Exchange Marauder Analysis

IOB - Indicator of Behavior (319)

Lang

  • en (264)
  • zh (44)
  • fr (4)
  • ru (2)
  • ko (2)

Product

  • Nagios XI (6)
  • Microsoft Windows (6)
  • Linux Kernel (6)
  • Apache HTTP Server (6)
  • phpMyAdmin (4)

Vulnerabilities

#  | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1  | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | 0.02016 | 0.00 | CVE-2007-1192
2  | net2ftp path traversal | 7.3 | 6.4 | $0-$5k | $0-$5k | Unproven | Official Fix | 0.03501 | 0.00 | CVE-2008-5275
3  | Nextcloud NextcloudPi Web-Panel os command injection | 9.9 | 9.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00043 | 0.05 | CVE-2024-30247
4  | Linux Kernel Pipe Dirty Pipe Privilege Escalation | 6.3 | 6.0 | $5k-$25k | $0-$5k | High | Official Fix | 0.12091 | 0.00 | CVE-2022-0847
5  | NextCloud Global Site Selector authentication bypass | 8.6 | 8.5 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00097 | 0.00 | CVE-2024-22212
6  | MWChat Pro Help about.php file inclusion | 7.3 | 7.3 | $0-$5k | Calculating | Not Defined | Not Defined | 0.00734 | 0.00 | CVE-2006-5904
7  | Phicomm k2 command injection | 6.6 | 6.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00044 | 0.06 | CVE-2023-40796
8  | Metalinks Metacart2 productsbycategory.asp sql injection | 7.3 | 7.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00142 | 0.05 | CVE-2005-1363
9  | Yii Yii2 Gii cross site scripting | 4.4 | 4.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00058 | 0.00 | CVE-2022-34297
10 | Microsoft Windows Clipboard User Service Privilege Escalation | 7.2 | 6.5 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.00043 | 0.12 | CVE-2022-21869
11 | SourceCodester Online Flight Booking Management System POST Parameter review_search.php sql injection | 7.5 | 7.3 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00147 | 0.00 | CVE-2023-0283
12 | Microsoft IIS IP/Domain Restriction access control | 6.5 | 5.7 | $25k-$100k | $0-$5k | Unproven | Official Fix | 0.00817 | 0.16 | CVE-2014-4078
13 | FuelPHP code injection | 7.3 | 7.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.03129 | 0.05 | CVE-2014-1999
14 | phpLDAPadmin LDAP injection ldap injection | 8.5 | 7.7 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.02980 | 0.08 | CVE-2018-12689
15 | FreeBSD setrlimit memory corruption | 6.5 | 6.3 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00126 | 0.00 | CVE-2017-1085
16 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00943 | 0.35 | CVE-2010-0966
17 | Zoho ManageEngine ServiceDesk Plus API Endpoint User credentials management | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00466 | 0.05 | CVE-2018-7248
18 | WebARX Plugin Stored cross site scripting | 5.2 | 5.2 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00213 | 0.00 | CVE-2019-17213
19 | jforum User input validation | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00289 | 0.04 | CVE-2019-7550
20 | ShowDoc access control | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00125 | 0.04 | CVE-2018-19620

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Exchange Marauder

IOC - Indicator of Compromise (13)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (20)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (125)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1  | File | .htaccess | predictive | Medium
2  | File | /cgi-bin/luci/api/auth | predictive | High
3  | File | /filemanager/upload.php | predictive | High
4  | File | /resources//../ | predictive | High
5  | File | /src/Illuminate/Laravel.php | predictive | High
6  | File | /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php | predictive | High
7  | File | /usr/local/WowzaStreamingEngine/bin/ | predictive | High
8  | File | /wp-json/oembed/1.0/embed?url | predictive | High
9  | File | about.php | predictive | Medium
10 | File | admin/modules/tools/ip_history_logs.php | predictive | High
11 | File | adminer.php | predictive | Medium
12 | File | admin_feature.php | predictive | High
13 | File | api_poller.php | predictive | High
14 | File | application/controllers/admin/dataentry.php | predictive | High

References (2)

The following list contains external sources which discuss the actor and the associated activities: