cyber_threat_intelligence/actors/Remcos/README.md
2023-06-06 10:26:07 +02:00
# Remcos - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as Remcos. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.remcos

## Campaigns

The following campaigns are known and can be associated with Remcos:

* Ukraine

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Remcos:

There are 19 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of Remcos.

| ID | IP address | Hostname | Campaign | Confidence |
|----|------------|----------|----------|------------|
| 1 | 2.58.47.203 | - | - | High |
| 2 | 3.13.31.214 | ec2-3-13-31-214.us-east-2.compute.amazonaws.com | - | Medium |
| 3 | 3.64.163.50 | ec2-3-64-163-50.eu-central-1.compute.amazonaws.com | - | Medium |
| 4 | 3.94.41.167 | ec2-3-94-41-167.compute-1.amazonaws.com | - | Medium |
| 5 | 3.230.36.58 | ec2-3-230-36-58.compute-1.amazonaws.com | - | Medium |
| 6 | 5.2.75.164 | - | - | High |
| 7 | 5.42.199.110 | - | - | High |
| 8 | 5.45.87.29 | - | - | High |
| 9 | 5.61.37.41 | - | - | High |
| 10 | 5.61.56.10 | - | - | High |
| 11 | 5.181.234.139 | - | - | High |
| 12 | 5.181.234.145 | - | - | High |
| 13 | 5.206.227.115 | 1877 | - | High |
| 14 | 5.249.226.166 | uw19.uniweb.no | - | High |
| 15 | 8.253.139.120 | - | - | High |
| 16 | 10.11.0.5 | - | - | High |
| 17 | 10.15.0.17 | - | - | High |
| 18 | 10.15.0.18 | - | - | High |
| 19 | 10.15.0.19 | - | - | High |
| 20 | 10.15.0.23 | - | - | High |
| 21 | 10.15.0.30 | - | - | High |
| 22 | 10.16.0.13 | - | - | High |
| 23 | 10.16.0.30 | - | - | High |
| 24 | 13.107.21.200 | - | - | High |
| 25 | 13.107.42.12 | 1drv.ms | - | High |
| 26 | 13.107.42.13 | - | - | High |
| 27 | 13.107.43.12 | - | - | High |
| 28 | 13.107.43.13 | - | - | High |
| 29 | 13.225.214.71 | server-13-225-214-71.ewr50.r.cloudfront.net | - | High |
| 30 | 13.225.214.91 | server-13-225-214-91.ewr50.r.cloudfront.net | - | High |
| 31 | 13.225.214.108 | server-13-225-214-108.ewr50.r.cloudfront.net | - | High |
| 32 | 13.225.230.20 | server-13-225-230-20.jfk51.r.cloudfront.net | - | High |
| 33 | 13.250.255.10 | ec2-13-250-255-10.ap-southeast-1.compute.amazonaws.com | - | Medium |
| 34 | 15.197.142.173 | a4ec4c6ea1c92e2e6.awsglobalaccelerator.com | - | High |
| 35 | 15.235.53.10 | ns5012329.ip-15-235-53.net | - | High |
| 36 | 15.237.137.33 | ec2-15-237-137-33.eu-west-3.compute.amazonaws.com | - | Medium |
| 37 | 18.214.132.216 | ec2-18-214-132-216.compute-1.amazonaws.com | - | Medium |
| 38 | 18.218.132.40 | ec2-18-218-132-40.us-east-2.compute.amazonaws.com | - | Medium |
| 39 | 20.7.43.70 | - | - | High |
| 40 | 20.36.253.92 | - | - | High |
| 41 | 20.38.32.202 | - | - | High |
| 42 | 20.42.73.27 | - | - | High |
| 43 | 20.69.164.162 | - | - | High |
| 44 | 20.106.76.138 | - | - | High |
| 45 | 20.106.94.110 | - | - | High |
| 46 | 20.110.185.77 | - | - | High |
| 47 | 20.110.197.26 | - | - | High |
| 48 | 20.112.83.244 | - | - | High |
| 49 | 20.114.21.181 | - | - | High |
| 50 | 20.124.111.166 | - | - | High |
| 51 | 20.190.151.7 | - | - | High |
| 52 | 20.190.151.8 | - | - | High |
| 53 | 20.190.151.68 | - | - | High |
| 54 | 20.190.151.70 | - | - | High |
| 55 | 20.190.151.131 | - | - | High |
| 56 | 20.190.151.132 | - | - | High |
| 57 | 20.190.151.133 | - | - | High |
| 58 | 20.190.152.21 | - | - | High |
| 59 | 20.190.154.139 | - | - | High |
| 60 | 20.225.154.34 | - | - | High |
| 61 | 20.251.10.189 | - | - | High |
| 62 | 23.3.13.88 | a23-3-13-88.deploy.static.akamaitechnologies.com | - | High |
| 63 | 23.3.13.154 | a23-3-13-154.deploy.static.akamaitechnologies.com | - | High |
| 64 | 23.19.227.82 | - | - | High |
| 65 | 23.19.227.171 | - | - | High |
| 66 | 23.19.227.243 | - | - | High |
| 67 | 23.21.27.29 | ec2-23-21-27-29.compute-1.amazonaws.com | - | Medium |
| 68 | 23.21.205.229 | ec2-23-21-205-229.compute-1.amazonaws.com | - | Medium |
| 69 | 23.21.213.140 | ec2-23-21-213-140.compute-1.amazonaws.com | - | Medium |
| 70 | 23.38.131.139 | a23-38-131-139.deploy.static.akamaitechnologies.com | - | High |
| 71 | 23.46.239.18 | a23-46-239-18.deploy.static.akamaitechnologies.com | - | High |
| 72 | 23.56.9.181 | a23-56-9-181.deploy.static.akamaitechnologies.com | - | High |
| 73 | 23.78.173.83 | a23-78-173-83.deploy.static.akamaitechnologies.com | - | High |
| 74 | 23.82.12.29 | - | - | High |
| 75 | 23.105.131.132 | mail132.nessfist.com | - | High |
| 76 | 23.105.131.141 | mail141.nessfist.com | - | High |
| 77 | 23.105.131.186 | mail186.nessfist.com | - | High |
| 78 | 23.105.131.193 | - | - | High |
| 79 | 23.105.131.206 | mail206.nessfist.com | - | High |
| 80 | 23.105.131.209 | - | - | High |
| 81 | 23.105.131.211 | mail211.nessfist.com | - | High |
| 82 | 23.105.131.220 | mail220.nessfist.com | - | High |
| 83 | 23.105.131.222 | - | - | High |
| 84 | 23.105.131.235 | mail235.nessfist.com | - | High |
| 85 | 23.105.131.238 | mail238.nessfist.com | - | High |
| 86 | 23.105.131.244 | mail244.nessfist.com | - | High |
| 87 | 23.106.124.111 | - | - | High |
| 88 | 23.146.242.71 | - | - | High |
| 89 | 23.146.242.110 | - | - | High |
| 90 | 23.196.74.222 | a23-196-74-222.deploy.static.akamaitechnologies.com | - | High |
| 91 | 23.199.63.11 | a23-199-63-11.deploy.static.akamaitechnologies.com | - | High |
| 92 | 23.199.63.83 | a23-199-63-83.deploy.static.akamaitechnologies.com | - | High |
| 93 | 23.223.37.181 | a23-223-37-181.deploy.static.akamaitechnologies.com | - | High |
| 94 | 23.226.128.197 | 23.226.128.197.static.quadranet.com | - | High |
| 95 | 23.227.38.74 | - | - | High |
| 96 | 31.3.152.100 | 100.152.3.31.in-addr.arpa | - | High |
| 97 | 31.192.232.48 | lindaj18.barber.pserver.space | - | High |
| 98 | 31.210.20.56 | - | - | High |
| 99 | 31.210.20.130 | - | - | High |
| 100 | 31.210.20.224 | - | - | High |
| 101 | 31.210.20.236 | - | - | High |
| 102 | 31.210.21.205 | lit4.top | - | High |
| 103 | 34.96.116.138 | 138.116.96.34.bc.googleusercontent.com | - | Medium |
| 104 | 34.102.136.180 | 180.136.102.34.bc.googleusercontent.com | - | Medium |
| 105 | 34.117.168.233 | 233.168.117.34.bc.googleusercontent.com | - | Medium |
| 106 | 34.192.250.175 | ec2-34-192-250-175.compute-1.amazonaws.com | - | Medium |
| 107 | 34.197.12.81 | ec2-34-197-12-81.compute-1.amazonaws.com | - | Medium |
| 108 | 34.202.33.33 | ec2-34-202-33-33.compute-1.amazonaws.com | - | Medium |
| 109 | 34.239.194.181 | ec2-34-239-194-181.compute-1.amazonaws.com | - | Medium |
| 110 | 35.205.61.67 | 67.61.205.35.bc.googleusercontent.com | - | Medium |
| 111 | 35.214.144.124 | 124.144.214.35.bc.googleusercontent.com | - | Medium |
| 112 | 37.0.10.217 | - | - | High |
| 113 | 37.0.11.114 | - | - | High |
| 114 | 37.0.11.230 | - | - | High |
| 115 | 37.0.14.195 | - | - | High |
| 116 | 37.0.14.198 | - | - | High |
| 117 | 37.0.14.199 | - | - | High |
| 118 | 37.0.14.203 | - | - | High |
| 119 | 37.0.14.204 | - | - | High |
| 120 | 37.0.14.206 | - | - | High |
| 121 | 37.0.14.207 | - | - | High |
| 122 | 37.0.14.209 | - | - | High |
| 123 | 37.0.14.210 | host-37-0-14-210.static.deli-one.co.uk | - | High |
| 124 | 37.0.14.211 | - | - | High |
| 125 | 37.0.14.216 | - | - | High |
| 126 | 37.0.14.217 | - | - | High |
| 127 | 37.1.206.16 | free.ispiria.net | - | High |
| 128 | 37.1.206.146 | - | - | High |
| 129 | 37.19.193.217 | unn-37-19-193-217.cdn77.com | - | High |
| 130 | 37.46.150.211 | convert-concern.needratio.com | - | High |
| 131 | 37.120.138.222 | - | - | High |
| 132 | 37.120.155.179 | - | - | High |
| 133 | 37.120.210.219 | - | - | High |
| 134 | 37.120.217.243 | - | - | High |
| 135 | 37.123.118.150 | - | - | High |
| 136 | 37.139.64.106 | - | - | High |
| 137 | 37.139.128.4 | - | - | High |
| 138 | 37.139.128.24 | - | - | High |
| 139 | 37.139.129.142 | - | - | High |
| 140 | 37.230.130.153 | - | - | High |
| 141 | 37.230.178.57 | - | - | High |
| 142 | 37.235.1.174 | resolver1.freedns.zone.powered.by.virtexxa.com | - | High |
| 143 | 37.235.1.177 | resolver2.freedns.zone.powered.by.virtexxa.com | - | High |
| 144 | 38.26.191.78 | - | - | High |
| 145 | 38.68.53.190 | - | - | High |
| 146 | 38.242.134.118 | vmi997441.contaboserver.net | - | High |
| 147 | 38.242.246.175 | vmi838644.contaboserver.net | - | High |
| 148 | 40.126.26.134 | - | - | High |
| 149 | 40.126.28.12 | - | - | High |
| 150 | 40.126.28.22 | - | - | High |
| 151 | 41.190.3.209 | www.9mobile.com.ng | - | High |
| 152 | 41.216.183.96 | - | - | High |
| 153 | 41.216.183.195 | - | - | High |
| 154 | 41.216.183.226 | - | - | High |
| 155 | 43.226.229.83 | - | - | High |
| 156 | 44.230.27.49 | ec2-44-230-27-49.us-west-2.compute.amazonaws.com | - | Medium |
| 157 | 44.238.161.76 | ec2-44-238-161-76.us-west-2.compute.amazonaws.com | - | Medium |
| 158 | 45.15.143.148 | - | - | High |
| 159 | 45.62.170.248 | - | - | High |
| 160 | 45.66.151.212 | - | - | High |
| 161 | 45.74.32.12 | - | - | High |
| 162 | 45.81.39.21 | - | - | High |
| 163 | 45.81.243.246 | - | - | High |
| 164 | 45.82.84.10 | 45.82.84.10.deltahost-ptr | - | High |
| 165 | 45.83.129.166 | - | - | High |
