Dalbit Analysis

IOB - Indicator of Behavior (148)

Timeline


Language

en (84)
zh (64)


Country


Actors


Activities

Interest

Timeline


Type


Vendor


Product

ONLYOFFICE Document Server (8)
Microsoft Windows (6)
LiveCMS (4)
Redis (4)
Fortinet FortiOS (4)


Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Cou | KEV | EPSS | CTI | CVE |
|---|---------------|------|------|------|-------|-----|-----|-----|------|-----|-----|
| 1 | jQuery jQuery.globalEval DOM cross site scripting | 6.3 | 6.3 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00000 | 0.04 | CVE-2017-16012 |
| 2 | Openfind Mail2000 Email Content cross site scripting | 5.0 | 5.0 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00054 | 0.07 | CVE-2023-28705 |
| 3 | Microsoft IIS uncpath cross site scripting | 5.2 | 5.0 | $5k-$25k | $0-$5k | Proof-of-Concept | Official fix | | 0.01387 | 0.06 | CVE-2017-0055 |
| 4 | Apache HTTP Server HTTP/2 Request request smuggling | 6.4 | 6.4 | $25k-$100k | $5k-$25k | Not defined | Not defined | possible | 0.75824 | 0.05 | CVE-2020-9490 |
| 5 | Trend Micro Apex One privileges management | 6.5 | 6.5 | $5k-$25k | $0-$5k | Attacked | Not defined | verified | 0.01017 | 0.09 | CVE-2020-24557 |
| 6 | Red Hat WildFly Blacklist Filter File information disclosure | 7.5 | 7.1 | $5k-$25k | $0-$5k | Proof-of-Concept | Official fix | | 0.24830 | 0.02 | CVE-2016-0793 |
| 7 | D-Link DIR-605 B2 POST Request getcfg.php information disclosure | 6.2 | 6.2 | $5k-$25k | $0-$5k | Attacked | Not defined | verified | 0.93496 | 0.00 | CVE-2021-40655 |
| 8 | SourceCodester Online Eyewear Shop view_category.php sql injection | 7.5 | 7.3 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.00062 | 0.02 | CVE-2024-9081 |
| 9 | y_project RuoYi Backend User Import SysUserServiceImpl.java SysUserServiceImpl cross site scripting | 4.1 | 4.0 | $0-$5k | $0-$5k | Proof-of-Concept | Official fix | | 0.00138 | 0.00 | CVE-2024-9048 |
| 10 | Stirling-Tools Stirling-PDF Markdown-to-PDF cross site scripting | 3.5 | 3.5 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00024 | 0.02 | CVE-2024-9075 |
| 11 | code-projects Patient Record Management System login.php sql injection | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.00021 | 0.06 | CVE-2024-9034 |
| 12 | code-projects Blood Bank System bbms.php cross site scripting | 5.3 | 5.3 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.00077 | 0.04 | CVE-2024-9084 |
| 13 | PrestaShop information disclosure | 5.3 | 5.2 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00064 | 0.00 | CVE-2024-34717 |
| 14 | LiveCMS Error Message categoria.php information disclosure | 9.8 | 9.5 | $0-$5k | $0-$5k | High | Unavailable | possible | 0.03504 | 0.00 | CVE-2007-3290 |
| 15 | LiveCMS article.php cross site scripting | 4.3 | 3.9 | $0-$5k | $0-$5k | Proof-of-Concept | Unavailable | | 0.02443 | 0.00 | CVE-2007-3291 |
| 16 | ZTE Router HTTPD Binary webPrivateDecrypt stack-based overflow | 9.8 | 9.8 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00417 | 0.05 | CVE-2024-45414 |
| 17 | SourceCodester Employee Management System add-admin.php cross site scripting | 2.4 | 2.3 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.00081 | 0.04 | CVE-2024-9083 |
| 18 | SourceCodester Online Eyewear Shop User Creation Users.php improper authorization | 8.1 | 7.8 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.00230 | 0.06 | CVE-2024-9082 |
| 19 | code-projects Student Record System pincode-verification.php sql injection | 8.1 | 7.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.00163 | 0.04 | CVE-2024-9080 |
| 20 | Python CPython zipfile Module extractall infinite loop | 7.5 | 7.3 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00091 | 0.03 | CVE-2024-8088 |

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • South Korea

IOC - Indicator of Compromise (9)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (16)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (60)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|----|-------|-----------|------|------------|
| 1 | File | /Admin/add-admin.php | predictive | High |
| 2 | File | /baseOpLog.do | predictive | High |
| 3 | File | /cgi-bin/luci/api/auth | predictive | High |
| 4 | File | /classes/Users.php?f=save | predictive | High |
| 5 | File | /debug/pprof | predictive | Medium |
| 6 | File | /getcfg.php | predictive | Medium |
| 7 | File | /pincode-verification.php | predictive | High |

References (2)

The following list contains external sources which discuss the actor and the associated activities:
