Brushaloader Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (60)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en	50
de	6
es	2
ar	2

Country

us	42
ir	6
cn	4

Actors

Brushaloader	8
Xtreme RAT	1
Gootkit	1
ISFB	1
Gozi	1

Activities

Interest

Timeline

Type

Not Defined	16
Programming Language Software	4
Web Server	4
Firewall Software	2
Health Information Software	2

Vendor

Not Defined	22
Vesta	2
Microsoft	2
DZCP	2
Sophos	2

Product

Devilz Clanportal	4
PHP	4
Vesta Control Panel	2
Microsoft IIS	2
DZCP deV!L`z Clanportal	2

Vulnerabilities

#	Vulnerability	Base	Temp	0day	Today	Exp	Rem	CTI	EPSS	CVE
1	Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure	5.3	5.2	$5k-$25k	$0-$5k	High	Workaround	0.02	0.02016	CVE-2007-1192
2	DZCP deV!L`z Clanportal config.php code injection	7.3	6.6	$0-$5k	$0-$5k	Proof-of-Concept	Official Fix	0.62	0.00943	CVE-2010-0966
3	DZCP deV!L`z Clanportal browser.php information disclosure	5.3	5.0	$0-$5k	$0-$5k	Proof-of-Concept	Not Defined	0.71	0.02733	CVE-2007-1167
4	Siemens SIMATIC Drive Controller Service Port 102 memory corruption	7.3	7.1	$5k-$25k	$5k-$25k	Not Defined	Workaround	0.02	0.00526	CVE-2020-15782
5	Siemens SIMATIC S7-1200 PLC memory corruption	7.5	7.5	$5k-$25k	$5k-$25k	Not Defined	Not Defined	0.02	0.00261	CVE-2013-0700
6	Devilz Clanportal File Upload unknown vulnerability	5.3	4.4	$0-$5k	$0-$5k	Proof-of-Concept	Official Fix	0.08	0.05362	CVE-2006-6338
7	MGB OpenSource Guestbook email.php sql injection	7.3	7.3	$0-$5k	$0-$5k	High	Unavailable	0.50	0.01302	CVE-2007-0354
8	nginx request smuggling	6.9	6.9	$0-$5k	$0-$5k	Not Defined	Not Defined	0.09	0.00241	CVE-2020-12440
9	PHP Proxy improper authentication	6.4	5.8	$0-$5k	$0-$5k	Proof-of-Concept	Not Defined	0.00	0.03470	CVE-2018-19458
10	Apple watchOS Font Remote Code Execution	7.0	6.9	$0-$5k	$0-$5k	High	Official Fix	0.00	0.00073	CVE-2023-41990
11	Filebrowser cross-site request forgery	6.9	6.4	$0-$5k	$0-$5k	Functional	Official Fix	0.03	0.00762	CVE-2021-46398
12	cURL SOCKS5 Proxy heap-based overflow	4.6	4.4	$0-$5k	$0-$5k	Not Defined	Official Fix	0.02	0.00180	CVE-2023-38545
13	Phplinkdirectory PHP Link Directory conf_users_edit.php cross-site request forgery	6.3	6.0	$0-$5k	$0-$5k	Proof-of-Concept	Not Defined	0.00	0.00526	CVE-2011-0643
14	LogicBoard CMS away.php redirect	6.3	6.1	$0-$5k	$0-$5k	Not Defined	Unavailable	3.59	0.00000
15	Xoops URL Filter index.php redirect	6.6	6.4	$0-$5k	$0-$5k	Not Defined	Not Defined	0.05	0.00062	CVE-2017-12138
16	PHP phpinfo cross site scripting	4.3	3.9	$5k-$25k	$0-$5k	Proof-of-Concept	Official Fix	0.12	0.02101	CVE-2007-1287
17	Digium Asterisk SDP Negotiation res_pjsip_session.c denial of service	5.1	5.1	$0-$5k	$0-$5k	Not Defined	Official Fix	0.00	0.00193	CVE-2021-26906
18	Siemens SIMATIC S7-300 PN/SIMATIC S7-400 PN input validation	6.4	6.3	$5k-$25k	$0-$5k	Not Defined	Workaround	0.02	0.00373	CVE-2016-9158
19	BloodHound GenericAll.jsx command injection	7.9	7.9	$0-$5k	$0-$5k	Not Defined	Official Fix	0.02	0.00537	CVE-2021-3210
20	Microsoft IIS code injection	9.9	9.9	$25k-$100k	$5k-$25k	Not Defined	Not Defined	0.02	0.08875	CVE-2010-1256

IOC - Indicator of Compromise (40)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

ID	IP address	Hostname	Actor	Identified	Type	Confidence
1	64.110.25.146	webmail.jqluvhost.net	Brushaloader	04/12/2022	verified	High
2	64.110.25.147	webmail.jqluvhost.net	Brushaloader	04/12/2022	verified	High
3	64.110.25.148	xaeoi7a.npermit.top	Brushaloader	04/12/2022	verified	High
4	64.110.25.150	webmail.jqluvhost.net	Brushaloader	04/12/2022	verified	High
5	64.110.25.151	moiu0ae.lplaced.top	Brushaloader	04/12/2022	verified	High
6	64.110.25.152	h2iuode.hairrestoredfast.top	Brushaloader	04/12/2022	verified	High
7	64.110.25.153	vaxoiu5.shadego.top	Brushaloader	04/12/2022	verified	High
8	64.110.25.154	nae2oiu.sidedgo.top	Brushaloader	04/12/2022	verified	High
9	XXX.XXX.XXX.XXX	xxx-xxx-xxx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
10	XXX.XXX.XXX.XXX	xxx-xxx-xxx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
11	XXX.XXX.XXX.XX		Xxxxxxxxxxxx	04/12/2022	verified	High
12	XXX.XXX.XXX.XXX	xxx-xxx-xxx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
13	XXX.XXX.XX.XXX		Xxxxxxxxxxxx	04/12/2022	verified	High
14	XXX.X.XX.XXX	xxx-x-xx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
15	XXX.X.XX.XXX	xxx-x-xx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
16	XXX.X.XX.XX	xxx-x-xx-xx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
17	XXX.X.XX.XX	xxx-x-xx-xx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
18	XXX.X.XX.XX	xxx-x-xx-xx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
19	XXX.X.XX.XX	xxx-x-xx-xx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
20	XXX.X.XX.XX	xxx-x-xx-xx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
21	XXX.X.XXX.XXX	xxxx.xxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
22	XXX.X.XXX.XXX	xxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
23	XXX.X.XXX.XXX	xxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
24	XXX.X.XXX.XXX	xxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
25	XXX.X.XXX.XXX	xxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
26	XXX.X.XXX.XXX	xxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
27	XXX.X.XXX.XXX	xxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
28	XXX.X.XXX.XXX	xxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
29	XXX.X.XXX.XXX	xxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
30	XXX.X.XXX.XXX	xxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
31	XXX.X.XXX.XXX	xxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
32	XXX.X.XXX.XXX	xxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
33	XXX.X.XXX.XXX	xxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
34	XXX.X.XXX.XXX	xxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
35	XXX.X.XXX.XXX	xxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
36	XXX.X.XXX.XXX	xxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
37	XXX.X.XXX.XXX	xxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
38	XXX.X.XXX.XXX	xxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
39	XXX.X.XXX.XXX	xxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High
40	XXX.X.XXX.XXX	xxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxx	Xxxxxxxxxxxx	04/12/2022	verified	High

TTP - Tactics, Techniques, Procedures (8)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID	Technique	Vulnerabilities	Access Vector	Type	Confidence
1	T1006	CWE-22	Path Traversal	predictive	High
2	T1059	CWE-94	Argument Injection	predictive	High
3	TXXXX.XXX	CWE-XX, CWE-XX	Xxxxx Xxxx Xxxxxxxxx	predictive	High
4	TXXXX	CWE-XXX	Xxxxxxxxx Xxxx Xxxxxxxxxxx Xxxxxxxxxx	predictive	High
5	TXXXX	CWE-XX, CWE-XX	Xxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx Xxxxxxxxx	predictive	High
6	TXXXX.XXX	CWE-XXX	Xxxx Xxxxxxxx	predictive	High
7	TXXXX	CWE-XX	Xxx Xxxxxxxxx	predictive	High
8	TXXXX	CWE-XXX	Xxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx Xxxxxxxxxxx	predictive	High

IOA - Indicator of Attack (28)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID	Class	Indicator	Type	Confidence
1	File	/forum/away.php	predictive	High
2	File	/horde/util/go.php	predictive	High
3	File	/modules/profile/index.php	predictive	High
4	File	admin/conf_users_edit.php	predictive	High
5	File	xxxxxxx_xxx.xxx	predictive	High
6	File	xxxxxxxxxx/xxxxxx/xxxxxxxxx/xxxxxxxxxx/xxxxxxxxxx.xxx	predictive	High
7	File	xxxx/xxxxxxxxxxxxxxx.xxx	predictive	High
8	File	xxxxx.xxx	predictive	Medium
9	File	xxxx.xxx	predictive	Medium
10	File	xxx/xxxxxx.xxx	predictive	High
11	File	xxx/xxxxxxxxxxx/xxxxxxx.xxx	predictive	High
12	File	xxxxx.xxx	predictive	Medium
13	File	xxxxx.xxx?x=xxxx://	predictive	High
14	File	xxxx/xxxxxx/xxxxx.xxx	predictive	High
15	File	xxxx/xxxxxxxxxxx-xxxxxx-xxxxx.xxx	predictive	High
16	File	xxx_xxxx.xxx	predictive	Medium
17	File	xxxxxxxx.xxx	predictive	Medium
18	File	xxx_xxxxx_xxxxxxx.x	predictive	High
19	Argument	xxxxxx	predictive	Low
20	Argument	xxxxxxxx	predictive	Medium
21	Argument	xxxxxxx	predictive	Low
22	Argument	xxxx	predictive	Low
23	Argument	xxxx_xxxxx	predictive	Medium
24	Argument	xx	predictive	Low
25	Argument	xxxxxxxx	predictive	Medium
26	Argument	xxxx_xxxx	predictive	Medium
27	Argument	xxx	predictive	Low
28	Network Port	xxx/xx	predictive	Low

References (2)

The following list contains external sources which discuss the actor and the associated activities:

◂ PreviousOverviewNext ▸

Do you know our Splunk app?

Download it now for free!