| 166 | 45.87.61.104 | - | - | High |
| 167 | 45.88.66.122 | runningegg.xyz | - | High |
| 168 | 45.90.222.204 | 45-90-222-204-hostedby.bcr.host | - | High |
| 169 | 45.95.168.62 | maxko-hosting.com | - | High |
| 170 | 45.128.234.54 | - | - | High |
| 171 | 45.133.1.34 | - | - | High |
| 172 | 45.133.1.47 | - | - | High |
| 173 | 45.133.1.72 | - | - | High |
| 174 | 45.133.174.55 | - | - | High |
| 175 | 45.133.174.77 | - | - | High |
| 176 | 45.133.174.177 | - | - | High |
| 177 | 45.133.174.187 | - | - | High |
| 178 | 45.137.22.52 | hosted-by.rootlayer.net | - | High |
| 179 | 45.137.22.77 | mail.governorsperic.xyz | - | High |
| 180 | 45.137.22.101 | hosted-by.rootlayer.net | - | High |
| 181 | 45.137.22.104 | hosted-by.rootlayer.net | - | High |
| 182 | 45.137.22.107 | hosted-by.rootlayer.net | - | High |
| 183 | 45.137.22.116 | hosted-by.rootlayer.net | - | High |
| 184 | 45.137.22.236 | hosted-by.rootlayer.net | - | High |
| 185 | 45.137.22.248 | hosted-by.rootlayer.net | - | High |
| 186 | 45.137.116.253 | rs-zap1025641-3.zap-srv.com | - | High |
| 187 | 45.137.118.105 | - | - | High |
| 188 | 45.138.16.39 | - | - | High |
| 189 | 45.138.172.94 | - | - | High |
| 190 | 45.139.105.174 | - | - | High |
| 191 | 45.144.225.112 | - | - | High |
| 192 | 45.144.225.213 | - | - | High |
| 193 | 45.144.225.221 | - | - | High |
| 194 | 45.148.17.62 | mail.spokel.se | - | High |
| 195 | 45.154.4.64 | - | - | High |
| 196 | 45.155.165.117 | - | - | High |
| 197 | 45.155.165.139 | - | - | High |
| 198 | 45.155.165.160 | - | - | High |
| 199 | 46.2.255.122 | - | - | High |
| 200 | 46.8.211.72 | - | - | High |
| 201 | 46.105.127.143 | ns385442.ip-46-105-127.eu | - | High |
| 202 | 46.183.216.163 | tagoe.lstartanalystconcepts.org.uk | - | High |
| 203 | 46.183.217.11 | raimis.comanchor.com | - | High |
| 204 | 46.183.220.61 | ip-220-61.dataclub.info | - | High |
| 205 | 46.183.220.67 | ip-220-67.dataclub.info | - | High |
| 206 | 46.183.220.203 | ip-220-203.dataclub.info | - | High |
| 207 | 46.183.223.57 | ip-223-57.dataclub.info | - | High |
| 208 | 46.243.147.194 | - | - | High |
| 209 | 46.243.239.36 | - | - | High |
| 210 | 46.243.239.153 | - | - | High |
| 211 | 46.243.249.150 | - | - | High |
| 212 | 46.246.80.68 | c-46-246-80-68.ip4.frootvpn.com | - | High |
| 213 | 47.254.172.117 | - | - | High |
| 214 | 50.16.234.229 | ec2-50-16-234-229.compute-1.amazonaws.com | - | Medium |
| 215 | 50.63.202.36 | ip-50-63-202-36.ip.secureserver.net | - | High |
| 216 | 51.15.229.127 | 127-229-15-51.instances.scw.cloud | - | High |
| 217 | 51.75.209.242 | ip242.ip-51-75-209.eu | - | High |
| 218 | 51.75.209.245 | ip245.ip-51-75-209.eu | - | High |
| 219 | 51.81.193.203 | ip203.ip-51-81-193.us | - | High |
| 220 | 51.91.236.193 | cluster028.hosting.ovh.net | - | High |
| 221 | 51.103.16.165 | - | - | High |
| 222 | 51.161.212.232 | ip232.ip-51-161-212.net | - | High |
| 223 | 51.195.57.234 | ip234.ip-51-195-57.eu | - | High |
| 224 | ... | ... | ... | ... |

There are 891 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by Remcos. This data is unique as it uses our predictive model for actor profiling.

| ID | Technique | Weakness | Description | Confidence |
|----|-----------|----------|-------------|------------|
| 1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-36, CWE-37 | Pathname Traversal | High |
| 2 | T1040 | CWE-294, CWE-319 | Authentication Bypass by Capture-replay | High |
| 3 | T1055 | CWE-74 | Injection | High |
| 4 | T1059 | CWE-88, CWE-94, CWE-1321 | Cross Site Scripting | High |
| 5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High |
| 6 | ... | ... | ... | ... |

There are 20 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Remcos. This data is unique as it uses our predictive model for actor profiling.

| ID | Type | Indicator | Confidence |
|----|------|-----------|------------|
| 1 | File | /?ajax-request=jnews | High |
| 2 | File | /admin/delete_user.php | High |
| 3 | File | /admin/index2.html | High |
| 4 | File | /admin/products/manage_product.php | High |
| 5 | File | /admin/userprofile.php | High |
| 6 | File | /administrator/components/table_manager/ | High |
| 7 | File | /blog/blog.php | High |
| 8 | File | /BRS_netgear_success.html | High |
| 9 | File | /cgi-bin-sdb/ExportSettings.sh | High |
| 10 | File | /College/admin/teacher.php | High |
| 11 | File | /common/info.cgi | High |
| 12 | File | /Controls/Generic/EBMK/Handlers/EStatements/DownloadEStatement.ashx | High |
| 13 | File | /databases/database/list | High |
| 14 | File | /dcim/rack-roles/ | High |
| 15 | File | /E-mobile/App/System/File/downfile.php | High |
| 16 | File | /edoc/doctor/patient.php | High |
| 17 | File | /etc/sudoers | Medium |
| 18 | File | /ext/phar/phar_object.c | High |
| 19 | File | /forum/away.php | High |
| 20 | File | /goform/aspForm | High |
| 21 | File | /inc/topBarNav.php | High |
| 22 | File | /index.php?app=main&func=passport&action=login | High |
| 23 | File | /iwgallery/pictures/details.asp | High |
| 24 | File | /kelas/data | Medium |
| 25 | File | /kelasdosen/data | High |
| 26 | File | /librarian/bookdetails.php | High |
| 27 | File | /mcategory.php | High |
| 28 | File | /messageboard/view.php | High |
| 29 | File | /mhds/clinic/view_details.php | High |
| 30 | File | /MIME/INBOX-MM-1/ | High |
| 31 | File | /movie.php | Medium |
| 32 | File | /osm/REGISTER.cmd | High |
| 33 | File | /out.php | Medium |
| 34 | File | /reservation/add_message.php | High |
| 35 | File | /reviewer/system/system/admins/manage/users/user-update.php | High |
| 36 | File | /reviewer_0/admins/assessments/pretest/questions-view.php | High |
| 37 | File | /rom-0 | Low |
| 38 | File | /sbin/orthrus | High |
| 39 | File | /sbin/rtspd | Medium |
| 40 | File | /textpattern/index.php | High |
| 41 | File | /tmp | Low |
| 42 | File | /uncpath/ | Medium |
| 43 | File | /usr/bin/at | Medium |
| 44 | File | /var/www/video/mp4ts | High |
| 45 | File | /wabt/bin/poc.wasm | High |
| 46 | File | /wp-admin/admin-ajax.php | High |
| 47 | ... | ... | ... |

There are 404 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:

## Literature

The following articles explain our unique predictive cyber threat intelligence:

## License

(c) 1997-2023 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!