RagnarLocker Analysis

IOB - Indicator of Behavior (447)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en332
pl34
es16
de16
zh14

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

us258
de48
cn28
ru12
es4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

RagnarLocker28
DanaBot2
Qakbot2
FIN72
RedLine1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined124
Content Management System22
Operating System20
Programming Language Software14
Firewall Software10

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined102
Microsoft28
Oracle10
Apache10
Apple8

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Microsoft Windows14
Apache HTTP Server4
Atlassian JIRA Server4
Palo Alto PAN-OS4
phpMyAdmin4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemCTIEPSSCVE
1DZCP deV!L`z Clanportal config.php code injection7.36.6$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.870.04187CVE-2010-0966
2Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure5.35.2$5k-$25k$0-$5kHighWorkaround0.040.04187CVE-2007-1192
3Phorum register.php cross site scripting6.36.0$0-$5k$0-$5kProof-of-ConceptNot Defined0.050.01213CVE-2007-0769
4Biometric Shift Employee Management System index.php cross site scripting4.44.4$0-$5k$0-$5kNot DefinedNot Defined0.030.00885CVE-2017-17995
5AlstraSoft AskMe Pro register.php cross site scripting3.53.5$0-$5k$0-$5kNot DefinedNot Defined0.060.00000
6Trend Micro HouseCall for Home Networks Library uncontrolled search path6.36.3$5k-$25k$5k-$25kNot DefinedNot Defined0.030.00890CVE-2021-32466
7SSReader Ultra Star Reader ActiveX Control pdg2.dll Register memory corruption10.09.4$0-$5k$0-$5kProof-of-ConceptNot Defined0.010.06523CVE-2007-5892
8Moreover.com Cached Feed.cgi Script cached_feed.cgi path traversal5.35.3$0-$5k$0-$5kNot DefinedNot Defined0.000.04187CVE-2000-0906
9cpCommerce register.php cross site scripting4.34.2$0-$5k$0-$5kHighUnavailable0.010.01319CVE-2007-2968
10The Address Book register.php privileges management7.36.4$0-$5k$0-$5kUnprovenUnavailable0.050.01213CVE-2006-4580
11PsychoStats register.php cross site scripting3.53.5$0-$5k$0-$5kNot DefinedNot Defined0.030.00000
12Phorum register.php sql injection7.37.0$0-$5k$0-$5kNot DefinedOfficial Fix0.010.01055CVE-2004-2110
13SmartDataSoft SmartBlog archive.php sql injection7.37.0$0-$5k$0-$5kNot DefinedOfficial Fix0.020.01055CVE-2021-37538
14Tiki TikiWiki tiki-editpage.php input validation7.36.6$0-$5k$0-$5kProof-of-ConceptOfficial Fix0.270.01319CVE-2004-1386
15Woltlab Burning Board register.php cross site scripting4.34.1$0-$5k$0-$5kProof-of-ConceptNot Defined0.020.01319CVE-2007-1443
16JContentSubscription register.php Local Privilege Escalation5.35.3$0-$5k$0-$5kNot DefinedNot Defined0.010.00000
17Bitweaver register.php cross site scripting4.34.1$0-$5k$0-$5kProof-of-ConceptNot Defined0.030.04894CVE-2007-6374
18LushiWarPlaner register.php sql injection7.37.3$0-$5k$0-$5kHighUnavailable0.010.01139CVE-2007-0864
19Exo ExoPHPdesk register.php cross site scripting4.34.3$0-$5k$0-$5kNot DefinedNot Defined0.050.01319CVE-2007-5990
20Snitz Forums 2000 register.asp cross site scripting4.34.1$0-$5k$0-$5kHighOfficial Fix0.000.04894CVE-2004-2720

IOC - Indicator of Compromise (32)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsTypeConfidence
15.45.65.52RagnarLockerverifiedHigh
223.106.122.192RagnarLockerverifiedHigh
323.227.202.7223-227-202-72.static.hvvc.usRagnarLockerverifiedHigh
437.120.238.107RagnarLockerverifiedHigh
545.63.89.25045.63.89.250.vultr.comRagnarLockerverifiedMedium
645.90.59.131unallocated.layer6.netRagnarLockerverifiedHigh
745.91.93.75mnbbim4.uniteq.xyzRagnarLockerverifiedHigh
8XX.XXX.XX.Xxxxxxxxx.xx.xxxxxxxXxxxxxxxxxxxverifiedHigh
9XX.XXX.XXX.XXXXxxxxxxxxxxxverifiedHigh
10XX.XX.XX.XXxxx-xxx-xxx-xxx.xxx.xxxxxxxx.xxxXxxxxxxxxxxxverifiedHigh
11XX.XX.XXX.XXXxxxxxx.xxx.xxx.xx.xx.xxxxxxx.xxxx-xxxxxx.xxXxxxxxxxxxxxverifiedHigh
12XX.XXX.XXX.XXxx-xxx-xxx-xx-xxxxxx.xxx.xxxxxxxxxxxxxxx.xxxXxxxxxxxxxxxverifiedHigh
13XX.XXX.XXX.XXxxx.xxxxxxx.xx.xxXxxxxxxxxxxxverifiedHigh
14XX.XX.XX.XXXxxxxxxxxxxxverifiedHigh
15XX.XXX.XXX.XXXxxxxxx.xxx.xxx.xxx.xx.xxxxxxx.xxxx-xxxxxx.xxXxxxxxxxxxxxverifiedHigh
16XXX.XX.XXX.XXXxxxx-xxx-xx-xxx-xxx.xxxxxx.xxxx.xxxxxxx.xxxXxxxxxxxxxxxverifiedHigh
17XXX.XX.XXX.XXXxxxx-xxx-xx-xxx-xxx.xxxxxx.xxxx.xxxxxxx.xxxXxxxxxxxxxxxverifiedHigh
18XXX.XXX.XXX.XXxxxxxx.xx.xxx.xxx.xxx.xxxxxxx.xxxx-xxxxxx.xxXxxxxxxxxxxxverifiedHigh
19XXX.XX.XXX.XXxxxx.xx-xxx-xx-xxx.xxxXxxxxxxxxxxxverifiedHigh
20XXX.XX.XXX.XXXxxx.xx.xxx.xxx.xxxxx.xxxXxxxxxxxxxxxverifiedMedium
21XXX.XX.XXX.Xxxxxx.xxxxxxxxxxx.xxx.xxXxxxxxxxxxxxverifiedHigh
22XXX.XX.XX.XXxxxxxx.xx.xx.xx.xxx.xxxxxxx.xxxx-xxxxxx.xxXxxxxxxxxxxxverifiedHigh
23XXX.XX.XXX.XXxxx.xxx.xxxxx.xxxXxxxxxxxxxxxverifiedHigh
24XXX.XXX.XXX.XXxxxxxx.xxxXxxxxxxxxxxxverifiedHigh
25XXX.XXX.XXX.XXXxxxxxxxxx.xxxxxxxxx.xxxxXxxxxxxxxxxxverifiedHigh
26XXX.XXX.XXX.XXXXxxxxxxxxxxxverifiedHigh
27XXX.XX.XX.XXxxxxxxxx.xxxxxxxxxxxxxxx.xxxXxxxxxxxxxxxverifiedHigh
28XXX.XX.XX.XXxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxx.xxxXxxxxxxxxxxxverifiedHigh
29XXX.XXX.XXX.XXxxx.xxx.xxx.xx.xxxxxxxxx-xxxXxxxxxxxxxxxverifiedHigh
30XXX.XX.XX.XXxxx-xx-xx-xx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxxverifiedHigh
31XXX.XX.XXX.XXXxxx-xx-xxx-xxx-xxxx.xxxxxxxxxxxx.xxxXxxxxxxxxxxxverifiedHigh
32XXX.XX.XX.XXXxxxxxx-xxxxxxx.xxxxx.xxXxxxxxxxxxxxverifiedHigh

