
23 | File | `/wp-json` | Medium
24 | File | `adclick.php` | Medium
25 | File | `add.php` | Low
26 | File | `add.php/del.php` | High
27 | File | `add_comment.php` | High
28 | File | `admin-ajax.php` | High
29 | File | `admin.php` | Medium
30 | File | `admin/adminsignin.html` | High
31 | File | `admin/forums.php` | High
32 | File | `admin/google_search_console/class-gsc-table.php` | High
33 | File | `admin/infoclass_update.php` | High
34 | File | `admin/menus/edit.php` | High
35 | File | `admin/system/admin/certificates/delete` | High
36 | ... | ... | ...
There are 319 more IOA items available. Please use our online service to access the data.
There are 305 more IOA items available. Please use our online service to access the data.
## References
@ -91,9 +110,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

84
Silence/README.md
View File

@ -1,6 +1,6 @@
# Silence - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Silence](https://vuldb.com/?actor.silence). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Silence](https://vuldb.com/?actor.silence). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.silence](https://vuldb.com/?actor.silence)
@ -9,11 +9,11 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Silence:
* US
* DE
* IT
* CN
* GB
* ...
There are 19 more country items available. Please use our online service to access the data.
There are 25 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -28,7 +28,7 @@ ID | IP address | Hostname | Confidence
5 | 5.39.218.210 | mail.qbmail.biz | High
6 | 5.39.221.46 | - | High
7 | 5.39.221.60 | - | High
8 | 5.154.191.105 | out-nc-weeknum.quotawise.com | High
8 | 5.154.191.105 | - | High
9 | 5.188.231.47 | - | High
10 | 5.188.231.89 | - | High
11 | 5.200.55.198 | - | High
@ -41,9 +41,14 @@ ID | IP address | Hostname | Confidence
18 | 46.183.221.37 | ip-221-37.dataclub.info | High
19 | 46.183.221.89 | ip-221-89.dataclub.info | High
20 | 51.255.200.161 | 161.ip-51-255-200.eu | High
21 | ... | ... | ...
21 | 54.36.191.97 | vps-58b2e5b8.vps.ovh.net | High
22 | 62.57.131.114 | 62.57.131.114.dyn.user.ono.com | High
23 | 74.220.215.239 | host239.hostmonster.com | High
24 | 77.246.145.82 | skoderyaru2.e-vds.ru | High
25 | 77.246.145.86 | znatokfinansov.ru | High
26 | ... | ... | ...
There are 106 more IOC items available. Please use our online service to access the data.
There are 101 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -51,14 +56,12 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1040 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | Cross Site Scripting | High
3 | T1068 | Execution with Unnecessary Privileges | High
4 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
5 | T1211 | 7PK Security Features | High
6 | ... | ... | ...
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 10 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -66,19 +69,44 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `%PROGRAMDATA%\checkmk\agent\local` | High
2 | File | `%SYSTEMDRIVE%\ProgramData\exclusions.dat` | High
3 | File | `..\WWWRoot\CustomPages\aspshell.asp` | High
4 | File | `.git/hooks/post-update` | High
5 | File | `.htaccess` | Medium
6 | File | `/.env` | Low
7 | File | `/.ssh/authorized_keys` | High
8 | File | `/1/?type=productinfo&S_id=140` | High
9 | File | `/?/admin/page/edit/3` | High
10 | File | `/?/admin/plugin/file_manager/browse/` | High
11 | ... | ... | ...
1 | File | `/?module=users&section=cpanel&page=list` | High
2 | File | `/admin/powerline` | High
3 | File | `/admin/syslog` | High
4 | File | `/api/upload` | Medium
5 | File | `/cgi-bin` | Medium
6 | File | `/cgi-bin/kerbynet` | High
7 | File | `/context/%2e/WEB-INF/web.xml` | High
8 | File | `/dcim/sites/add/` | High
9 | File | `/download` | Medium
10 | File | `/EXCU_SHELL` | Medium
11 | File | `/forum/away.php` | High
12 | File | `/fudforum/adm/hlplist.php` | High
13 | File | `/inc/extensions.php` | High
14 | File | `/login` | Low
15 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High
16 | File | `/monitoring` | Medium
17 | File | `/new` | Low
18 | File | `/proc/<pid>/status` | High
19 | File | `/public/plugins/` | High
20 | File | `/req_password_user.php` | High
21 | File | `/rom` | Low
22 | File | `/scripts/killpvhost` | High
23 | File | `/secure/QueryComponent!Default.jspa` | High
24 | File | `/src/main/java/com/dotmarketing/filters/CMSFilter.java` | High
25 | File | `/tmp` | Low
26 | File | `/tmp/redis.ds` | High
27 | File | `/uncpath/` | Medium
28 | File | `/ViewUserHover.jspa` | High
29 | File | `/WEB-INF/web.xml` | High
30 | File | `/wp-admin` | Medium
31 | File | `/wp-json/wc/v3/webhooks` | High
32 | File | `actions/CompanyDetailsSave.php` | High
33 | File | `ActiveServices.java` | High
34 | File | `addlink.php` | Medium
35 | File | `addtocart.asp` | High
36 | ... | ... | ...
There are 3749 more IOA items available. Please use our online service to access the data.
There are 308 more IOA items available. Please use our online service to access the data.
## References
@ -93,9 +121,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

17
Snake/README.md
View File

@ -1,6 +1,6 @@
# Snake - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Snake](https://vuldb.com/?actor.snake). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Snake](https://vuldb.com/?actor.snake). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.snake](https://vuldb.com/?actor.snake)
@ -56,16 +56,9 @@ ID | Type | Indicator | Confidence
1 | File | `/lists/admin/` | High
2 | File | `convert.c` | Medium
3 | File | `inc/autoload.function.php` | High
4 | File | `kernel/trace/ring_buffer.c` | High
5 | File | `libr/config/config.c` | High
6 | File | `page.php` | Medium
7 | File | `register.php` | Medium
8 | File | `simpleupload.py` | High
9 | File | `syscheck/seechanges.c` | High
10 | File | `wp-admin/user-new.php` | High
11 | ... | ... | ...
4 | ... | ... | ...
There are 7 more IOA items available. Please use our online service to access the data.
There are 14 more IOA items available. Please use our online service to access the data.
## References
@ -77,9 +70,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

79
StealthyTrident/README.md
View File

@ -1,6 +1,6 @@
# StealthyTrident - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [StealthyTrident](https://vuldb.com/?actor.stealthytrident). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [StealthyTrident](https://vuldb.com/?actor.stealthytrident). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.stealthytrident](https://vuldb.com/?actor.stealthytrident)
@ -38,7 +38,7 @@ ID | Technique | Description | Confidence
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 4 more TTP items available. Please use our online service to access the data.
There are 3 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -46,19 +46,66 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `!pwds.txt/!nicks.txt` | High
2 | File | `%00` | Low
3 | File | `%windir%\Internet Logs\` | High
4 | File | `.asppp.fifo` | Medium
5 | File | `.folder` | Low
6 | File | `.ldaprc` | Low
7 | File | `.php` | Low
8 | File | `.php.rar` | Medium
9 | File | `.user` | Low
10 | File | `/*` | Low
11 | ... | ... | ...
1 | File | `.user` | Low
2 | File | `/.perf` | Low
3 | File | `/admin/` | Low
4 | File | `/caucho-status` | High
5 | File | `/cgi-bin/readfile.tcl` | High
6 | File | `/etc/password` | High
7 | File | `/php/` | Low
8 | File | `/Pwrchute` | Medium
9 | File | `/status` | Low
10 | File | `/var/yp` | Low
11 | File | `/_vti_pvt/access.cnf` | High
12 | File | `1.TEXT` | Low
13 | File | `14all.cgi` | Medium
14 | File | `500error.jsp` | Medium
15 | File | `ab.c` | Low
16 | File | `account_update.php` | High
17 | File | `add.php` | Low
18 | File | `addentry.cgi` | Medium
19 | File | `addressbook.php/options.php/search.php/help.php` | High
20 | File | `admin.html` | Medium
21 | File | `admin.php` | Medium
22 | File | `admin/auth/checksession.php` | High
23 | File | `administrator/phpinfo.php` | High
24 | File | `AdminViewError/AdminAddadmin` | High
25 | File | `admin_ug_auth.php` | High
26 | File | `admin_user.db` | High
27 | File | `advserver.exe` | High
28 | File | `ad_member.php` | High
29 | File | `agentadmin.php` | High
30 | File | `aolsecurityprivate.class` | High
31 | File | `article.php` | Medium
32 | File | `artlist.php` | Medium
33 | File | `astrocam.cgi` | Medium
34 | File | `as_web.exe/as_web4.exe` | High
35 | File | `athcgi.exe` | Medium
36 | File | `auction.cgi` | Medium
37 | File | `auth.inc.php` | Medium
38 | File | `axspawn.c` | Medium
39 | File | `backend.php/screen.php/comment.php` | High
40 | File | `badmin.c` | Medium
41 | File | `books.php` | Medium
42 | File | `bttv-driver.c` | High
43 | File | `bugzilla_email_append.pl` | High
44 | File | `bug_update_advanced_page.php/bug_update_page.php/view_bug_advanced_page.php/view_bug_page.php` | High
45 | File | `calendar.php` | Medium
46 | File | `category.cfm` | Medium
47 | File | `cgi-bin` | Low
48 | File | `cgi-bin/` | Medium
49 | File | `cgicso.c` | Medium
50 | File | `cgitest.exe` | Medium
51 | File | `charities.cron` | High
52 | File | `check_me.mod.php` | High
53 | File | `chetcpasswd.cgi` | High
54 | File | `cio_main.c` | Medium
55 | File | `clear_cookies.php` | High
56 | File | `CodeBrws.asp` | Medium
57 | File | `colegal.htm` | Medium
58 | ... | ... | ...
There are 6570 more IOA items available. Please use our online service to access the data.
There are 507 more IOA items available. Please use our online service to access the data.
## References
@ -70,9 +117,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

28
Strider/README.md
View File

@ -1,6 +1,6 @@
# Strider - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Strider](https://vuldb.com/?actor.strider). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Strider](https://vuldb.com/?actor.strider). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.strider](https://vuldb.com/?actor.strider)
@ -19,7 +19,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* DE
* ...
There are 4 more country items available. Please use our online service to access the data.
There are 5 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -30,10 +30,9 @@ ID | IP address | Hostname | Confidence
1 | 37.252.125.88 | - | High
2 | 54.209.129.218 | ec2-54-209-129-218.compute-1.amazonaws.com | Medium
3 | 66.228.52.133 | li294-133.members.linode.com | High
4 | 81.4.108.168 | darkhshadow.co.uk | High
5 | ... | ... | ...
4 | ... | ... | ...
There are 7 more IOC items available. Please use our online service to access the data.
There are 8 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -55,18 +54,11 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.procmailrc` | Medium
2 | File | `BC_Logon.swf` | Medium
3 | File | `C:\Windows\SysWOW64\webcenter\web.exe` | High
4 | File | `index.php` | Medium
5 | File | `libfaad/bits.c` | High
6 | File | `modules/mappers/mod_rewrite.c` | High
7 | File | `wp-includes/pluggable.php` | High
8 | Library | `C:\Windows\System32\DriverStore\FileRepository\prnms003.inf_amd64_4592475aca2acf83\Amd64\printconfig.dll` | High
9 | Library | `lib/user/sfBasicSecurityUser.class.php` | High
10 | Library | `nvwgf2um/x.dll` | High
11 | ... | ... | ...
2 | File | `article.php` | Medium
3 | File | `BC_Logon.swf` | Medium
4 | ... | ... | ...
There are 4 more IOA items available. Please use our online service to access the data.
There are 22 more IOA items available. Please use our online service to access the data.
## References
@ -78,9 +70,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

6
Suckfly/README.md
View File

@ -1,6 +1,6 @@
# Suckfly - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Suckfly](https://vuldb.com/?actor.suckfly). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Suckfly](https://vuldb.com/?actor.suckfly). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.suckfly](https://vuldb.com/?actor.suckfly)
@ -40,9 +40,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

69
TA505/README.md
View File

@ -1,6 +1,6 @@
# TA505 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [TA505](https://vuldb.com/?actor.ta505). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [TA505](https://vuldb.com/?actor.ta505). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.ta505](https://vuldb.com/?actor.ta505)
@ -24,7 +24,7 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* RU
* ...
There are 21 more country items available. Please use our online service to access the data.
There are 16 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -36,22 +36,15 @@ ID | IP address | Hostname | Confidence
2 | 5.149.254.25 | bmc.srv60.swdc.ams1.nl.fortunix.net | High
3 | 27.102.118.143 | - | High
4 | 37.59.52.229 | bemta-05.srv.sopeople.net | High
5 | 45.8.126.7 | eltopasla.example.com | High
5 | 45.8.126.7 | mail01.bivoic.com | High
6 | 45.63.101.210 | 45.63.101.210.vultr.com | Medium
7 | 45.76.206.149 | 45.76.206.149.vultr.com | Medium
8 | 45.76.223.177 | 45.76.223.177.vultr.com | Medium
9 | 45.77.16.211 | 45.77.16.211.vultr.com | Medium
10 | 46.161.27.241 | - | High
11 | 66.42.45.55 | 66.42.45.55.vultr.com | Medium
12 | 79.141.171.160 | mouse.panjiva.org.uk | High
13 | 91.214.124.20 | - | High
14 | 91.214.124.25 | - | High
15 | 92.38.135.88 | kingjohn2.com | High
16 | 92.38.135.134 | henrykxyealy.com | High
17 | 94.44.166.189 | apn-94-44-166-189.vodafone.hu | High
18 | ... | ... | ...
11 | ... | ... | ...
There are 34 more IOC items available. Please use our online service to access the data.
There are 41 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -62,10 +55,9 @@ ID | Technique | Description | Confidence
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | ... | ... | ...
4 | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -75,17 +67,48 @@ ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `/admin/config.php?display=disa&view=form` | High
3 | File | `/api/addusers` | High
4 | File | `/cgi-bin/webproc` | High
3 | File | `/cgi-bin/webproc` | High
4 | File | `/common/ticket_associated_tickets.php` | High
5 | File | `/dus/shopliste/index.php` | High
6 | File | `/etc/path` | Medium
7 | File | `/etc/shadow` | Medium
8 | File | `/inc/parser/xhtml.php` | High
9 | File | `/modules/tasks/summary.inc.php` | High
10 | File | `/nagiosql/admin/checkcommands.php` | High
11 | ... | ... | ...
9 | File | `/include/chart_generator.php` | High
10 | File | `/modules/tasks/summary.inc.php` | High
11 | File | `/nagiosql/admin/checkcommands.php` | High
12 | File | `/rest/api/2/user/picker` | High
13 | File | `/secure/QueryComponent!Default.jspa` | High
14 | File | `/sendKey` | Medium
15 | File | `/tmp` | Low
16 | File | `/ui/artifactimport/upload` | High
17 | File | `/uncpath/` | Medium
18 | File | `/usr/5bin/su` | Medium
19 | File | `/usr/bin/mail` | High
20 | File | `/var/dt/` | Medium
21 | File | `/var/WEB-GUI/cgi-bin/telnet.cgi` | High
22 | File | `00.jsp` | Low
23 | File | `account_activations/edit` | High
24 | File | `adclick.php` | Medium
25 | File | `AddResolution.jspa` | High
26 | File | `admin.asp` | Medium
27 | File | `admin.php` | Medium
28 | File | `admin/` | Low
29 | File | `admin/manage-comments.php` | High
30 | File | `administration/comments.php` | High
31 | File | `AdminViewError/AdminAddadmin` | High
32 | File | `agentdisplay.php` | High
33 | File | `ajax.php` | Medium
34 | File | `ajaxhelper.php` | High
35 | File | `app/call_centers/cmd.php` | High
36 | File | `arch/x86/kvm/hyperv.c` | High
37 | File | `ashnews.php/ashheadlines.php` | High
38 | File | `auction.cgi` | Medium
39 | File | `autologin.jsp` | High
40 | File | `axspawn.c` | Medium
41 | File | `backup.php` | Medium
42 | ... | ... | ...
There are 423 more IOA items available. Please use our online service to access the data.
There are 361 more IOA items available. Please use our online service to access the data.
## References
@ -104,9 +127,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

11
TA544/README.md
View File

@ -1,6 +1,6 @@
# TA544 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [TA544](https://vuldb.com/?actor.ta544). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [TA544](https://vuldb.com/?actor.ta544). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.ta544](https://vuldb.com/?actor.ta544)
@ -30,10 +30,9 @@ ID | IP address | Hostname | Confidence
1 | 62.109.29.101 | imlejnnn.fvds.ru | High
2 | 69.55.49.159 | - | High
3 | 69.162.82.26 | 26-82-162-69.static.reverse.lstn.net | High
4 | 69.194.192.229 | - | High
5 | ... | ... | ...
4 | ... | ... | ...
There are 6 more IOC items available. Please use our online service to access the data.
There are 7 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -78,9 +77,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

6
Tinba/README.md
View File

@ -1,6 +1,6 @@
# Tinba - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Tinba](https://vuldb.com/?actor.tinba). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Tinba](https://vuldb.com/?actor.tinba). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.tinba](https://vuldb.com/?actor.tinba)
@ -27,9 +27,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

11
Tonto Team/README.md
View File

@ -1,6 +1,6 @@
# Tonto Team - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Tonto Team](https://vuldb.com/?actor.tonto_team). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Tonto Team](https://vuldb.com/?actor.tonto_team). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.tonto_team](https://vuldb.com/?actor.tonto_team)
@ -36,8 +36,9 @@ ID | Type | Indicator | Confidence
1 | File | `/webmail/` | Medium
2 | File | `scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS` | High
3 | File | `wap/index.php` | High
4 | Argument | `creditsformula` | High
5 | Argument | `username` | Medium
4 | ... | ... | ...
There are 2 more IOA items available. Please use our online service to access the data.
## References
@ -49,9 +50,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

