cyber_threat_intelligence/actors/Nanocore RAT/README.md
2023-06-06 10:26:07 +02:00

Nanocore RAT - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as Nanocore RAT. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.nanocore_rat

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Nanocore RAT:

There are 9 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of Nanocore RAT.

There are 583 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by Nanocore RAT. This data is unique as it uses our predictive model for actor profiling.

| ID | Technique | Weakness | Description | Confidence |
|----|-----------|----------|-------------|------------|
| 1 | T1006 | CWE-21, CWE-22 | Pathname Traversal | High |
| 2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High |
| 3 | T1055 | CWE-74 | Injection | High |
| 4 | T1059 | CWE-88, CWE-94, CWE-1321 | Cross Site Scripting | High |
| 5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High |
| 6 | ... | ... | ... | ... |

There are 20 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Nanocore RAT. This data is unique as it uses our predictive model for actor profiling.

There are 538 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence:

License

(c) 1997-2023 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!