PoshC2 Analysis

IOB - Indicator of Behavior (508)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en370
de96
zh22
pl8
ru4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

us388
cn34
ru16
tr4
gb4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Microsoft Windows10
Apple QuickTime8
Cisco Small Business RV0164
Cisco Small Business RV0424
Cisco Small Business RV042G4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemCTIEPSSCVE
1Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure5.35.2$5k-$25k$0-$5kHighWorkaround0.020.02016CVE-2007-1192
2DZCP deV!L`z Clanportal config.php code injection7.36.6$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.690.00943CVE-2010-0966
3TikiWiki tiki-register.php input validation7.36.6$0-$5k$0-$5kProof-of-ConceptOfficial Fix7.090.01009CVE-2006-6168
4FreeBSD FPU x87 Register information disclosure4.03.8$0-$5k$0-$5kNot DefinedOfficial Fix0.000.00000
5Russcom Network Loginphp register.php cross site scripting4.34.1$0-$5k$0-$5kProof-of-ConceptUnavailable0.040.00677CVE-2006-2160
6Jelsoft vBulletin register.php denial of service7.37.3$0-$5k$0-$5kNot DefinedNot Defined0.000.01562CVE-2006-4272
7CONTROLzx HMS register_domain.php cross site scripting3.53.3$0-$5kCalculatingProof-of-ConceptNot Defined0.000.00000
8Ultimate PHP Board register.php unknown vulnerability5.35.3$0-$5k$0-$5kNot DefinedNot Defined0.000.00317CVE-2006-3206
9SloughFlash SF-Users register.php cross site scripting4.34.1$0-$5k$0-$5kProof-of-ConceptNot Defined0.000.00587CVE-2006-2167
10Linux Kernel FXSAVE x87 Register cryptographic issues4.33.9$5k-$25kCalculatingProof-of-ConceptOfficial Fix0.020.00101CVE-2006-1056
11MGB OpenSource Guestbook email.php sql injection7.37.3$0-$5k$0-$5kHighUnavailable0.600.01302CVE-2007-0354
12Cisco AnyConnect Secure Mobility Client Profile Editor xml external entity reference4.94.9$0-$5k$0-$5kNot DefinedNot Defined0.000.00074CVE-2018-0100
13Citrix Workspace App Automatic Updater Service access control7.57.5$5k-$25k$5k-$25kNot DefinedOfficial Fix0.030.00088CVE-2020-8207
14X7 Group X7 Chat register.php cross site scripting4.33.9$0-$5kCalculatingProof-of-ConceptOfficial Fix0.020.00615CVE-2006-2282
15Kailash Nadh boastMachine Admin Interface register.php cross site scripting4.33.8$0-$5kCalculatingProof-of-ConceptUnavailable0.020.00807CVE-2006-3826
16GeoClassifieds Enterprise register.php cross site scripting3.53.3$0-$5k$0-$5kProof-of-ConceptNot Defined0.020.00000
17PhotoPost PHP register.php privileges management5.35.3$0-$5k$0-$5kNot DefinedNot Defined0.020.00000
18Tritanium Bulletin Board register.php cross site scripting4.34.1$0-$5k$0-$5kProof-of-ConceptNot Defined0.030.00677CVE-2006-1815
19nginx request smuggling6.96.9$0-$5k$0-$5kNot DefinedNot Defined0.090.00241CVE-2020-12440
20Asus RT-AX82U HTTP Request get_IFTTTTtoken.cgi a key past its expiration date8.58.4$0-$5k$0-$5kNot DefinedNot Defined0.030.00218CVE-2022-35401

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • PoshC2

IOC - Indicator of Compromise (36)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
13.120.209.174ec2-3-120-209-174.eu-central-1.compute.amazonaws.comPoshC201/16/2024verifiedMedium
23.253.77.60ec2-3-253-77-60.eu-west-1.compute.amazonaws.comPoshC210/27/2023verifiedMedium
313.48.77.144ec2-13-48-77-144.eu-north-1.compute.amazonaws.comPoshC211/01/2023verifiedMedium
413.78.10.244PoshC202/13/2024verifiedHigh
518.134.14.164ec2-18-134-14-164.eu-west-2.compute.amazonaws.comPoshC210/11/2023verifiedMedium
635.80.38.180ec2-35-80-38-180.us-west-2.compute.amazonaws.comPoshC201/02/2024verifiedMedium
735.202.253.4545.253.202.35.bc.googleusercontent.comPoshC203/27/2022verifiedMedium
845.79.196.20345-79-196-203.ip.linodeusercontent.comPoshC210/19/2023verifiedHigh
9XX.XXX.XXX.XXXXxxxxx01/27/2024verifiedHigh
10XX.XXX.XXX.XXXXxxxxx06/22/2021verifiedHigh
11XX.XXX.XX.XXXxxxxx11/22/2023verifiedHigh
12XX.XX.XX.XXXxx.xx.xx.xxx.xxxxxxxxxxxxxxxx.xxxXxxxxx01/04/2024verifiedHigh
13XX.XXX.XXX.XXXXxxxxx11/15/2023verifiedHigh
14XX.XX.XXX.XXxxxxxxxxxxxxxxxxx.xx.xxxxxxxxx.xxxXxxxxx12/10/2023verifiedHigh
15XX.XXX.XXX.XXxxxxxxxxx.xxxxxxxxxxxxx.xxxXxxxxx11/11/2023verifiedHigh
16XX.XXX.X.XXXxxxxxxxx.xxxxxx-xx-xxxxxx.xxXxxxxx10/16/2023verifiedHigh
17XX.XX.XXX.XXxxxxxxxx.xx-xx-xx-xxx.xxXxxxxx10/26/2023verifiedHigh
18XX.XXX.XX.XXXxxxxxxx.xxxxxx.xxxXxxxxx10/09/2023verifiedHigh
19XX.XXX.XXX.XXXXxxxxx10/17/2022verifiedHigh
20XXX.XX.XXX.XXXXxxxxx06/22/2021verifiedHigh
21XXX.XXX.XX.XXXxxxxxx.xxx.xx.xxx.xxx.xxxxxxx.xxxx-xxxxxx.xxXxxxxx11/22/2023verifiedHigh
22XXX.XXX.XXX.XXXxxxxx11/07/2023verifiedHigh
23XXX.XX.XXX.XXxxx.xx.xxx.xx.xxxxxxxxxxxxxxxx.xxxXxxxxx01/02/2024verifiedHigh
24XXX.XXX.XXX.XXXxxxxx12/10/2023verifiedHigh
25XXX.XXX.XX.XXXXxxxxx10/19/2023verifiedHigh
26XXX.XX.XX.XXXXxxxxx01/09/2024verifiedHigh
27XXX.XX.XXX.XXXxxxxx02/20/2024verifiedHigh
28XXX.XXX.XXX.XXXXxxxxx01/25/2024verifiedHigh
29XXX.XXX.XX.XXxxxxxxxxxx.xxxxxxxxxxxxx.xxxXxxxxx12/15/2023verifiedHigh
30XXX.XX.XXX.XXxxx-xxx-xx-xxx-xx.xxxxxxx-x.xxxxxxxxx.xxxXxxxxx11/09/2023verifiedMedium
31XXX.XXX.XX.XXXxxxxx01/26/2024verifiedHigh
32XXX.XXX.XXX.XXXxxxxx10/17/2023verifiedHigh
33XXX.XXX.XX.XXXxxxxx06/22/2021verifiedHigh
34XXX.XXX.XXX.XXXXxxxxx10/09/2023verifiedHigh
35XXX.XXX.XX.XXXxxx-xxx-xx-xxx.xx.xxxxxxxxxxxxxxxxx.xxxXxxxxx10/20/2023verifiedHigh
36XXX.XXX.XXX.XXXxxxxXxxxxx05/31/2021verifiedHigh

