DarkCrystalRAT Analysisinfo

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (267)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Language

en234
ru10
es10
de6
fr4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

US: USA80
RU: Russia24
ES: Spain8
DE: Germany4
RS: Serbia2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

DarkCrystalRAT3
FIN71
Meterpreter1
FelixRoot1
RedLine Stealer1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined102
Content Management System16
Router Operating System12
Web Browser8
Smartphone Operating System8

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined66
Apple12
Google8
Oracle8
Cisco8

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Google Chrome6
Qualcomm Snapdragon Auto6
Qualcomm Snapdragon Compute6
Qualcomm Snapdragon Connectivity6
Qualcomm Snapdragon Consumer IOT6

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

#VulnerabilityBaseTemp0dayTodayExpCouKEVEPSSCTICVE
1PHP Link Directory Administration Page index.html cross site scripting4.34.3$0-$5k$0-$5kNot definedNot defined 0.002850.26CVE-2007-0529
2DZCP deV!L`z Clanportal config.php code injection7.36.6$0-$5k$0-$5kProof-of-ConceptOfficial fix 0.009700.43CVE-2010-0966
3Microsoft Windows New Horizon Data Systems Boot Loader privilege escalation6.16.0$25k-$100k$0-$5kNot definedOfficial fix 0.000740.00CVE-2022-34302
4Rockwell Automation RSLinx Enterprise Service Port 4444 LogReceiver.exe out-of-bounds7.47.3$0-$5k$0-$5kNot definedWorkaround 0.000340.00CVE-2013-2807
5SAP NetWeaver Compare Systems information disclosure5.35.3$5k-$25k$0-$5kNot definedNot defined 0.004250.00CVE-2020-6366
6Microsoft Windows WDAC OLE DB Provider for SQL Server Remote Code Execution8.88.1$25k-$100k$5k-$25kUnprovenOfficial fix 0.154940.01CVE-2024-21391
7Watchguard Firebox/XTM Remote Code Execution8.68.5$0-$5k$0-$5kHighOfficial fixverified0.927620.04CVE-2022-26318
8Zentrack index.php privileges management7.37.0$0-$5k$0-$5kNot definedOfficial fix 0.000000.00
9Microsoft IIS uncpath cross site scripting5.25.0$5k-$25k$0-$5kProof-of-ConceptOfficial fix 0.013870.34CVE-2017-0055
10Matrix Synap JSON denial of service5.95.6$0-$5kCalculatingNot definedOfficial fix 0.009550.02CVE-2020-26890
11Invision Power Services IP.Board URL resource management5.35.1$0-$5kCalculatingNot definedOfficial fix 0.004910.00CVE-2015-6812
12TypeORM Prototype modification of assumed-immutable data8.58.5$0-$5k$0-$5kNot definedNot defined 0.002460.00CVE-2020-8158
13ORing IAP-420 Web Interface cross site scripting3.53.2$0-$5k$0-$5kProof-of-ConceptNot defined 0.002780.00CVE-2024-5410
14Apache HTTP Server race condition9.39.3$5k-$25k$0-$5kNot definedNot defined 0.000870.05CVE-2007-1741
15Green Packet DX-350 hard-coded credentials8.58.5$0-$5k$0-$5kNot definedNot defined 0.004410.00CVE-2017-9932
16Proxmox pve-manager handle_api2_request file inclusion6.66.5$0-$5k$0-$5kNot definedOfficial fix 0.000810.00CVE-2024-21545
17Asterisk SIP Request incorrect implementation of authentication algorithm5.55.4$0-$5k$0-$5kNot definedOfficial fix 0.001780.04CVE-2024-35190
18Fortinet FortiGate Log privileges management4.03.8$0-$5k$0-$5kNot definedOfficial fix 0.002780.04CVE-2020-12818
19Softaculous Loginizer Plugin cross-site request forgery5.85.8$0-$5k$0-$5kNot definedNot defined 0.000600.00CVE-2022-45079
20Terrasoft Bpm'online CRM-System SDK Terrasoft.Core.DB.Column.Const sql injection8.58.5$0-$5k$0-$5kNot definedNot defined 0.003070.00CVE-2019-15301

IOC - Indicator of Compromise (4)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
131.7.58.82no-rdns.offshorededicated.netDarkCrystalRAT07/21/2022verifiedMedium
2XX.XXX.X.XXXxxxxxxxxxxxxx07/29/2022verifiedMedium
3XXX.XX.XXX.XXXxxx-xx-xxx-xxx.xxxxxx.xxxxxxx-xxx.xxxXxxxxxxxxxxxxx07/21/2022verifiedMedium
4XXX.XX.XXX.XXXxxxxxxxxxxxxx07/21/2022verifiedMedium

