PupyRAT Analysis

IOB - Indicator of Behavior (48)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Language

en: 30
zh: 18


Activities

Interest


Product

Cisco IOS XE: 4
Microsoft Windows: 4
Raspberry Pi OS: 2
Cisco IOS: 2
WP Statistics Plugin: 2


Vulnerabilities

These are the vulnerabilities that we have identified as researched, approached, or attacked.

Columns: Base and Temp are the CVSS base and temporal scores; 0day and Today are exploit price estimates; Exp is the exploit availability status; Cou is the countermeasure status; KEV, EPSS and CTI are the exploitation indicators as given on the source page.

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Cou | KEV | EPSS | CTI | CVE |
| 1 | Genivia gSOAP XML Document soap_get integer overflow | 6.8 | 6.5 | $0-$5k | $0-$5k | Not defined | Official fix | possible | 0.40764 | 0.00 | CVE-2017-9765 |
| 2 | Google Android PAC File scanner.cc NewCapacity out-of-bounds write | 7.5 | 7.2 | $25k-$100k | $5k-$25k | Not defined | Official fix | | 0.00682 | 0.00 | CVE-2021-0393 |
| 3 | Zope Module path traversal | 5.0 | 4.8 | $0-$5k | Calculating | Not defined | Official fix | | 0.00524 | 0.00 | CVE-2021-32633 |
| 4 | RabbitMQ rabbitmq_federation_management Plugin cross site scripting | 2.0 | 1.9 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00078 | 0.00 | CVE-2021-32719 |
| 5 | Fortinet FortiWeb HTTP Request stack-based overflow | 9.8 | 9.8 | $0-$5k | $0-$5k | Not defined | Not defined | expected | 0.82165 | 0.00 | CVE-2021-42756 |
| 6 | jsonwebtoken risky encryption | 5.5 | 5.5 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00089 | 0.02 | CVE-2022-23539 |
| 7 | Oracle Application Server sql injection | 9.8 | 8.8 | $5k-$25k | Calculating | Proof-of-Concept | Official fix | | 0.04090 | 0.00 | CVE-2006-3710 |
| 8 | RoundCube E-Mail Message cross site scripting | 3.5 | 3.4 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00940 | 0.03 | CVE-2021-46144 |
| 9 | Microsoft Windows TCP/IP Remote Code Execution | 9.8 | 8.9 | $25k-$100k | $5k-$25k | Unproven | Official fix | expected | 0.84306 | 0.03 | CVE-2022-34718 |
| 10 | Xampp Installation default permission | 6.3 | 6.1 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00093 | 0.06 | CVE-2022-29376 |
| 11 | Jersey File.createTempFile temp file | 4.4 | 4.2 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00153 | 0.00 | CVE-2021-28168 |
| 12 | Esri ArcGIS Server sql injection | 8.1 | 8.0 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00427 | 0.00 | CVE-2021-29114 |
| 13 | Minio Console Operator Console missing authentication | 8.6 | 8.5 | $0-$5k | Calculating | Not defined | Official fix | possible | 0.77746 | 0.04 | CVE-2021-41266 |
| 14 | Progress Telerik UI for ASP.NET AJAX Telerik.Web.UI.WebResource.axd command injection | 8.0 | 8.0 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.01041 | 0.00 | CVE-2021-28141 |
| 15 | Pydio pydio-core proxy.php unrestricted upload | 8.5 | 8.5 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.02015 | 0.02 | CVE-2019-9642 |
| 16 | Kentico CMS Blog Module sql injection | 8.0 | 7.6 | $0-$5k | $0-$5k | Proof-of-Concept | Not defined | | 0.00416 | 0.05 | CVE-2021-27581 |
| 17 | Google Chrome Installer privilege escalation | 5.5 | 5.3 | $25k-$100k | $0-$5k | Not defined | Official fix | | 0.00513 | 0.00 | CVE-2022-0799 |
| 18 | nginx request smuggling | 6.9 | 6.9 | $0-$5k | $0-$5k | Not defined | Not defined | | 0.00000 | 0.62 | CVE-2020-12440 |
| 19 | LiquidFiles sent cross site scripting | 4.8 | 4.6 | $0-$5k | $0-$5k | Not defined | Official fix | | 0.00243 | 0.02 | CVE-2020-29072 |
| 20 | Raspberry Pi OS hard-coded password | 8.8 | 8.1 | $0-$5k | $0-$5k | Proof-of-Concept | Workaround | possible | 0.44553 | 0.04 | CVE-2021-38759 |

Campaigns (2)

These are the campaigns that can be associated with the actor:

IOC - Indicator of Compromise (6)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

| ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence |
| 1 | 45.32.8.143 | 45.32.8.143.vultrusercontent.com | PupyRAT | | 04/18/2024 | verified | High |
| 2 | 45.32.16.248 | 45.32.16.248.vultrusercontent.com | PupyRAT | | 04/18/2024 | verified | High |
| 3 | XX.XX.XXX.XX | xx.xx.xxx.xx.xxxxx.xxx | Xxxxx Xxxxx | Xxxxxxx | 12/17/2020 | verified | Very Low |
| 4 | XX.XXX.XX.XX | | Xxxxx Xxxxx | Xxxxxxx | 12/17/2020 | verified | Low |
| 5 | XXX.XX.XX.XX | | Xxxxxxx | Xxx-x-xxx | 08/16/2024 | verified | Very High |
| 6 | XXX.XX.XX.XXX | | Xxxxx Xxxxx | Xxxxxxx | 12/17/2020 | verified | Low |

Rows 3 to 6 are masked on the source page; only the two PupyRAT entries are readable.
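The two readable IOCs above are only useful once they are checked against traffic. The following Python is an added example (not code from the page or from VulDB's tooling): it takes the two verified IP/hostname pairs from the table and scans constructed resolver and proxy log lines for them. Two practitioner points are built in. First, `*.vultrusercontent.com` is the provider's generic reverse-DNS name for any Vultr address, so the hostname adds no evidence beyond the IP and is matched only as an exact string. Second, a plain substring search on an IP is wrong, because `45.32.8.143` is the tail of the unrelated address `145.32.8.143`; the scanner therefore tokenises dotted quads with lookarounds and validates them. The log lines, the function names and the `Hit` record are all assumptions for the example.

```python
"""Match the PupyRAT IOCs from the table against sample log lines.

Added example, not part of the original page. The IOC values are the two
unmasked, verified rows from the table; the log lines below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# The two unmasked IOC rows from the table, keyed by IP address.
PUPYRAT_IOCS = {
    "45.32.8.143": {
        "hostname": "45.32.8.143.vultrusercontent.com",
        "identified": "2024-04-18",
        "confidence": "High",
    },
    "45.32.16.248": {
        "hostname": "45.32.16.248.vultrusercontent.com",
        "identified": "2024-04-18",
        "confidence": "High",
    },
}
IOC_HOSTNAMES = {v["hostname"].lower(): ip for ip, v in PUPYRAT_IOCS.items()}

# Constructed sample log lines (not from the page): a dnsmasq-style reply,
# a squid-style CONNECT to the second C2 address, benign traffic, and a
# deliberate trap where a different address merely ends with an IOC string.
SAMPLE_LOGS = [
    "Apr 18 10:02:11 resolver dnsmasq[1123]: reply 45.32.8.143.vultrusercontent.com is 45.32.8.143",
    "1713434531.221   1203 10.0.0.17 TCP_TUNNEL/200 5123 CONNECT 45.32.16.248:443 - HIER_DIRECT/45.32.16.248 -",
    "1713434540.004    310 10.0.0.17 TCP_MISS/200 8811 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html",
    "1713434545.900    295 10.0.0.21 TCP_TUNNEL/200 2210 CONNECT 145.32.8.143:443 - HIER_DIRECT/145.32.8.143 -",
]

# Dotted quad not glued to further digits or dots on either side, so an IOC
# never matches as the tail of a longer address or inside a hostname label.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# DNS name: two or more labels of [a-z0-9-] joined by dots.
HOST_RE = re.compile(
    r"(?<![\w.-])[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+(?![\w.-])",
    re.I,
)


@dataclass(frozen=True)
class Hit:
    line_no: int      # 1-based index into the scanned list
    kind: str         # "ip" or "hostname"
    ioc_ip: str       # table key the match resolves to
    confidence: str   # confidence column from the table


def scan(lines):
    """Return one Hit per (line, kind, IOC) found in the lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        seen = set()
        for m in IPV4_RE.finditer(line):
            try:
                ip = str(ipaddress.IPv4Address(m.group(0)))  # rejects octets > 255
            except ipaddress.AddressValueError:
                continue
            if ip in PUPYRAT_IOCS and ("ip", ip) not in seen:
                seen.add(("ip", ip))
                hits.append(Hit(n, "ip", ip, PUPYRAT_IOCS[ip]["confidence"]))
        for m in HOST_RE.finditer(line):
            ip = IOC_HOSTNAMES.get(m.group(0).lower())
            if ip and ("hostname", ip) not in seen:
                seen.add(("hostname", ip))
                hits.append(Hit(n, "hostname", ip, PUPYRAT_IOCS[ip]["confidence"]))
    return hits


def naive_scan(lines):
    """Plain substring search, kept only to show the false positive on line 4."""
    return [(n, ip) for n, line in enumerate(lines, start=1) for ip in PUPYRAT_IOCS if ip in line]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
    print("naive substring hits:", naive_scan(SAMPLE_LOGS))
```

Cloud addresses are reassigned, so a hit on either IP is only meaningful for traffic close to the table's "Identified" date (04/18/2024); compare the log timestamp with that date before raising an alert.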

TTP - Tactics, Techniques, Procedures (10)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (23)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
| 1 | File | burl.c | predictive | Low |
| 2 | File | f_accessory.c | predictive | High |
| 3 | File | lib/curl_sasl.c | predictive | High |
| 4 | File | xxxxxxxxxxx.xx | predictive | High |
| 5 | File | xxxxxxxx/xxxx?xxxxxx=xx | predictive | High |
| 6 | File | xxx/xxxxxxx/xxxxxxx/xxxxxxx.xxxx | predictive | High |
| 7 | File | xxxxx.xxx | predictive | Medium |
| 8 | File | xxxxx-xxxx/xxxxx-xxxxx-xxxx.xxx | predictive | High |
| 9 | File | xxxx.x | predictive | Low |
| 10 | File | xxxxxxx.xx | predictive | Medium |
| 11 | File | xxxxxxx.xxx.xx.xxxxxxxxxxx.xxx | predictive | High |
| 12 | File | xxx-xxx | predictive | Low |
| 13 | File | xx-xxxxxxxx.xxx | predictive | High |
| 14 | File | xx_xxxxxxx.x | predictive | Medium |
| 15 | Argument | xxx | predictive | Low |
| 16 | Argument | xxxx | predictive | Low |
| 17 | Argument | xxxxxxxx | predictive | Medium |
| 18 | Argument | xxxxxxx | predictive | Low |
| 19 | Argument | xxxx_xxxxx | predictive | Medium |
| 20 | Argument | _xxx_xxxxxxxxxxx_ | predictive | High |
| 21 | Input Value | ../../../../../xxx/xxx/xxxxx/xxxx/xxxxxxxx/xxxxx/xxx.xxx | predictive | High |
| 22 | Input Value | /%xx | predictive | Low |
| 23 | Network Port | xxx/xxxx | predictive | Medium |

Indicators 4 to 23 are masked on the source page; only the three file indicators burl.c, f_accessory.c and lib/curl_sasl.c are readable.

References (4)

The following list contains external sources which discuss the actor and the associated activities:
