Avos Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (64)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en	54
fr	8
de	2

Country

fr	8
ru	4
us	4
de	2

Actors

AvosLocker	1
Tofsee	1
Amadey	1
RedLine Stealer	1
Cobalt Strike	1

Activities

Interest

Timeline

Type

Not Defined	18
Content Management System	4
Enterprise Resource Planning Software	2
Operating System	2
Anti-Malware Software	2

Vendor

Coinsoft Technologies	4
Microsoft	4
HP	4
GESIO	2
Basti2web	2

Product

Coinsoft Technologies phpCOIN	4
GESIO ERP	2
Basti2web Book Panel	2
Sitekit CMS	2
IW Guestbook	2

Vulnerabilities

#	Vulnerability	Base	Temp	0day	Today	Exp	Rem	CTI	EPSS	CVE
1	HP SAN/iQ hydra.exe credentials management	4.3	3.9	$25k-$100k	$0-$5k	Proof-of-Concept	Official Fix	0.04	0.00293	CVE-2012-4362
2	Hydra HTTP Header read.c process_header_end null pointer dereference	6.4	6.4	$0-$5k	$0-$5k	Not Defined	Not Defined	0.03	0.00117	CVE-2019-17502
3	IW Guestbook badwords_edit.asp sql injection	6.3	5.7	$0-$5k	$0-$5k	Proof-of-Concept	Not Defined	0.00	0.00000
4	Hydra authentication replay	5.6	5.0	$0-$5k	$0-$5k	Not Defined	Official Fix	0.04	0.00099	CVE-2020-5300
5	OmniSecure AddUrlShield index.php sql injection	6.3	5.7	$0-$5k	$0-$5k	Proof-of-Concept	Not Defined	0.08	0.00000
6	ORY Hydra error Reflected cross site scripting	5.2	5.1	$0-$5k	$0-$5k	Not Defined	Official Fix	0.05	0.00109	CVE-2019-8400
7	PHPGurukul Hospital Management System dashboard.php access control	5.5	5.5	$0-$5k	$0-$5k	Not Defined	Not Defined	0.04	0.00336	CVE-2020-35745
8	HP SAN/iQ Login hydra.exe memory corruption	10.0	9.5	$25k-$100k	$0-$5k	Proof-of-Concept	Official Fix	0.02	0.10070	CVE-2011-4157
9	HP LeftHand Virtual SAN Appliance hydra memory corruption	10.0	9.5	$25k-$100k	$0-$5k	High	Official Fix	0.03	0.94627	CVE-2013-2343
10	Coinsoft Technologies phpCOIN db.php file inclusion	7.3	6.6	$0-$5k	$0-$5k	Proof-of-Concept	Official Fix	0.05	0.07606	CVE-2005-4211
11	Coinsoft Technologies phpCOIN db.php path traversal	5.3	4.8	$0-$5k	$0-$5k	Proof-of-Concept	Official Fix	0.05	0.03877	CVE-2005-4212
12	Ilohamail cross site scripting	4.3	4.1	$0-$5k	$0-$5k	Not Defined	Official Fix	0.08	0.00000
13	Sitekit CMS registration-form.html cross site scripting	3.5	3.3	$0-$5k	$0-$5k	Proof-of-Concept	Not Defined	0.00	0.00000
14	Microsoft Windows Backup Service Privilege Escalation	7.7	7.1	$25k-$100k	$0-$5k	Proof-of-Concept	Official Fix	0.03	0.01557	CVE-2023-21752
15	SunHater KCFinder upload.php cross site scripting	5.7	5.7	$0-$5k	$0-$5k	Not Defined	Not Defined	0.03	0.00131	CVE-2019-14315
16	Canto Cumulus login server-side request forgery	8.0	7.9	$0-$5k	$0-$5k	Not Defined	Not Defined	0.03	0.00187	CVE-2022-40305
17	IW Guestbook messages_edit.asp sql injection	6.3	5.7	$0-$5k	$0-$5k	Proof-of-Concept	Not Defined	0.01	0.00000
18	CKEditor Clipboard Package code injection	6.3	6.0	$0-$5k	$0-$5k	Not Defined	Official Fix	0.03	0.00188	CVE-2021-32809
19	Microsoft Windows Remote Access Connection Manager Privilege Escalation	8.3	7.3	$100k and more	$5k-$25k	Unproven	Official Fix	0.00	0.00043	CVE-2021-33773
20	Microsoft Malware Protection Engine Defender Remote Code Execution	8.3	7.3	$25k-$100k	$0-$5k	Unproven	Official Fix	0.04	0.00329	CVE-2021-34522

IOC - Indicator of Compromise (2)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

ID	IP address	Hostname	Actor	Campaigns	Identified	Type	Confidence
1	45.136.230.191		Avos		07/29/2022	verified	High
2	XXX.XXX.XXX.XXX		Xxxx		07/29/2022	verified	High

TTP - Tactics, Techniques, Procedures (7)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID	Technique	Vulnerabilities	Access Vector	Type	Confidence
1	T1006	CWE-22	Pathname Traversal	predictive	High
2	T1040	CWE-294	Authentication Bypass by Capture-replay	predictive	High
3	TXXXX	CWE-XX	Xxxxx Xxxx Xxxxxxxxx	predictive	High
4	TXXXX.XXX	CWE-XX, CWE-XX	Xxxxx Xxxx Xxxxxxxxx	predictive	High
5	TXXXX	CWE-XXX	X2xx Xxxxxxxxxxxxxxxx: Xxxx Xxxxxx Xxxxxxxxxxx Xxx Xxx Xxxxxxx	predictive	High
6	TXXXX	CWE-XX	Xxx Xxxxxxxxx	predictive	High
7	TXXXX	CWE-XXX	Xxx.xxx Xxxxxxxxxxxxxxxx: Xxxxxxxx Xx Xxxxxxxxxxxxx Xxxx	predictive	High

IOA - Indicator of Attack (26)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID	Class	Indicator	Type	Confidence
1	File	/cwc/login	predictive	Medium
2	File	/iwguestbook/admin/badwords_edit.asp	predictive	High
3	File	/iwguestbook/admin/messages_edit.asp	predictive	High
4	File	admin/dashboard.php	predictive	High
5	File	xxxxx.xxx	predictive	Medium
6	File	xxxx_xxxxxxxx/xx.xxx	predictive	High
7	File	xxxxx.xxx	predictive	Medium
8	File	xxxxx.xxx	predictive	Medium
9	File	xxxxx.xxx/xxxxxxxxxxxxx/xxx	predictive	High
10	File	xxxxxx/xxxxxxxxx/xxxxx	predictive	High
11	File	xxxx.x	predictive	Low
12	File	xxxxxxxxxxxx-xxxx.xxxx	predictive	High
13	File	xxxxxx.xxx	predictive	Medium
14	File	xx-xxxxx/xxxxx-xxxxxx.xxx	predictive	High
15	Argument	xxxxxx	predictive	Low
16	Argument	xxxxxxxxxxxxxxx	predictive	High
17	Argument	xxxxxxxxx	predictive	Medium
18	Argument	xxxxxxx-xxxxxx	predictive	High
19	Argument	xxxxx_xxxx	predictive	Medium
20	Argument	xxxxxx$xxxxx	predictive	Medium
21	Argument	xx	predictive	Low
22	Argument	xxxxx	predictive	Low
23	Argument	xxxx_xx	predictive	Low
24	Argument	xxxxxx	predictive	Low
25	Argument	_xxxx[_xxx_xxxx_xxxx	predictive	High
26	Input Value	x+xxxxx+xxxxxx+x,xxxxxxx,xxxxxxxxxxx+xxxx+xxxxx#	predictive	High

References (2)

The following list contains external sources which discuss the actor and the associated activities:

◂ PreviousOverviewNext ▸

Do you know our Splunk app?

Download it now for free!