cyber_threat_intelligence/actors/BitRAT/README.md

# BitRAT - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as BitRAT. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.bitrat

## Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with BitRAT:

There are 24 more country items available. Please use our online service to access the data.

## IOC - Indicator of Compromise

These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of BitRAT.

| ID | IP address | Hostname | Campaign | Confidence |
|---|---|---|---|---|
| 1 | 2.56.57.68 | holder.imatee.com | - | High |
| 2 | 2.56.59.48 | - | - | High |
| 3 | 2.56.59.72 | - | - | High |
| 4 | 2.56.59.82 | - | - | High |
| 5 | 2.56.59.146 | - | - | High |
| 6 | 2.56.59.239 | - | - | High |
| 7 | 2.56.212.66 | ip-2-56-212-66-82743.vps.hosted-by-mvps.net | - | High |
| 8 | 2.56.212.226 | no-reverse-yet.local | - | High |
| 9 | 2.56.213.183 | ip-2-56-213-183-92342.vps.hosted-by-mvps.net | - | High |
| 10 | 2.58.149.245 | - | - | High |
| 11 | 2.59.254.205 | - | - | High |
| 12 | 2.59.254.206 | - | - | High |
| 13 | 3.21.21.95 | ec2-3-21-21-95.us-east-2.compute.amazonaws.com | - | Medium |
| 14 | 3.91.91.127 | ec2-3-91-91-127.compute-1.amazonaws.com | - | Medium |
| 15 | 4.236.162.205 | - | - | High |
| 16 | 5.181.7.60 | - | - | High |
| 17 | 5.181.234.150 | - | - | High |
| 18 | 5.189.188.138 | vmi536257.contaboserver.net | - | High |
| 19 | 5.206.224.224 | metin2toplist | - | High |
| 20 | 5.230.84.38 | - | - | High |
| 21 | 5.253.84.122 | - | - | High |
| 22 | 8.208.27.150 | - | - | High |
| 23 | 8.208.102.114 | - | - | High |
| 24 | 8.209.67.224 | - | - | High |
| 25 | 20.12.20.153 | - | - | High |
| 26 | 20.25.180.188 | - | - | High |
| 27 | 20.80.15.232 | - | - | High |
| 28 | 20.80.30.45 | - | - | High |
| 29 | 20.80.31.89 | - | - | High |
| 30 | 20.80.51.178 | - | - | High |
| 31 | 20.84.45.190 | - | - | High |
| 32 | 20.88.45.202 | - | - | High |
| 33 | 20.88.54.36 | - | - | High |
| 34 | 20.98.18.253 | - | - | High |
| 35 | 20.98.138.214 | - | - | High |
| 36 | 20.106.72.179 | - | - | High |
| 37 | 20.106.79.78 | - | - | High |
| 38 | 20.112.83.244 | - | - | High |
| 39 | 20.114.21.181 | - | - | High |
| 40 | 20.114.61.232 | - | - | High |
| 41 | 20.115.149.198 | - | - | High |
| 42 | 20.124.111.166 | - | - | High |
| 43 | 20.150.203.158 | - | - | High |
| 44 | 20.151.200.9 | - | - | High |
| 45 | 20.169.8.10 | - | - | High |
| 46 | 20.171.84.250 | - | - | High |
| 47 | 20.194.35.6 | - | - | High |
| 48 | 23.19.58.166 | i58.166.lofame.net | - | High |
| 49 | 23.19.227.243 | - | - | High |
| 50 | 23.84.180.96 | 023-084-180-096.res.spectrum.com | - | High |
| 51 | 23.94.54.231 | 23-94-54-231-host.colocrossing.com | - | High |
| 52 | 23.105.131.158 | mail158.nessfist.com | - | High |
| 53 | 23.105.131.186 | mail186.nessfist.com | - | High |
| 54 | 23.105.131.195 | mail195.nessfist.com | - | High |
| 55 | 23.105.131.209 | mail209.nessfist.com | - | High |
| 56 | 23.105.171.80 | desiignplaza.world | - | High |
| 57 | 23.146.242.85 | - | - | High |
| 58 | 23.239.28.245 | 23-239-28-245.ip.linodeusercontent.com | - | High |
| 59 | 31.7.63.14 | rack223ch.idfnv.ne | - | High |
| 60 | 31.210.20.187 | - | - | High |
| 61 | 31.210.20.236 | - | - | High |
| 62 | 31.210.21.21 | lilut.top | - | High |
| 63 | 31.210.21.114 | larul.top | - | High |
| 64 | 31.220.4.216 | haa02.sctio.com | - | High |
| 65 | 31.220.44.253 | - | - | High |
| 66 | 34.121.150.14 | 14.150.121.34.bc.googleusercontent.com | - | Medium |
| 67 | 37.0.8.108 | lloydfox.capitolreservations.com | - | High |
| 68 | 37.0.10.6 | - | - | High |
| 69 | 37.0.10.19 | - | - | High |
| 70 | 37.0.10.62 | - | - | High |
| 71 | 37.0.10.63 | - | - | High |
| 72 | 37.0.10.252 | - | - | High |
| 73 | 37.0.11.99 | - | - | High |
| 74 | 37.0.11.155 | - | - | High |
| 75 | 37.0.11.164 | - | - | High |
| 76 | 37.0.11.177 | - | - | High |
| 77 | 37.0.11.183 | - | - | High |
| 78 | 37.0.11.212 | - | - | High |
| 79 | 37.0.11.221 | - | - | High |
| 80 | 37.0.14.212 | - | - | High |
| 81 | 37.46.150.134 | - | - | High |
| 82 | 37.120.152.157 | - | - | High |
| 83 | 37.120.208.46 | - | - | High |
| 84 | 37.120.212.229 | - | - | High |
| 85 | 37.120.234.40 | no-rdns.m247.com | - | High |
| 86 | 37.139.128.233 | - | - | High |
| 87 | 40.82.152.253 | - | - | High |
| 88 | 40.88.44.226 | - | - | High |
| 89 | 41.36.83.211 | host-41.36.83.211.tedata.net | - | High |
| 90 | 41.102.8.156 | - | - | High |
| 91 | 41.102.33.8 | - | - | High |
| 92 | 41.102.231.123 | - | - | High |
| 93 | 41.216.183.61 | - | - | High |
| 94 | ... | ... | ... | ... |

There are 371 more IOC items available. Please use our online service to access the data.

## TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by BitRAT. This data is unique as it uses our predictive model for actor profiling.

| ID | Technique | Weakness | Description | Confidence |
|---|---|---|---|---|
| 1 | T1006 | CWE-21, CWE-22, CWE-23, CWE-25, CWE-36, CWE-425 | Path Traversal | High |
| 2 | T1040 | CWE-319 | Authentication Bypass by Capture-replay | High |
| 3 | T1055 | CWE-74 | Injection | High |
| 4 | T1059 | CWE-88, CWE-94, CWE-1321 | Argument Injection | High |
| 5 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | High |
| 6 | ... | ... | ... | ... |

There are 22 more TTP items available. Please use our online service to access the data.

## IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by BitRAT. This data is unique as it uses our predictive model for actor profiling.

| ID | Type | Indicator | Confidence |
|---|---|---|---|
| 1 | File | `%SYSTEMDRIVE%\node_modules\.bin\wmic.exe` | High |
| 2 | File | `/#ilang=DE&b=c_smartenergy_swgroups` | High |
| 3 | File | `//proc/kcore` | Medium |
| 4 | File | `/Account/login.php` | High |
| 5 | File | `/admin/` | Low |
| 6 | File | `/admin/action/delete-vaccine.php` | High |
| 7 | File | `/admin/index2.html` | High |
| 8 | File | `/admin/save.php` | High |
| 9 | File | `/adminapi/system/crud` | High |
| 10 | File | `/adminapi/system/file/openfile` | High |
| 11 | File | `/admin_route/dec_service_credits.php` | High |
| 12 | File | `/api/v1/alerts` | High |
| 13 | File | `/api/v4/teams//channels/deleted` | High |
| 14 | File | `/api/v4/users/ids` | High |
| 15 | File | `/app/index/controller/Common.php` | High |
| 16 | File | `/Applications/Google\ Drive.app/Contents/MacOS` | High |
| 17 | File | `/b2b-supermarket/shopping-cart` | High |
| 18 | File | `/bitrix/admin/ldap_server_edit.php` | High |
| 19 | File | `/cgi-bin/cstecgi.cgi` | High |
| 20 | File | `/cgi-bin/vitogate.cgi` | High |
| 21 | File | `/change-language/de_DE` | High |
| 22 | File | `/debug/pprof` | Medium |
| 23 | File | `/devinfo` | Medium |
| 24 | File | `/dist/index.js` | High |
| 25 | File | `/etc/shadow` | Medium |
| 26 | File | `/fcgi/scrut_fcgi.fcgi` | High |
| 27 | File | `/forms/doLogin` | High |
| 28 | File | `/forum/away.php` | High |
| 29 | File | `/geoserver/gwc/rest.html` | High |
| 30 | File | `/goform/formSysCmd` | High |
| 31 | File | `/h/autoSaveDraft` | High |
| 32 | File | `/HNAP1` | Low |
| 33 | File | `/hosts/firewall/ip` | High |
| 34 | File | `/index.jsp#settings` | High |
| 35 | File | `/index.php/ccm/system/file/upload` | High |
| 36 | File | `/listplace/user/ticket/create` | High |
| 37 | File | `/log/decodmail.php` | High |
| 38 | File | `/Main_Login.asp?flag=1&productname=RT-AC88U&url=/downloadmaster/task.asp` | High |
| 39 | File | `/novel/author/list` | High |
| 40 | File | `/novel/bookSetting/list` | High |
| 41 | File | `/novel/userFeedback/list` | High |
| 42 | File | `/oauth/idp/.well-known/openid-configuration` | High |
| 43 | File | `/OA_HTML/cabo/jsps/a.jsp` | High |
| 44 | File | `/php/ping.php` | High |
| 45 | File | `/protocol/iscgwtunnel/uploadiscgwrouteconf.php` | High |
| 46 | ... | ... | ... |

There are 398 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

## References

The following list contains external sources which discuss the actor and the associated activities:

## Literature

The following articles explain our unique predictive cyber threat intelligence:

## License

(c) 1997-2024 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!