README.md Update August 2023 2023-08-01 08:06:09 +02:00

AsyncRAT - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as AsyncRAT. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.asyncrat

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with AsyncRAT:

There are 12 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of AsyncRAT.


There are 1202 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by AsyncRAT. This data is unique as it uses our predictive model for actor profiling.

| ID | Technique | Weakness | Description | Confidence |
|----|-----------|----------|-------------|------------|
| 1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-29, CWE-36 | Pathname Traversal | High |
| 2 | T1055 | CWE-74 | Injection | High |
| 3 | T1059 | CWE-88, CWE-94, CWE-1321 | Cross Site Scripting | High |
| 4 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High |
| 5 | T1068 | CWE-250, CWE-264, CWE-269, CWE-284 | J2EE Misconfiguration: Weak Access Permissions for EJB Methods | High |
| 6 | ... | ... | ... | ... |

There are 21 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by AsyncRAT. This data is unique as it uses our predictive model for actor profiling.


There are 332 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence:

License

(c) 1997-2023 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!