2023-06-23 09:10:04 +02:00

Remcos - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as Remcos. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.remcos

Campaigns

The following campaigns are known and can be associated with Remcos:

  • Ukraine

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Remcos:

There are 19 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of Remcos.


There are 933 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by Remcos. This data is unique as it uses our predictive model for actor profiling.

ID Technique Weakness Description Confidence
1 T1006 CWE-21, CWE-22, CWE-23, CWE-24, CWE-27, CWE-36, CWE-37, CWE-50 Pathname Traversal High
2 T1040 CWE-294, CWE-319 Authentication Bypass by Capture-replay High
3 T1055 CWE-74 Injection High
4 T1059 CWE-88, CWE-94, CWE-1321 Cross Site Scripting High
5 T1059.007 CWE-79, CWE-80 Cross Site Scripting High
6 ... ... ... ...

There are 20 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Remcos. This data is unique as it uses our predictive model for actor profiling.


There are 396 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence:

License

(c) 1997-2023 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!