86
TrickBot/README.md
View File

@ -8,12 +8,8 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with TrickBot:
* US
* RU
* ES
* ...
There are 38 more country items available. Please use our online service to access the data.
* VN
* CN
## IOC - Indicator of Compromise
@ -41,9 +37,50 @@ ID | IP address | Hostname | Confidence
18 | 23.21.48.44 | ec2-23-21-48-44.compute-1.amazonaws.com | Medium
19 | 23.21.252.4 | ec2-23-21-252-4.compute-1.amazonaws.com | Medium
20 | 23.94.233.210 | 23-94-233-210-host.colocrossing.com | High
21 | ... | ... | ...
21 | 23.96.30.229 | - | High
22 | 23.160.192.125 | unknown.ip-xfer.net | High
23 | 23.160.193.106 | unknown.ip-xfer.net | High
24 | 27.72.107.215 | dynamic-ip-adsl.viettel.vn | High
25 | 34.117.59.81 | 81.59.117.34.bc.googleusercontent.com | Medium
26 | 36.89.191.119 | - | High
27 | 36.89.193.181 | - | High
28 | 36.89.193.235 | - | High
29 | 36.94.27.124 | - | High
30 | 36.94.100.202 | - | High
31 | 37.228.70.134 | - | High
32 | 37.230.114.93 | admin1.fvds.ru | High
33 | 37.230.114.248 | kosmolot.com | High
34 | 37.230.115.133 | wdai.io | High
35 | 37.230.115.138 | i2.com | High
36 | 37.230.115.184 | 21922vdscom.com | High
37 | 43.245.216.116 | - | High
38 | 45.6.16.68 | - | High
39 | 45.167.249.126 | - | High
40 | 45.178.142.14 | - | High
41 | 45.201.134.202 | - | High
42 | 45.229.71.211 | static-45-229-71-211.extrememt.com.br | High
43 | 45.234.248.154 | 45.-234.248-154.rev.voanet.br | High
44 | 46.8.21.10 | 53980.web.hosting-russia.ru | High
45 | 46.8.21.113 | 64403.web.hosting-russia.ru | High
46 | 46.209.140.220 | - | High
47 | 46.254.128.174 | 46.254.128.174.lanultra.net | High
48 | 49.156.34.134 | - | High
49 | 51.38.101.194 | - | High
50 | 51.77.92.215 | - | High
51 | 51.81.112.144 | - | High
52 | 51.89.115.116 | tombe.nationfox.net | High
53 | 52.0.197.231 | ec2-52-0-197-231.compute-1.amazonaws.com | Medium
54 | 52.20.197.7 | ec2-52-20-197-7.compute-1.amazonaws.com | Medium
55 | 52.204.109.97 | ec2-52-204-109-97.compute-1.amazonaws.com | Medium
56 | 54.39.106.25 | ns560342.ip-54-39-106.net | High
57 | 54.221.253.252 | ec2-54-221-253-252.compute-1.amazonaws.com | Medium
58 | 62.64.9.237 | clients-62.64.9.237.misp.ru | High
59 | 62.109.2.172 | megamart24.ru | High
60 | 62.109.6.188 | velomarket31.ru | High
61 | 62.109.14.24 | btc-manager1.ru | High
62 | ... | ... | ...
There are 286 more IOC items available. Please use our online service to access the data.
There are 245 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -54,11 +91,9 @@ ID | Technique | Description | Confidence
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | T1222 | Permission Issues | High
6 | ... | ... | ...
4 | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
There are 6 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -66,19 +101,20 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.htaccess` | Medium
2 | File | `.user` | Low
3 | File | `/$({curl` | Medium
4 | File | `/+CSCOE+/logon.html` | High
5 | File | `/.env` | Low
6 | File | `/accounts/password_change/` | High
7 | File | `/addWhiteListDomain.imss` | High
8 | File | `/adfs/ls` | Medium
9 | File | `/admin/ajax/upload-logo` | High
10 | File | `/admin/config.php?display=backup` | High
11 | ... | ... | ...
1 | File | `/admin/login.php` | High
2 | File | `/ajax_crud` | Medium
3 | File | `/core/table/query` | High
4 | File | `/dev/ion` | Medium
5 | File | `/ecma/operations/ecma-objects.c` | High
6 | File | `/GetCopiedFile` | High
7 | File | `/hdf5/src/H5T.c` | High
8 | File | `/leave_system/classes/Login.php` | High
9 | File | `/risque/administration/referentiel/json/create/categorie` | High
10 | File | `/rsms/` | Low
11 | File | `/uncpath/` | Medium
12 | ... | ... | ...
There are 1043 more IOA items available. Please use our online service to access the data.
There are 90 more IOA items available. Please use our online service to access the data.
## References
@ -107,4 +143,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

14
Triton/README.md
View File

@ -1,6 +1,6 @@
# Triton - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Triton](https://vuldb.com/?actor.triton). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Triton](https://vuldb.com/?actor.triton). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.triton](https://vuldb.com/?actor.triton)
@ -37,11 +37,9 @@ ID | Type | Indicator | Confidence
1 | File | `/+CSCOE+/logon.html` | High
2 | File | `cgi-bin/MANGA/admin.cgi` | High
3 | File | `index.php` | Medium
4 | File | `webmail.php` | Medium
5 | Argument | `bauth` | Low
6 | Argument | `tag` | Low
7 | Input Value | `::$Index_Allocation` | High
8 | Network Port | `Web Server Port` | High
4 | ... | ... | ...
There are 5 more IOA items available. Please use our online service to access the data.
## References
@ -53,9 +51,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