TTP - Tactics, Techniques, Procedures (17)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (114)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/admin/config/uploadicon.phppredictiveHigh
2File/admin/del_feedback.phppredictiveHigh
3File/cms/category/listpredictiveHigh
4File/inquiries/view_inquiry.phppredictiveHigh
5File/LoginpredictiveLow
6File/product/savenewproduct.php?flag=1predictiveHigh
7File/searchpredictiveLow
8File/start_apply.htmpredictiveHigh
9File/sysmanage/updatelib.phppredictiveHigh
10File/thruk/#cgi-bin/extinfo.cgi?type=2predictiveHigh
11File/var/log/nginxpredictiveHigh
12Filebooking.phppredictiveMedium
13Filebrowse-category.phppredictiveHigh
14FileBSW_cxttongr.htmpredictiveHigh
15Filecat.asppredictiveLow
16Filexxxxxxxx.xxxpredictiveMedium
17Filexxxxxxxxxx/xxxxxxx.xxxxpredictiveHigh
18Filexxxx/xxxxxxxxxxxxxxx.xxxpredictiveHigh
19Filexxxxxxxx.xxxpredictiveMedium
20Filexxxxxxxxxxx.xxxpredictiveHigh
21Filexxxxxxxx.xxxpredictiveMedium
22Filexxxxx.xxxpredictiveMedium
23Filexxxxxxxxxxxx.xxxpredictiveHigh
24Filexxxx.xxxpredictiveMedium
25Filexxx_xxxxxxxxxxx.xxxpredictiveHigh
26Filexxxx.xxxpredictiveMedium
27Filexxx/xxxxxx.xxxpredictiveHigh
28Filexxx/xxxxxxxxxxx/xxxxxxx.xxxpredictiveHigh
29Filexxxxx.xxxpredictiveMedium
30Filexxxxx.xxxpredictiveMedium
31Filexxxxx.xxx?xx=xxxxxxxxxx&xxxxpredictiveHigh
32Filexxxxxxx.xpredictiveMedium
33Filexxxxxxxxxxx-xxxxxxx-xxxx.xxxx.xxxpredictiveHigh
34Filexxxxxxxx/xxxxxxxx_xxxxxxx_xxxxxx/xxxxx.xxxpredictiveHigh
35Filexxxx.xxxpredictiveMedium
36Filexxxxx.xxxpredictiveMedium
37Filexxxxxxx.xxxpredictiveMedium
38Filexxx_xxxx_xxx_xxxxxxxxxx.xpredictiveHigh
39Filexxx_xxxx.xxxpredictiveMedium
40Filexxxx_xxxxxxx.xxxpredictiveHigh
41Filexxxxx_xxx.xxxpredictiveHigh
42Filexxxxx.xxxpredictiveMedium
43Filexxxxx.xxxpredictiveMedium
44Filexxxxxxxxxx.xxxpredictiveHigh
45Filexxxxxxxx.xxxxpredictiveHigh
46Filexxxxxxxx.xxxpredictiveMedium
47Filexxxxxxxx/xxxxx/xxxxxxxx?xxxxxxxxpredictiveHigh
48Filexxxxxxxx_xxxxxx.xxxpredictiveHigh
49Filexxxxxxx/xxxxxxxxxx.xxxpredictiveHigh
50Filexxxxxx.xxpredictiveMedium
51Filexxxxxxx/xxxxxxxx.xxxpredictiveHigh
52Filexxxxx.xxxpredictiveMedium
53Filexxxxxx.xxxpredictiveMedium
54Filexxxxxx-xxxxxx.xxxpredictiveHigh
55Filexxxx-xxxxxxxx.xxxpredictiveHigh
56Filexxxxx_xxxxxx.xxxpredictiveHigh
57Filexxxxxx.xxxpredictiveMedium
58Filexx-xxxxx/xxxxx-xxx.xxx?xxxxxxx-xxxxxxxxpredictiveHigh
59Filexxxx.xxpredictiveLow
60File~/xxx/xxxx-xxxxxxxxx.xxxpredictiveHigh
61File~/xxx-xxx-xxxx.xxxpredictiveHigh
62Libraryxxxxxxxx.xxxpredictiveMedium
63Libraryxxxxxx.xxxxx.xxxxxxxpredictiveHigh
64Argumentxx_xxxx_xxxxpredictiveMedium
65ArgumentxxxxxxxpredictiveLow
66ArgumentxxxxxxxxxpredictiveMedium
67ArgumentxxxxxxpredictiveLow
68ArgumentxxxxxxxxpredictiveMedium
69ArgumentxxxpredictiveLow
70ArgumentxxxpredictiveLow
71Argumentxxx/xxxxx_xxxx/xxxxxx_xxxx/xxxxxxx_x/xxxxxxxpredictiveHigh
72Argumentxxxxxxx_xxxxxpredictiveHigh
73Argumentxxxxxxx/xxxx/xxxxx_xxxxx_xxpredictiveHigh
74Argumentx[xxxxx]predictiveMedium
75ArgumentxxxxxxxpredictiveLow
76ArgumentxxxxxxxxpredictiveMedium
77Argumentxxxxxxx=xxxxxxxxpredictiveHigh
78Argumentxx_xxxxxpredictiveMedium
79ArgumentxxxxpredictiveLow
80ArgumentxxxxxxxxpredictiveMedium
81Argumentxxxx_xxxxxxpredictiveMedium
82ArgumentxxxxxxxxxxpredictiveMedium
83Argumentxxxx/xxxxxxx/xxxxxxxpredictiveHigh
84Argumentxxxx_xxpredictiveLow
85ArgumentxxxxpredictiveLow
86ArgumentxxpredictiveLow
87Argumentxx_xxxxxpredictiveMedium
88ArgumentxxxxxpredictiveLow
89ArgumentxxxxxxxxpredictiveMedium
90ArgumentxxxxxpredictiveLow
91ArgumentxxxxxxxxxxxpredictiveMedium
92Argumentxxxx-xxx-xxxxxxxxxpredictiveHigh
93Argumentxxxxx_xxpredictiveMedium
94ArgumentxxxxpredictiveLow
95Argumentxxxx_xxxxxpredictiveMedium
96Argumentxxxxxxx_xxxpredictiveMedium
97ArgumentxxxxxxxxpredictiveMedium
98Argumentxx_xxxxpredictiveLow
99Argumentxxxxxxx_xxxxpredictiveMedium
100ArgumentxxxxxxpredictiveLow
101ArgumentxxxpredictiveLow
102ArgumentxxxpredictiveLow
103ArgumentxxxxxxxxpredictiveMedium
104Argumentxxxxx/xxxpredictiveMedium
105ArgumentxxxxxxpredictiveLow
106ArgumentxxxxxxxpredictiveLow
107ArgumentxxxxxpredictiveLow
108ArgumentxxxxxpredictiveLow
109ArgumentxxxxxxpredictiveLow
110ArgumentxxxpredictiveLow
111ArgumentxxxpredictiveLow
112ArgumentxxxxxxxxpredictiveMedium
113ArgumentxxxpredictiveLow
114Pattern|xx|predictiveLow

References (30)

The following list contains external sources which discuss the actor and the associated activities:

Interested in the pricing of exploits?

See the underground prices here!