Astro Locker Analysis

IOB - Indicator of Behavior (46)

Timeline


Language

en: 38
ru: 4
zh: 4


Country


Actors


Activities

Interest

Timeline


Type


Vendor


Product

Microsoft Windows: 4
Linux Kernel: 2
Wazuh: 2
Exim: 2
Omron NJ: 2


Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

| # | Vulnerability | Base (CVSS) | Temp (CVSS) | 0day price | Today price | Exploitability | Countermeasure | KEV | EPSS | CTI | CVE |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Microsoft Windows Win32k Local Privilege Escalation | 7.8 | 7.1 | $25k-$100k | $5k-$25k | Unproven | Official fix | | 0.01670 | 0.07 | CVE-2023-36743 |
| 2 | zoujingli ThinkAdmin Update.php deserialization | 8.0 | 8.0 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.12687 | 0.00 | CVE-2020-23653 |
| 3 | Apache HTTP Server ETag information disclosure | 5.3 | 5.1 | $5k-$25k | $0-$5k | Not defined | Official fix | | 0.00321 | 0.03 | CVE-2003-1418 |
| 4 | Huawei Flybox B660 indexdefault.asp improper authentication | 7.3 | 6.7 | $5k-$25k | $0-$5k | Proof-of-Concept | Workaround | | 0.00000 | 0.00 | |
| 5 | TikiWiki tiki-register.php input validation | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official fix | | 0.04277 | 0.70 | CVE-2006-6168 |
| 6 | OpenKM Community Edition XMLReader Parser XMLTextExtractor.java xml external entity reference | 8.2 | 8.1 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00041 | 0.08 | CVE-2022-2131 |
| 7 | OpenKM FileUtils.java getFileExtension temp file | 3.6 | 3.5 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00030 | 0.00 | CVE-2022-3969 |
| 8 | Linux Kernel smb2ops.c smb2_dump_detail out-of-bounds | 6.5 | 6.4 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.00010 | 0.06 | CVE-2023-6610 |
| 9 | Microsoft Windows Local Security Authority Subsystem Service information disclosure | 5.1 | 4.7 | $25k-$100k | $5k-$25k | Unproven | Official fix | | 0.00127 | 0.09 | CVE-2023-36428 |
| 10 | Linux Kernel io_uring Subsystem toctou | 7.5 | 7.4 | $5k-$25k | Calculating | Not defined | Official fix | | 0.00020 | 0.00 | CVE-2023-1295 |
| 11 | Microsoft Exchange Server privilege escalation | 8.3 | 7.6 | $25k-$100k | $5k-$25k | Unproven | Official fix | possible | 0.76903 | 0.06 | CVE-2023-36745 |
| 12 | Microsoft Windows TPM Device Driver untrusted pointer dereference | 8.0 | 7.6 | $25k-$100k | $5k-$25k | Attacked | Official fix | verified | 0.15004 | 0.07 | CVE-2023-29360 |
| 13 | Wazuh Dashboard authorization | 7.5 | 7.4 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00142 | 0.00 | CVE-2023-42455 |
| 14 | Microsoft Exchange Server ProxyShell | 9.4 | 9.0 | $25k-$100k | $5k-$25k | Attacked | Official fix | verified | 0.94149 | 0.00 | CVE-2021-34523 |
| 15 | Microsoft Exchange Server ProxyShell server-side request forgery | 9.5 | 9.1 | $25k-$100k | $5k-$25k | Attacked | Official fix | verified | 0.94302 | 0.02 | CVE-2021-34473 |
| 16 | Microsoft Exchange Server privilege escalation | 8.0 | 7.3 | $5k-$25k | $0-$5k | Unproven | Official fix | | 0.14250 | 0.05 | CVE-2023-28310 |
| 17 | Linux Kernel use after free | 7.4 | 7.2 | $5k-$25k | $0-$5k | Not defined | Official fix | | 0.00120 | 0.00 | CVE-2023-0461 |
| 18 | Red Hat DataGrid/Infinispan REST Endpoint improper authentication | 6.3 | 6.3 | $5k-$25k | $5k-$25k | Not defined | Not defined | | 0.00431 | 0.05 | CVE-2021-31917 |
| 19 | libssh pki_verify_data_signature access control | 5.5 | 5.5 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00300 | 0.00 | CVE-2023-2283 |
| 20 | Microsoft Windows HTTP Protocol Stack Remote Code Execution | 9.8 | 8.9 | $25k-$100k | $5k-$25k | Unproven | Official fix | | 0.05566 | 0.06 | CVE-2023-23392 |

IOC - Indicator of Compromise (4)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

| ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence |
|---|---|---|---|---|---|---|---|
| 1 | 45.134.21.8 | | Astro Locker | | 05/31/2021 | verified | Low |

TTP - Tactics, Techniques, Procedures (9)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

| ID | Technique | Class | Vulnerabilities | Access Vector | Type | Confidence |
|---|---|---|---|---|---|---|
| 1 | T1068 | CAPEC-19 | CWE-284 | Execution with Unnecessary Privileges | predictive | High |
| 2 | T1078.001 | | CWE-259 | Use of Hard-coded Password | predictive | High |

IOA - Indicator of Attack (21)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|---|---|---|---|---|
| 1 | File | /htmlcode/html/indexdefault.asp | predictive | High |
| 2 | File | ajax_admin_apis.php | predictive | High |
| 3 | File | ajax_php_pecl.php | predictive | High |