31
Turla/README.md
View File

@ -1,6 +1,6 @@
# Turla - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Turla](https://vuldb.com/?actor.turla). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Turla](https://vuldb.com/?actor.turla). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.turla](https://vuldb.com/?actor.turla)
@ -17,10 +17,10 @@ These countries are directly (e.g. origin of attacks) or indirectly (e.g. access
* FR
* US
* AT
* RO
* ...
There are 1 more country items available. Please use our online service to access the data.
There are 2 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -37,15 +37,9 @@ ID | IP address | Hostname | Confidence
7 | 72.232.222.58 | HOST.MJSHOSTING.COM | High
8 | 77.232.99.77 | - | High
9 | 80.74.145.80 | volta.ch-meta.net | High
10 | 80.88.134.172 | - | High
11 | 80.248.65.183 | - | High
12 | 81.223.14.100 | 81-223-14-100.static.upcbusiness.at | High
13 | 82.77.184.252 | static.82.77.184.252.constanta.rdsnet.ro | High
14 | 82.113.19.72 | 72.19.113.82.monaco-telecom.net | High
15 | 82.113.19.75 | 75.19.113.82.monaco-telecom.net | High
16 | ... | ... | ...
10 | ... | ... | ...
There are 28 more IOC items available. Please use our online service to access the data.
There are 34 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -58,7 +52,7 @@ ID | Technique | Description | Confidence
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 6 more TTP items available. Please use our online service to access the data.
There are 8 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -76,9 +70,14 @@ ID | Type | Indicator | Confidence
8 | File | `/jsonrpc` | Medium
9 | File | `/product.php` | Medium
10 | File | `/ram/pckg/advanced-tools/nova/bin/netwatch` | High
11 | ... | ... | ...
11 | File | `/registerCpe` | Medium
12 | File | `/rest/collectors/1.0/template/custom` | High
13 | File | `/system?action=ServiceAdmin` | High
14 | File | `/uncpath/` | Medium
15 | File | `/Uploads` | Medium
16 | ... | ... | ...
There are 132 more IOA items available. Please use our online service to access the data.
There are 130 more IOA items available. Please use our online service to access the data.
## References
@ -98,9 +97,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

7
UP007/README.md
View File

@ -1,6 +1,6 @@
# UP007 - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [UP007](https://vuldb.com/?actor.up007). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [UP007](https://vuldb.com/?actor.up007). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.up007](https://vuldb.com/?actor.up007)
@ -9,6 +9,7 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with UP007:
* CN
* KR
## IOC - Indicator of Compromise
@ -42,9 +43,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

17
Vobfus/README.md
View File

@ -1,6 +1,6 @@
# Vobfus - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Vobfus](https://vuldb.com/?actor.vobfus). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Vobfus](https://vuldb.com/?actor.vobfus). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.vobfus](https://vuldb.com/?actor.vobfus)
@ -51,15 +51,10 @@ ID | Type | Indicator | Confidence
2 | File | `/uncpath/` | Medium
3 | File | `/webpages/data` | High
4 | File | `account.asp` | Medium
5 | File | `ajax/api/hook/getHookList` | High
6 | File | `burl.c` | Low
7 | File | `cgi-bin/` | Medium
8 | File | `comersus_optreviewreadexec.asp` | High
9 | File | `crontab/run_billing.php` | High
10 | File | `daemon.c` | Medium
11 | ... | ... | ...
5 | File | `admin\model\catalog\download.php` | High
6 | ... | ... | ...
There are 35 more IOA items available. Please use our online service to access the data.
There are 43 more IOA items available. Please use our online service to access the data.
## References
@ -71,9 +66,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

14
Windigo/README.md
View File

@ -1,6 +1,6 @@
# Windigo - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Windigo](https://vuldb.com/?actor.windigo). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Windigo](https://vuldb.com/?actor.windigo). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.windigo](https://vuldb.com/?actor.windigo)
@ -45,11 +45,9 @@ ID | Type | Indicator | Confidence
1 | File | `/uncpath/` | Medium
2 | File | `/var/log/restjavad.0.log` | High
3 | File | `init.php` | Medium
4 | File | `products.php` | Medium
5 | File | `virtualinput.cgi` | High
6 | Argument | `id` | Low
7 | Argument | `IEM_CookieLogin` | High
8 | Input Value | `[\w]*` | Low
4 | ... | ... | ...
There are 5 more IOA items available. Please use our online service to access the data.
## References
@ -61,9 +59,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

6
Wiper/README.md
View File

@ -1,6 +1,6 @@
# Wiper - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Wiper](https://vuldb.com/?actor.wiper). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Wiper](https://vuldb.com/?actor.wiper). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.wiper](https://vuldb.com/?actor.wiper)
@ -27,9 +27,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

6
Wirte/README.md
View File

@ -1,6 +1,6 @@
# Wirte - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Wirte](https://vuldb.com/?actor.wirte). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Wirte](https://vuldb.com/?actor.wirte). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.wirte](https://vuldb.com/?actor.wirte)
@ -47,9 +47,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

66
Wocao/README.md
View File

@ -1,6 +1,6 @@
# Wocao - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Wocao](https://vuldb.com/?actor.wocao). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Wocao](https://vuldb.com/?actor.wocao). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.wocao](https://vuldb.com/?actor.wocao)
@ -15,11 +15,11 @@ The following campaigns are known and can be associated with Wocao:
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Wocao:
* US
* ES
* NZ
* RU
* DE
* ...
There are 28 more country items available. Please use our online service to access the data.
There are 1 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -30,12 +30,9 @@ ID | IP address | Hostname | Confidence
1 | 23.254.211.108 | hwsrv-871243.hostwindsdns.com | High
2 | 31.222.185.215 | 31-222-185-215.static.cloud-ips.co.uk | High
3 | 45.77.229.10 | 45.77.229.10.vultr.com | Medium
4 | 46.101.153.58 | - | High
5 | 46.182.106.190 | tor-exit.critical.cat | High
6 | 62.141.37.236 | vps2185324.fastwebserver.de | High
7 | ... | ... | ...
4 | ... | ... | ...
There are 10 more IOC items available. Please use our online service to access the data.
There are 13 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -43,14 +40,12 @@ Tactics, techniques, and procedures summarize the suspected ATT&CK techniques us
ID | Technique | Description | Confidence
-- | --------- | ----------- | ----------
1 | T1008 | Algorithm Downgrade | High
2 | T1040 | Authentication Bypass by Capture-replay | High
3 | T1059.007 | Cross Site Scripting | High
4 | T1068 | Execution with Unnecessary Privileges | High
5 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
6 | ... | ... | ...
1 | T1040 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | Cross Site Scripting | High
3 | T1068 | Execution with Unnecessary Privileges | High
4 | ... | ... | ...
There are 11 more TTP items available. Please use our online service to access the data.
There are 10 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -58,19 +53,30 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `%LOCALAPPDATA%\SaferVPN\Log` | High
2 | File | `%PROGRAMDATA%\ASUS\GamingCenterLib` | High
3 | File | `%PROGRAMDATA%\OpenVPN Connect\drivers\tap\amd64\win10` | High
4 | File | `%PROGRAMDATA%\Razer Chroma\SDK\Apps` | High
5 | File | `%PROGRAMFILES(X86)%/Aternity Information Systems/Assistant/plugins` | High
6 | File | `%PROGRAMFILES(X86)%\Teradici\PCoIP.exe` | High
7 | File | `%SYSTEMDRIVE%\Course Software Material 18.0.1.9\cmd.exe` | High
8 | File | `%SYSTEMDRIVE%\node_modules\.bin\wmic.exe` | High
9 | File | `.authlie` | Medium
10 | File | `.config/Yubico` | High
11 | ... | ... | ...
1 | File | `/admin/index.php?lfj=friendlink&action=add` | High
2 | File | `/admin/login.php` | High
3 | File | `/ajax_crud` | Medium
4 | File | `/api/ZRMacClone/mac_addr_clone` | High
5 | File | `/base/ecma-helpers-string.c` | High
6 | File | `/cms/ajax.php` | High
7 | File | `/core/table/query` | High
8 | File | `/debug/pprof` | Medium
9 | File | `/dev/ion` | Medium
10 | File | `/ecma/operations/ecma-objects.c` | High
11 | File | `/GetCopiedFile` | High
12 | File | `/hdf5/src/H5Dchunk.c` | High
13 | File | `/hdf5/src/H5Fint.c` | High
14 | File | `/include/web_check.php` | High
15 | File | `/jerry-core/ecma/base/ecma-literal-storage.c` | High
16 | File | `/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c` | High
17 | File | `/jerry-core/parser/js/js-parser-expr.c` | High
18 | File | `/leave_system/classes/Login.php` | High
19 | File | `/member/post.php?job=postnew&step=post` | High
20 | File | `/message-bus/_diagnostics` | High
21 | File | `/mobile/SelectUsers.jsp` | High
22 | ... | ... | ...
There are 6479 more IOA items available. Please use our online service to access the data.
There are 182 more IOA items available. Please use our online service to access the data.
## References
@ -82,9 +88,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

15
XDSpy/README.md
View File

@ -1,6 +1,6 @@
# XDSpy - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [XDSpy](https://vuldb.com/?actor.xdspy). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [XDSpy](https://vuldb.com/?actor.xdspy). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.xdspy](https://vuldb.com/?actor.xdspy)
@ -40,12 +40,9 @@ ID | Type | Indicator | Confidence
1 | File | `data/gbconfiguration.dat` | High
2 | File | `functions.inc.php` | High
3 | File | `inc/config.php` | High
4 | File | `text.ctrl.php` | High
5 | Argument | `basePath` | Medium
6 | Argument | `Content-Length` | High
7 | Argument | `level` | Low
8 | Argument | `show_alias` | Medium
9 | Pattern | `Content-Length|3A|` | High
4 | ... | ... | ...
There are 6 more IOA items available. Please use our online service to access the data.
## References
@ -57,9 +54,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

12
Xcnfe/README.md
View File

@ -1,6 +1,6 @@
# Xcnfe - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Xcnfe](https://vuldb.com/?actor.xcnfe). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Xcnfe](https://vuldb.com/?actor.xcnfe). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.xcnfe](https://vuldb.com/?actor.xcnfe)
@ -13,11 +13,9 @@ ID | IP address | Hostname | Confidence
1 | 8.249.221.254 | - | High
2 | 8.249.225.254 | - | High
3 | 72.21.81.240 | - | High
4 | 104.23.98.190 | - | High
5 | 104.23.99.190 | - | High
6 | ... | ... | ...
4 | ... | ... | ...
There are 9 more IOC items available. Please use our online service to access the data.
There are 11 more IOC items available. Please use our online service to access the data.
## References
@ -29,9 +27,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

67
Zbot/README.md
View File

@ -9,11 +9,11 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Zbot:
* US
* GR
* IT
* ES
* RU
* ...
There are 15 more country items available. Please use our online service to access the data.
There are 16 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -41,9 +41,30 @@ ID | IP address | Hostname | Confidence
18 | 45.60.77.201 | - | High
19 | 49.212.235.209 | www3469.sakura.ne.jp | High
20 | 50.72.177.24 | S01069050ca30b943.wp.shawcable.net | High
21 | ... | ... | ...
21 | 50.116.43.143 | li480-143.members.linode.com | High
22 | 51.178.156.9 | ip9.ip-51-178-156.eu | High
23 | 52.85.132.44 | server-52-85-132-44.iad50.r.cloudfront.net | High
24 | 52.137.90.34 | - | High
25 | 52.185.71.28 | - | High
26 | 58.1.158.10 | ntaich204010.aich.nt.ngn.ppp.infoweb.ne.jp | High
27 | 58.68.2.214 | - | High
28 | 58.185.131.158 | - | High
29 | 59.90.221.6 | static.bb.hyd.59.90.221.6.bsnl.in | High
30 | 60.244.81.6 | 60-244-81-6.apol.com.tw | High
31 | 61.7.235.35 | - | High
32 | 61.32.242.131 | - | High
33 | 62.49.180.189 | - | High
34 | 64.219.121.189 | - | High
35 | 65.55.50.189 | - | High
36 | 66.34.208.39 | - | High
37 | 66.117.77.134 | 66-117-77-134.gohighspeed.com | High
38 | 66.151.138.85 | c-66-151-138-85.inap-sj.nfoservers.com | High
39 | 66.214.95.108 | 066-214-095-108.res.spectrum.com | High
40 | 68.13.34.171 | ip68-13-34-171.om.om.cox.net | High
41 | 69.39.74.6 | mail.marrsterry.com | High
42 | ... | ... | ...
There are 186 more IOC items available. Please use our online service to access the data.
There are 165 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -56,7 +77,7 @@ ID | Technique | Description | Confidence
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | ... | ... | ...
There are 3 more TTP items available. Please use our online service to access the data.
There are 7 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -64,19 +85,27 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `/cartstore/cartstoreadmin/orders.php` | High
2 | File | `/dev/kvm` | Medium
3 | File | `/forum/away.php` | High
4 | File | `/mnt/mtd/app/config/ProductConfig.xml` | High
5 | File | `/principals` | Medium
6 | File | `/uncpath/` | Medium
7 | File | `/var/log/nginx` | High
8 | File | `/wp-admin/admin-ajax.php` | High
9 | File | `4.2.0.CP03` | Medium
10 | File | `CGIProxy.fcgi?cmd=setTelnetSwitch` | High
11 | ... | ... | ...
1 | File | `/?ajax-request=jnews` | High
2 | File | `/admin/admin.php` | High
3 | File | `/admin/imageslider/file.php` | High
4 | File | `/cgi-bin/luci` | High
5 | File | `/core/vb/vurl.php` | High
6 | File | `/etc/ldap.conf` | High
7 | File | `/importTool/preview` | High
8 | File | `/mods/_core/courses/users/create_course.php` | High
9 | File | `/phppath/php` | Medium
10 | File | `/plugins/Dashboard/Controller.php` | High
11 | File | `/server-status` | High
12 | File | `/uncpath/` | Medium
13 | File | `adclick.php` | Medium
14 | File | `add_comment.php` | High
15 | File | `admin-ajax.php` | High
16 | File | `admin.php` | Medium
17 | File | `admin/class-bulk-editor-list-table.php` | High
18 | File | `ajax/render/widget_php` | High
19 | ... | ... | ...
There are 89 more IOA items available. Please use our online service to access the data.
There are 152 more IOA items available. Please use our online service to access the data.
## References
@ -108,4 +137,4 @@ The following articles explain our unique predictive cyber threat intelligence:
## License
(c) [1997-2021](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

75
Zeus/README.md
View File

@ -1,6 +1,6 @@
# Zeus - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [Zeus](https://vuldb.com/?actor.zeus). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [Zeus](https://vuldb.com/?actor.zeus). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.zeus](https://vuldb.com/?actor.zeus)
@ -8,12 +8,12 @@ Live data and more analysis capabilities are available at [https://vuldb.com/?ac
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Zeus:
* DE
* ES
* US
* RU
* FR
* ...
There are 24 more country items available. Please use our online service to access the data.
There are 7 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -41,9 +41,31 @@ ID | IP address | Hostname | Confidence
18 | 60.13.186.5 | - | High
19 | 60.241.184.209 | 60-241-184-209.static.tpgi.com.au | High
20 | 62.14.215.109 | 109.215.14.62.static.jazztel.es | High
21 | ... | ... | ...
21 | 63.249.131.74 | - | High
22 | 63.249.133.74 | - | High
23 | 63.249.138.74 | - | High
24 | 63.249.141.74 | - | High
25 | 63.249.142.74 | - | High
26 | 63.249.143.70 | - | High
27 | 63.249.143.74 | - | High
28 | 63.249.146.74 | - | High
29 | 63.249.147.74 | - | High
30 | 63.249.148.74 | - | High
31 | 64.70.19.202 | mailrelay.202.website.ws | High
32 | 64.74.223.48 | - | High
33 | 64.85.233.8 | astound-64-85-233-8.ca.astound.net | High
34 | 64.90.187.131 | 64.90.187.131.static.nyinternet.net | High
35 | 64.127.71.73 | vcg2-4.slc1.tnltd.net | High
36 | 64.182.0.64 | - | High
37 | 64.182.1.64 | - | High
38 | 64.182.6.64 | - | High
39 | 64.182.10.64 | - | High
40 | 64.182.12.64 | hobart2.dal01.corespace.com | High
41 | 64.182.13.64 | - | High
42 | 64.182.16.64 | - | High
43 | ... | ... | ...
There are 189 more IOC items available. Please use our online service to access the data.
There are 167 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -54,10 +76,9 @@ ID | Technique | Description | Confidence
1 | T1059.007 | Cross Site Scripting | High
2 | T1068 | Execution with Unnecessary Privileges | High
3 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
4 | T1211 | 7PK Security Features | High
5 | ... | ... | ...
4 | ... | ... | ...
There are 7 more TTP items available. Please use our online service to access the data.
There are 5 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -65,19 +86,27 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `%2a` | Low
2 | File | `%SYSTEMDRIVE%` | High
3 | File | `.asp` | Low
4 | File | `.htaccess` | Medium
5 | File | `.imwheelrc` | Medium
6 | File | `.joerc` | Low
7 | File | `.jpilot` | Low
8 | File | `.php` | Low
9 | File | `.plan` | Low
10 | File | `.procmailrc` | Medium
11 | ... | ... | ...
1 | File | `/cgi-bin/user/Config.cgi` | High
2 | File | `/htdocs/cgibin` | High
3 | File | `/payu/icpcheckout/` | High
4 | File | `/uncpath/` | Medium
5 | File | `/videotalk` | Medium
6 | File | `14all.cgi/14all-1.1.cgi/traffic.cgi/mrtg.cgi` | High
7 | File | `activity_log.php` | High
8 | File | `adm/systools.asp` | High
9 | File | `admin.php` | Medium
10 | File | `admin/getparam.cgi` | High
11 | File | `adminCons.php` | High
12 | File | `ajax_list_accounts.php` | High
13 | File | `asn1fix_retrieve.c` | High
14 | File | `auth-options.c` | High
15 | File | `bigsam_guestbook.php` | High
16 | File | `books.php` | Medium
17 | File | `card/pay/.../amount` | High
18 | File | `category.cfm` | Medium
19 | ... | ... | ...
There are 2494 more IOA items available. Please use our online service to access the data.
There are 152 more IOA items available. Please use our online service to access the data.
## References
@ -89,9 +118,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!

90
xHunt/README.md
View File

@ -1,6 +1,6 @@
# xHunt - Cyber Threat Intelligence
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?doc.cti) of the actor known as [xHunt](https://vuldb.com/?actor.xhunt). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
The indicators are related to [VulDB CTI analysis](https://vuldb.com/?kb.cti) of the actor known as [xHunt](https://vuldb.com/?actor.xhunt). The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.
Live data and more analysis capabilities are available at [https://vuldb.com/?actor.xhunt](https://vuldb.com/?actor.xhunt)
@ -15,11 +15,11 @@ The following campaigns are known and can be associated with xHunt:
These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with xHunt:
* US
* GB
* CN
* NL
* ...
There are 49 more country items available. Please use our online service to access the data.
There are 31 more country items available. Please use our online service to access the data.
## IOC - Indicator of Compromise
@ -34,13 +34,9 @@ ID | IP address | Hostname | Confidence
5 | 82.102.21.219 | - | High
6 | 84.17.55.68 | unn-84-17-55-68.cdn77.com | High
7 | 85.203.46.99 | - | High
8 | 89.26.241.70 | 70.serverhs.org | High
9 | 89.238.137.37 | no-mans-land.m247.com | High
10 | 89.238.139.52 | no-mans-land.m247.com | High
11 | 91.92.109.59 | - | High
12 | ... | ... | ...
8 | ... | ... | ...
There are 22 more IOC items available. Please use our online service to access the data.
There are 26 more IOC items available. Please use our online service to access the data.
## TTP - Tactics, Techniques, Procedures
@ -51,11 +47,9 @@ ID | Technique | Description | Confidence
1 | T1040 | Authentication Bypass by Capture-replay | High
2 | T1059.007 | Cross Site Scripting | High
3 | T1068 | Execution with Unnecessary Privileges | High
4 | T1110.001 | Improper Restriction of Excessive Authentication Attempts | High
5 | T1211 | 7PK Security Features | High
6 | ... | ... | ...
4 | ... | ... | ...
There are 8 more TTP items available. Please use our online service to access the data.
There are 9 more TTP items available. Please use our online service to access the data.
## IOA - Indicator of Attack
@ -63,19 +57,61 @@ These indicators of attack list the potential fragments used for technical activ
ID | Type | Indicator | Confidence
-- | ---- | --------- | ----------
1 | File | `.htaccess` | Medium
2 | File | `.procmailrc` | Medium
3 | File | `/.dbus-keyrings` | High
4 | File | `/.env` | Low
5 | File | `//etc/RT2870STA.dat` | High
6 | File | `/account/register` | High
7 | File | `/adfs/ls` | Medium
8 | File | `/admin/conferences/list/` | High
9 | File | `/admin/login.php` | High
10 | File | `/ajax-files/postComment.php` | High
11 | ... | ... | ...
1 | File | `.procmailrc` | Medium
2 | File | `/account/register` | High
3 | File | `/app1/admin#foo` | High
4 | File | `/articles/welcome-to-your-site#comments-head` | High
5 | File | `/assets/ctx` | Medium
6 | File | `/cgi-mod/lookup.cgi` | High
7 | File | `/cgi?` | Low
8 | File | `/cgi?1&5` | Medium
9 | File | `/ClickAndBanexDemo/admin/admin.asp` | High
10 | File | `/config/getuser` | High
11 | File | `/configs/application.ini` | High
12 | File | `/debug/pprof` | Medium
13 | File | `/forum/away.php` | High
14 | File | `/getcfg.php` | Medium
15 | File | `/gracemedia-media-player/templates/files/ajax_controller.php` | High
16 | File | `/iissamples/sdk/asp/interaction/Form_JScript.asp` | High
17 | File | `/index.php?controller=calendar&format=raw&cat[0]=SQLi&task=events` | High
18 | File | `/index.pl` | Medium
19 | File | `/iwgallery/admin/pictures_edit.asp` | High
20 | File | `/osm/REGISTER.cmd` | High
21 | File | `/plugin/file_manager/` | High
22 | File | `/public/plugins/` | High
23 | File | `/replication` | Medium
24 | File | `/restapi/v1/certificates/FFM-SSLInspect` | High
25 | File | `/sbin/gs_config` | High
26 | File | `/settings` | Medium
27 | File | `/Storage/Emulated/0/Telegram/Telegram` | High
28 | File | `/uncpath/` | Medium
29 | File | `/Upload/admin/index.php?module=forum-management&action=add` | High
30 | File | `/uploads/dede` | High
31 | File | `/var/log/messages` | High
32 | File | `/WEB-INF/web.xml` | High
33 | File | `/webman/info.cgi` | High
34 | File | `/wp-json/wc/v3/webhooks` | High
35 | File | `/_next` | Low
36 | File | `AccessPoint.aspx` | High
37 | File | `actions.hsp` | Medium
38 | File | `activateuser.aspx` | High
39 | File | `AdHocQuery_Processor.aspx` | High
40 | File | `admin.asp` | Medium
41 | File | `admin.php?m=admin&c=site&a=save` | High
42 | File | `admin/admin.asp` | High
43 | File | `admin/backupdb.php` | High
44 | File | `admin/bitrix.mpbuilder_step2.php` | High
45 | File | `admin/bitrix.xscan_worker.php` | High
46 | File | `admin/gb-dashboard-widget.php` | High
47 | File | `admin/images.aspx` | High
48 | File | `admin/login.asp` | High
49 | File | `admin/mcart_xls_import.php` | High
50 | File | `admin/modules/tools/ip_history_logs.php` | High
51 | File | `admin/orion.extfeedbackform_efbf_forms.php` | High
52 | File | `admin/ueditor/uploadFile` | High
53 | ... | ... | ...
There are 1788 more IOA items available. Please use our online service to access the data.
There are 458 more IOA items available. Please use our online service to access the data.
## References
@ -88,9 +124,9 @@ The following list contains external sources which discuss the actor and the ass
The following articles explain our unique predictive cyber threat intelligence:
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?doc.cti)
* [VulDB Cyber Threat Intelligence Documentation](https://vuldb.com/?kb.cti)
* [Cyber Threat Intelligence - Early Anticipation of Attacks](https://www.scip.ch/en/?labs.20201022)
## License
(c) [1997-2021](https://vuldb.com/?doc.changelog) by [vuldb.com](https://vuldb.com/?doc.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?doc.faq), read the [documentation](https://vuldb.com/?doc) or [contact us](https://vuldb.com/?contact)!
(c) [1997-2022](https://vuldb.com/?kb.changelog) by [vuldb.com](https://vuldb.com/?kb.about). All data on this page is shared under the license [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/). Questions? Check the [FAQ](https://vuldb.com/?kb.faq), read the [documentation](https://vuldb.com/?kb) or [contact us](https://vuldb.com/?contact)!