TTP - Tactics, Techniques, Procedures (20)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueVulnerabilitiesAccess VectorTypeConfidence
1T1006CWE-21, CWE-22Pathname TraversalpredictiveHigh
2T1040CWE-319Authentication Bypass by Capture-replaypredictiveHigh
3T1055CWE-74InjectionpredictiveHigh
4T1059CWE-94Cross Site ScriptingpredictiveHigh
5TXXXX.XXXCWE-XX, CWE-XXXxxxx Xxxx XxxxxxxxxpredictiveHigh
6TXXXXCWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
7TXXXX.XXXCWE-XXXXxxxxxxx Xxxxxxxxxxx Xx Xxxxxxxxx Xxxxxxxxxxxxxx XxxxxxxxpredictiveHigh
8TXXXXCWE-XX, CWE-XXXxxxxxx XxxxxxxxxpredictiveHigh
9TXXXX.XXXCWE-XXXXxxx XxxxxxxxpredictiveHigh
10TXXXXCWE-XXX7xx Xxxxxxxx XxxxxxxxpredictiveHigh
11TXXXXCWE-XXXXxxxxxxxxx XxxxxxpredictiveHigh
12TXXXXCWE-XXXXxxxxxxx Xx Xxxx Xxxxxxx Xxxxxxxxx XxxxxpredictiveHigh
13TXXXXCWE-XXXxx XxxxxxxxxpredictiveHigh
14TXXXX.XXXCWE-XXXXxxxxxxx XxxxxxxxxxxxxpredictiveHigh
15TXXXXCWE-XXX, CWE-XXX, CWE-XXXXxx.xxx Xxxxxxxxxxxxxxxx: Xxxxxxxx Xx Xxxxxxxxxxxxx XxxxpredictiveHigh
16TXXXXCWE-XXXXxxxxxxxx Xxxxxx XxxxpredictiveHigh
17TXXXX.XXXCWE-XXXXxxxxxxx Xx Xxx Xxxxxxx Xx X Xxxxxxxx XxxxxxxxpredictiveHigh
18TXXXXCWE-XXX, CWE-XXXXxxxxxxxxxxxxpredictiveHigh
19TXXXXCWE-XXXX2xx Xxxxxxxxxxxxxxxx: Xxxx Xxxxxxxxxxxx Xxxxxxx XxxxxxxxxxpredictiveHigh
20TXXXX.XXXCWE-XXXXxxxxxxxxxxx XxxxxxpredictiveHigh