TTP - Tactics, Techniques, Procedures (20)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueClassVulnerabilitiesAccess VectorTypeConfidence
1T1006CAPEC-126CWE-22Path TraversalpredictiveHigh
2T1040CAPEC-102CWE-294Authentication Bypass by Capture-replaypredictiveHigh
3T1055CAPEC-10CWE-74Improper Neutralization of Data within XPath ExpressionspredictiveHigh
4T1059CAPEC-242CWE-94Argument InjectionpredictiveHigh
5TXXXX.XXXCAPEC-XXXCWE-XX, CWE-XXXxxxx Xxxxx Xxxx XxxxxxxxxpredictiveHigh
6TXXXXCAPEC-XXXCWE-XXX, CWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
7TXXXX.XXXCWE-XXXXxx Xx Xxxx-xxxxx XxxxxxxxpredictiveHigh
8TXXXX.XXXCAPEC-XXXCWE-XXXXxxx-xxxxx XxxxxxxxxxxpredictiveHigh
9TXXXXCAPEC-XXXCWE-XX, CWE-XXXxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx XxxxxxxxxpredictiveHigh
10TXXXX.XXXCAPEC-XXXCWE-XXXXxxx XxxxxxxxpredictiveHigh
11TXXXXCWE-XXX7xx Xxxxxxxx XxxxxxxxpredictiveHigh
12TXXXXCWE-XXXXxxxxxxxxx XxxxxxpredictiveHigh
13TXXXXCAPEC-XXXCWE-XXXxx XxxxxxxxxpredictiveHigh
14TXXXX.XXXCAPEC-XCWE-XXXXxxxxxxx XxxxxxxxxxxxxpredictiveHigh
15TXXXXCAPEC-XXXCWE-XXX, CWE-XXXXxxxxxxxxxx XxxxxxxxxxpredictiveHigh
16TXXXX.XXXCAPEC-XXXCWE-XXXXxxxxxxxxxxxpredictiveHigh
17TXXXX.XXXCAPEC-XXXCWE-XXXXxxxxxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
18TXXXXCAPEC-XXXCWE-XXX, CWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
19TXXXXCAPEC-XXXCWE-XXXXxxxxxxxxxxxx XxxxxxpredictiveHigh
20TXXXX.XXXCAPEC-XCWE-XXXXxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx XxxxxxxxxpredictiveHigh

IOA - Indicator of Attack (100)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/backupsettings.confpredictiveHigh
2File/exportpredictiveLow
3File/horde/util/go.phppredictiveHigh
4File/show_news.phppredictiveHigh
5File/uncpath/predictiveMedium
6Fileadclick.phppredictiveMedium
7Fileadmin/dashboard.phppredictiveHigh
8Fileadmin/index.phppredictiveHigh
9Fileadmin/tools/dolibarr_export.phppredictiveHigh
10Fileadv_remotelog.asppredictiveHigh
11Fileapi.phppredictiveLow
12Filexxx/xxxxx/xxxxxxxxxx/xxxx.xxxpredictiveHigh
13Filexxxx-xxxx.xpredictiveMedium
14Filexxxxxxx.xxpredictiveMedium
15Filexxxx.xxxpredictiveMedium
16Filex:\xxxxxxxxxxpredictiveHigh
17Filexxx.xxxpredictiveLow
18Filexxx.xxxpredictiveLow
19Filexxx_xxx_xxx.xxxpredictiveHigh
20Filexxxxxxxxxx.xxxxxx.xxxpredictiveHigh
21Filexxxxxxxxxx_xxxxx.xxxpredictiveHigh
22Filexxxxxx.xxpredictiveMedium
23Filexxxx/xxx/xxxxx/xxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxx.xxxxxxxxpredictiveHigh
24Filexxxx/xxxxxxxxxxxxxxx.xxxpredictiveHigh
25Filexxxxxxxxxx_xxxxxx.xpredictiveHigh
26Filexxx.xxxpredictiveLow
27Filexxxxxxx.xxxpredictiveMedium
28Filexxxxx.xxxpredictiveMedium
29Filexxxxx.xxxpredictiveMedium
30Filexxxxxxxx/xxxxxx/xxxxx.xxxpredictiveHigh
31Filexxxxxxxx.xxxpredictiveMedium
32Filexxxxxx/x.xxxpredictiveMedium
33Filexxx/xxxxxx.xxxpredictiveHigh
34Filexxxxxxxx/xxxxxxx/xxxxx_xxxxxxx.xxxpredictiveHigh
35Filexxxxx.xxxxpredictiveMedium
36Filexxxxx.xxxpredictiveMedium
37Filexx xxx/xxxx/xxxx.xpredictiveHigh
38Filexxx/xxxxxx.xxxpredictiveHigh
39Filexxxxxx/xxx/xxxxxxxx.xpredictiveHigh
40Filexxxxxxxxxxx/xx_xxxxxxxxxx.xpredictiveHigh
41Filexxxx/xxxxxxx/xxxxxxxxxxxxx.xxpredictiveHigh
42Filexxxx/xxxxxxx/xxxxxxx.xpredictiveHigh
43Filexxxxx.xxxpredictiveMedium
44Filexxxxxxxxxxx.xxxpredictiveHigh
45Filexxxx/xxxxxxxx/xxxxxx_xxxx.xxxpredictiveHigh
46Filexxxxxxx/xxxxxxxx/xxxxxxxx/xxxxxx.xxxpredictiveHigh
47Filexxxxx.xxxpredictiveMedium
48Filexxxxxxxxx/xxxx-xxxxpredictiveHigh
49Filexxxxxxx.xxxpredictiveMedium
50Filexxxxxxxxxxxx.xxpredictiveHigh
51Filexxxxxxxx/xxxxx/xxxxxxxx?xxxxxxxxpredictiveHigh
52Filexxxxxx.xpredictiveMedium
53Filexxxx_xxxxxxx.xxxpredictiveHigh
54Filexxxxx.xpredictiveLow
55Filexxxx.xxpredictiveLow
56Filexxxxxxxx.xxxpredictiveMedium
57Filexxxxxx.xxxpredictiveMedium
58Filexxxxxxxx/xxxxx_xxxxxpredictiveHigh
59Filexxxx-xxxxxxx-xxxxxx.xxxpredictiveHigh
60Filexxxxxx/xx/xxxx.xxxpredictiveHigh
61Filexx-xxxxx/xxxxxxxx/xxxxx-xx-xxxxx-xxxx.xxxpredictiveHigh
62Filexx-xxxx.xxxpredictiveMedium
63Filexx/xxx.xxxpredictiveMedium
64File~/xxx/xxxx-xxxxxxxxx.xxxpredictiveHigh
65ArgumentxxxxxxxxpredictiveMedium
66Argumentxxx_xxxxxx_xpredictiveMedium
67ArgumentxxxpredictiveLow
68ArgumentxxxxxxpredictiveLow
69ArgumentxxxxxxxxxxpredictiveMedium
70ArgumentxxxxpredictiveLow
71ArgumentxxxxxxxxxxxxpredictiveMedium
72Argumentxxxxx xxxx/xxxx xxxxpredictiveHigh
73ArgumentxxxxxxxpredictiveLow
74ArgumentxxxxxpredictiveLow
75Argumentxxxx_xxxpredictiveMedium
76ArgumentxxxxpredictiveLow
77ArgumentxxpredictiveLow
78Argumentxx_xxxxxxxpredictiveMedium
79ArgumentxxxxxxpredictiveLow
80Argumentxxxxxxxx_xxxpredictiveMedium
81ArgumentxxxxpredictiveLow
82Argumentx_xxx_xxxxxxpredictiveMedium
83ArgumentxxxxxxxxxxxxpredictiveMedium
84Argumentxxxx_xxxxxpredictiveMedium
85ArgumentxxxxxxxxpredictiveMedium
86ArgumentxxxxxxxxxxxpredictiveMedium
87ArgumentxxxxxxxxxpredictiveMedium
88Argumentxxxx_xxxxxx/xxxxxx/xxxxxxpredictiveHigh
89ArgumentxxxxxxxxxxxxxxxxpredictiveHigh
90ArgumentxxxxxpredictiveLow
91ArgumentxxxxpredictiveLow
92ArgumentxxxpredictiveLow
93ArgumentxxxpredictiveLow
94ArgumentxxxxpredictiveLow
95ArgumentxxxxxpredictiveLow
96Argumentxxxxxxxxxxx_xxxxxxxxpredictiveHigh
97Input Valuex.x.x.x%xxxxxx+-x+x+xxx.xxx.x.xx%xxpredictiveHigh
98Input Valuexxx (xxxxxx xxxx xxxx(xxxxxx xxxxx(*),xxxxxx(xxxxxxxxxxxx,(xxxxxx (xxx(xxxx=xxxx,x))),xxxxxxxxxxxx,xxxxx(xxxx(x)*x))x xxxx xxxxxxxxxxx_xxxxxx.xxxxxxxxx_xxxx xxxxx xx x)x)predictiveHigh
99Network Portxxx/xxxxxpredictiveMedium
100Network Portxxx/xxxxpredictiveMedium

References (3)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

This view requires CTI permissions

Just purchase a CTI license today!