Exchange Marauder Analysis

IOB - Indicator of Behavior (347)

Timeline

Language

en: 284
zh: 50
fr: 6
ru: 6
ko: 2

Country

Actors

Activities

Interest

Timeline

Type

Vendor

Product

Microsoft Windows: 10
Casdoor: 8
Nagios XI: 6
Apache HTTP Server: 6
MikroTik RouterOS: 4

Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

| # | Vulnerability | Base | Temp | 0day | Today | Exploit | Countermeasure | KEV | EPSS | CTI | CVE |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | possible | 0.02956 | 0.00 | CVE-2007-1192 |
| 2 | net2ftp path traversal | 7.3 | 6.4 | $0-$5k | $0-$5k | Unproven | Official fix | | 0.00430 | 0.00 | CVE-2008-5275 |
| 3 | gsap Package denial of service | 5.3 | 5.1 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00627 | 0.01 | CVE-2020-28478 |
| 4 | Nextcloud NextcloudPi Web-Panel os command injection | 9.9 | 9.7 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00990 | 0.08 | CVE-2024-30247 |
| 5 | Linux Kernel Pipe Dirty Pipe privilege escalation | 6.3 | 6.0 | $5k-$25k | $0-$5k | Attacked | Official fix | verified | 0.85235 | 0.00 | CVE-2022-0847 |
| 6 | Softnext SPAM SQR code injection | 7.2 | 7.2 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00229 | 0.00 | CVE-2023-24835 |
| 7 | TikiWiki tiki-register.php input validation | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official fix | | 0.04277 | 0.16 | CVE-2006-6168 |
| 8 | NextCloud Global Site Selector authentication bypass | 8.6 | 8.5 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.01151 | 0.00 | CVE-2024-22212 |
| 9 | MWChat Pro Help about.php file inclusion | 7.3 | 7.3 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00612 | 0.00 | CVE-2006-5904 |
| 10 | Phicomm k2 command injection | 6.6 | 6.5 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00110 | 0.00 | CVE-2023-40796 |
| 11 | Metalinks Metacart2 productsbycategory.asp sql injection | 7.3 | 7.3 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00614 | 0.09 | CVE-2005-1363 |
| 12 | Yii Yii2 Gii cross site scripting | 4.4 | 4.4 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00127 | 0.02 | CVE-2022-34297 |
| 13 | Microsoft Windows Clipboard User Service privilege escalation | 7.2 | 6.8 | $25k-$100k | $5k-$25k | Unproven | Official fix | | 0.00462 | 0.00 | CVE-2022-21869 |
| 14 | SourceCodester Online Flight Booking Management System POST Parameter review_search.php sql injection | 7.5 | 7.3 | $0-$5k | Calculating | Proof-of-Concept | Not defined | | 0.00057 | 0.07 | CVE-2023-0283 |
| 15 | Microsoft IIS IP/Domain Restriction access control | 6.5 | 5.7 | $25k-$100k | $0-$5k | Unproven | Official fix | | 0.15547 | 0.22 | CVE-2014-4078 |
| 16 | FuelPHP code injection | 7.3 | 7.3 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.01963 | 0.00 | CVE-2014-1999 |
| 17 | phpLDAPadmin cmd.php LDAP injection ldap injection | 8.5 | 7.7 | $0-$5k | Calculating | Proof-of-Concept | Not defined | | 0.00450 | 0.00 | CVE-2018-12689 |
| 18 | FreeBSD setrlimit memory corruption | 6.5 | 6.3 | $0-$5k | $0-$5k | Proof-of-Concept | Official fix | | 0.00144 | 0.02 | CVE-2017-1085 |
| 19 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official fix | | 0.00970 | 0.11 | CVE-2010-0966 |
| 20 | Zoho ManageEngine ServiceDesk Plus API Endpoint User credentials management | 5.3 | 5.3 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.04676 | 0.00 | CVE-2018-7248 |

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Exchange Marauder

IOC - Indicator of Compromise (13)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (22)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

| ID | Technique | Class | Vulnerabilities | Access Vector | Type | Confidence |
|---|---|---|---|---|---|---|
| 1 | T1006 | CAPEC-126 | CWE-21, CWE-22, CWE-23, CWE-24 | Path Traversal | predictive | High |
| 2 | T1055 | CAPEC-10 | CWE-74 | Improper Neutralization of Data within XPath Expressions | predictive | High |
| 3 | T1059 | CAPEC-137 | CWE-88, CWE-94 | Argument Injection | predictive | High |
| 4 | T1059.007 | CAPEC-209 | CWE-79, CWE-80 | Basic Cross Site Scripting | predictive | High |
| 5 | T1068 | CAPEC-104 | CWE-250, CWE-264, CWE-269, CWE-284 | Execution with Unnecessary Privileges | predictive | High |

IOA - Indicator of Attack (141)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|---|---|---|---|---|
| 1 | File | .htaccess | predictive | Medium |
| 2 | File | /Admin/add-fee.php | predictive | High |
| 3 | File | /admin/educloud/videobind.html | predictive | High |
| 4 | File | /admin/invoice.php | predictive | High |
| 5 | File | /cgi-bin/luci/api/auth | predictive | High |
| 6 | File | /conf/app.conf | predictive | High |
| 7 | File | /filemanager/upload.php | predictive | High |
| 8 | File | /public/login.htm | predictive | High |
| 9 | File | /resources//../ | predictive | High |
| 10 | File | /sdTodoDetail.jsp | predictive | High |
| 11 | File | /src/Illuminate/Laravel.php | predictive | High |
| 12 | File | /static/libs/common/jquery.stickyNavbar.min.js | predictive | High |
| 13 | File | /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php | predictive | High |
| 14 | File | /usr/local/WowzaStreamingEngine/bin/ | predictive | High |
| 15 | File | /wp-json/oembed/1.0/embed?url | predictive | High |
| 16 | File | about.php | predictive | Medium |

References (2)

The following list contains external sources which discuss the actor and the associated activities: