Brushaloader Analysis

IOB - Indicator of Behavior (58)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en42
de8
pl4
ar2
fr2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

us42
ir8
cn2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

DZCP deV!L`z Clanportal4
Microsoft IIS4
LogicBoard CMS2
Devilz Clanportal2
BloodHound2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemCTIEPSSCVE
1Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure5.35.2$5k-$25k$0-$5kHighWorkaround0.070.02016CVE-2007-1192
2DZCP deV!L`z Clanportal config.php code injection7.36.6$0-$5k$0-$5kProof-of-ConceptOfficial Fix1.650.00954CVE-2010-0966
3DZCP deV!L`z Clanportal browser.php information disclosure5.35.0$0-$5k$0-$5kProof-of-ConceptNot Defined0.280.03045CVE-2007-1167
4Siemens SIMATIC Drive Controller Service Port 102 memory corruption7.37.1$5k-$25k$5k-$25kNot DefinedWorkaround0.040.00477CVE-2020-15782
5Siemens SIMATIC S7-1200 PLC memory corruption7.57.5$5k-$25k$5k-$25kNot DefinedNot Defined0.000.00268CVE-2013-0700
6Devilz Clanportal File Upload unknown vulnerability5.34.4$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.050.05362CVE-2006-6338
7MGB OpenSource Guestbook email.php sql injection7.37.3$0-$5k$0-$5kHighUnavailable1.150.02982CVE-2007-0354
8Apple watchOS Font Remote Code Execution7.06.9$0-$5k$0-$5kHighOfficial Fix0.060.00076CVE-2023-41990
9Filebrowser cross-site request forgery6.96.4$0-$5k$0-$5kFunctionalOfficial Fix0.050.00762CVE-2021-46398
10cURL SOCKS5 Proxy heap-based overflow4.64.4$0-$5k$0-$5kNot DefinedOfficial Fix0.050.00065CVE-2023-38545
11Phplinkdirectory PHP Link Directory conf_users_edit.php cross-site request forgery6.36.0$0-$5k$0-$5kProof-of-ConceptNot Defined0.090.00526CVE-2011-0643
12LogicBoard CMS away.php redirect6.36.1$0-$5k$0-$5kNot DefinedUnavailable2.430.00000
13Xoops URL Filter index.php redirect6.66.4$0-$5k$0-$5kNot DefinedNot Defined0.040.00062CVE-2017-12138
14PHP phpinfo cross site scripting4.33.9$5k-$25k$0-$5kProof-of-ConceptOfficial Fix0.530.01639CVE-2007-1287
15Digium Asterisk SDP Negotiation res_pjsip_session.c denial of service5.15.1$0-$5k$0-$5kNot DefinedOfficial Fix0.000.00193CVE-2021-26906
16Siemens SIMATIC S7-300 PN/SIMATIC S7-400 PN input validation6.46.3$5k-$25k$0-$5kNot DefinedWorkaround0.030.00373CVE-2016-9158
17BloodHound GenericAll.jsx command injection7.97.9$0-$5k$0-$5kNot DefinedOfficial Fix0.000.00537CVE-2021-3210
18Microsoft IIS code injection9.99.9$25k-$100k$5k-$25kNot DefinedNot Defined0.040.10375CVE-2010-1256
19Sophos SFOS Administration Service/User Portal sql injection9.18.7$5k-$25k$0-$5kHighOfficial Fix0.020.01173CVE-2020-12271
20Citrix ShareFile StorageZones path traversal7.47.4$5k-$25k$5k-$25kNot DefinedNot Defined0.000.02073CVE-2020-8983

IOC - Indicator of Compromise (40)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
164.110.25.146webmail.jqluvhost.netBrushaloader04/12/2022verifiedHigh
264.110.25.147webmail.jqluvhost.netBrushaloader04/12/2022verifiedHigh
364.110.25.148xaeoi7a.npermit.topBrushaloader04/12/2022verifiedHigh
464.110.25.150webmail.jqluvhost.netBrushaloader04/12/2022verifiedHigh
564.110.25.151moiu0ae.lplaced.topBrushaloader04/12/2022verifiedHigh
664.110.25.152h2iuode.hairrestoredfast.topBrushaloader04/12/2022verifiedHigh
764.110.25.153vaxoiu5.shadego.topBrushaloader04/12/2022verifiedHigh
864.110.25.154nae2oiu.sidedgo.topBrushaloader04/12/2022verifiedHigh
9XXX.XXX.XXX.XXXxxx-xxx-xxx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
10XXX.XXX.XXX.XXXxxx-xxx-xxx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
11XXX.XXX.XXX.XXXxxxxxxxxxxx04/12/2022verifiedHigh
12XXX.XXX.XXX.XXXxxx-xxx-xxx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
13XXX.XXX.XX.XXXXxxxxxxxxxxx04/12/2022verifiedHigh
14XXX.X.XX.XXXxxx-x-xx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
15XXX.X.XX.XXXxxx-x-xx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
16XXX.X.XX.XXxxx-x-xx-xx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
17XXX.X.XX.XXxxx-x-xx-xx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
18XXX.X.XX.XXxxx-x-xx-xx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
19XXX.X.XX.XXxxx-x-xx-xx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
20XXX.X.XX.XXxxx-x-xx-xx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
21XXX.X.XXX.XXXxxxx.xxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
22XXX.X.XXX.XXXxxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
23XXX.X.XXX.XXXxxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
24XXX.X.XXX.XXXxxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
25XXX.X.XXX.XXXxxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
26XXX.X.XXX.XXXxxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
27XXX.X.XXX.XXXxxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
28XXX.X.XXX.XXXxxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
29XXX.X.XXX.XXXxxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
30XXX.X.XXX.XXXxxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
31XXX.X.XXX.XXXxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
32XXX.X.XXX.XXXxxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
33XXX.X.XXX.XXXxxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
34XXX.X.XXX.XXXxxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
35XXX.X.XXX.XXXxxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
36XXX.X.XXX.XXXxxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
37XXX.X.XXX.XXXxxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
38XXX.X.XXX.XXXxxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
39XXX.X.XXX.XXXxxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh
40XXX.X.XXX.XXXxxx-x-xxx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxx04/12/2022verifiedHigh

TTP - Tactics, Techniques, Procedures (8)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueVulnerabilitiesAccess VectorTypeConfidence
1T1006CWE-22Pathname TraversalpredictiveHigh
2T1059CWE-94Cross Site ScriptingpredictiveHigh
3TXXXX.XXXCWE-XX, CWE-XXXxxxx Xxxx XxxxxxxxxpredictiveHigh
4TXXXXCWE-XXXX2xx Xxxxxxxxxxxxxxxx: Xxxx Xxxxxx Xxxxxxxxxxx Xxx Xxx XxxxxxxpredictiveHigh
5TXXXXCWE-XX, CWE-XXXxxxxxx XxxxxxxxxpredictiveHigh
6TXXXX.XXXCWE-XXXXxxx XxxxxxxxpredictiveHigh
7TXXXXCWE-XXXxx XxxxxxxxxpredictiveHigh
8TXXXXCWE-XXXXxxxxxxxxxxxxpredictiveHigh

IOA - Indicator of Attack (27)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/forum/away.phppredictiveHigh
2File/horde/util/go.phppredictiveHigh
3File/modules/profile/index.phppredictiveHigh
4Fileadmin/conf_users_edit.phppredictiveHigh
5Filexxxxxxx_xxx.xxxpredictiveHigh
6Filexxxxxxxxxx/xxxxxx/xxxxxxxxx/xxxxxxxxxx/xxxxxxxxxx.xxxpredictiveHigh
7Filexxxx/xxxxxxxxxxxxxxx.xxxpredictiveHigh
8Filexxxxx.xxxpredictiveMedium
9Filexxxx.xxxpredictiveMedium
10Filexxx/xxxxxx.xxxpredictiveHigh
11Filexxx/xxxxxxxxxxx/xxxxxxx.xxxpredictiveHigh
12Filexxxxx.xxxpredictiveMedium
13Filexxxx/xxxxxx/xxxxx.xxxpredictiveHigh
14Filexxxx/xxxxxxxxxxx-xxxxxx-xxxxx.xxxpredictiveHigh
15Filexxx_xxxx.xxxpredictiveMedium
16Filexxxxxxxx.xxxpredictiveMedium
17Filexxx_xxxxx_xxxxxxx.xpredictiveHigh
18ArgumentxxxxxxpredictiveLow
19ArgumentxxxxxxxxpredictiveMedium
20ArgumentxxxxxxxpredictiveLow
21ArgumentxxxxpredictiveLow
22Argumentxxxx_xxxxxpredictiveMedium
23ArgumentxxpredictiveLow
24ArgumentxxxxxxxxpredictiveMedium
25Argumentxxxx_xxxxpredictiveMedium
26ArgumentxxxpredictiveLow
27Network Portxxx/xxpredictiveLow

References (2)

The following list contains external sources which discuss the actor and the associated activities:

Do you know our Splunk app?

Download it now for free!