2023-08-01 08:06:09 +02:00

Remcos - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as Remcos. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.remcos

Campaigns

The following campaigns are known and can be associated with Remcos:

  • Ukraine

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Remcos:

There are 19 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) list associated network resources (IP addresses and hostnames) that are known to be part of the research and attack activities of Remcos.


There are 950 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by Remcos. This data is unique as it uses our predictive model for actor profiling.

ID Technique Weakness Description Confidence
1 T1006 CWE-21, CWE-22, CWE-23, CWE-24, CWE-27, CWE-36, CWE-37, CWE-50 Pathname Traversal High
2 T1040 CWE-294, CWE-319 Authentication Bypass by Capture-replay High
3 T1055 CWE-74 Injection High
4 T1059 CWE-88, CWE-94, CWE-1321 Cross Site Scripting High
5 T1059.007 CWE-79, CWE-80 Cross Site Scripting High
6 ... ... ... ...

There are 20 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list potential fragments (file paths, libraries, arguments, input values, patterns, network ports) used by Remcos for technical activities such as reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.


There are 373 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence:

License

(c) 1997-2023 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!