IOA - Indicator of Attack (187)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/+CSCOE+/logon.htmlpredictiveHigh
2File/adminlogin.asppredictiveHigh
3File/category_view.phppredictiveHigh
4File/forum/away.phppredictiveHigh
5File/goform/delAdpredictiveHigh
6File/HNAP1predictiveLow
7File/mc-admin/post.php?state=delete&deletepredictiveHigh
8File/mkshop/Men/profile.phppredictiveHigh
9File/public/login.htmpredictiveHigh
10File/student/bookdetails.phppredictiveHigh
11File/usr/ucb/mailpredictiveHigh
12File/wp-content/plugins/updraftplus/admin.phppredictiveHigh
13Fileadclick.phppredictiveMedium
14Fileaddmember.phppredictiveHigh
15Fileaddtocart.asppredictiveHigh
16Fileaddtomylist.asppredictiveHigh
17Fileadmin.x-shop.phppredictiveHigh
18Fileadmin/auth.phppredictiveHigh
19Fileadmin/import/class-import-settings.phppredictiveHigh
20Fileadmin/sqlpatch.phppredictiveHigh
21Fileadmincp/auth/checklogin.phppredictiveHigh
22Fileadminlogin.asppredictiveHigh
23Fileadmin_feature.phppredictiveHigh
24Filexx.xxxxpredictiveLow
25Filexxxx/xxxxxxxxxxxxxx.xxxpredictiveHigh
26Filexxx_xxx.xxxpredictiveMedium
27Filexxxxxxxxxxx/xxxxx/xxxxxxxxxx/xxxxxxx.xxxpredictiveHigh
28Filexxxxxxxx.xxxpredictiveMedium
29Filexxxx/xxxxxxxxxx/xxxxxx.xxxpredictiveHigh
30Filexxxxxxx.xxpredictiveMedium
31Filex:\xxxxxxx\xxxxxxxx\xxxxxx\xxxpredictiveHigh
32Filexxxxxx_xxxx.xxxpredictiveHigh
33Filexxx.xxxpredictiveLow
34Filexxxxxxxx.xxxpredictiveMedium
35Filexxx-xxx/xxxxxxxxxxx/xxxxxxxxx.xxxpredictiveHigh
36Filexxx-xxx/xxxxxxxxxxxx.xxxpredictiveHigh
37Filexxx-xxx/xxxxxx/xxxxx.xxpredictiveHigh
38Filexxxxxxxxxxx/xxxxx/xxxxxxx.xxxpredictiveHigh
39Filexxxx/xxxx/xxx.xxxxxxx.xxxxxxx/xxxxxx_xxxxx/xxx.xxxpredictiveHigh
40Filexxxx/xxxxxxxxxxxxxxx.xxxpredictiveHigh
41Filexxx.xxxpredictiveLow
42Filexxxxxx.xxxpredictiveMedium
43Filexxxxxxxx.xxxpredictiveMedium
44Filexxxx-xxxxxxx.xxxpredictiveHigh
45Filexxxxx.xxxpredictiveMedium
46Filexxxxxxx/xxxxxxx.xxxpredictiveHigh
47Filexxxx.xpredictiveLow
48Filexxxxx.xxxpredictiveMedium
49Filexxxx.xxxpredictiveMedium
50Filexxxxxxxxx.xxxpredictiveHigh
51Filexxxxxxxx.xxxpredictiveMedium
52Filexxxxxxxxx.xxxpredictiveHigh
53Filexxx/xxxxxx.xxxpredictiveHigh
54Filexxx/xxxxxxx/xxxxxxxxxxxxx/xxxxx.xxxpredictiveHigh
55Filexxxxxxx/xxxxxxx/xxxxxxxx.xxx.xxxpredictiveHigh
56Filexxxxxxx/xxxxxxx/xxxxxxxx_xxxxxxxx.xxx.xxxpredictiveHigh
57Filexxxxxxx/xxxxxx/xxxxxxx/xxxxxx/xxx.xxxpredictiveHigh
58Filexxxxxxxx/xxxx.xxxpredictiveHigh
59Filexxxxx.xxxpredictiveMedium
60Filexxxxxxx.xxx.xxxpredictiveHigh
61Filexx.xxxpredictiveLow
62Filexxxx.xxxpredictiveMedium
63Filexxxxx/xxxxx.xxxpredictiveHigh
64Filexxxx/x/xxxxxx.xpredictiveHigh
65Filexxxxx.xxxpredictiveMedium
66Filexxxxxxx.xxxpredictiveMedium
67Filexx_xxxx.xpredictiveMedium
68Filexxxxxxxxx.xxpredictiveMedium
69FilexxxpredictiveLow
70Filexxx.xpredictiveLow
71Filexxxxx/xxxxxxx.xpredictiveHigh
72Filexxxxx-xxxxx.xpredictiveHigh
73Filexxxxxxx.xxxpredictiveMedium
74Filexxxx.xxxpredictiveMedium
75Filexxxxx.xxxpredictiveMedium
76Filexxxxxxxxxx.xxxpredictiveHigh
77Filexxxxxxxx.xxxpredictiveMedium
78Filexxxxxxxx.xxxpredictiveMedium
79Filexxxxxxxx.xxpredictiveMedium
80Filexxxxxx.xxxpredictiveMedium
81Filexxxxxx.xxxpredictiveMedium
82Filexxxxxx_xxxx.xxxpredictiveHigh
83Filexxxxxx/xxxxxxxx.xxxpredictiveHigh
84Filexxxxxx_xxx_xxxxxx.xxxpredictiveHigh
85Filexxxx.xxxpredictiveMedium
86Filexxxx/xxxx.xxxpredictiveHigh
87Filexxxxxxxxxxx.xxxpredictiveHigh
88Filexxxxxx/predictiveLow
89Filexxxx-xxxxxxxx.xxxpredictiveHigh
90Filexxxx-xxxx_xxxx_xxxxxxx.xxxpredictiveHigh
91Filexxxx.xxxpredictiveMedium
92Filexxxxxxxx-x.xpredictiveMedium
93Filexxxxxx.xxxpredictiveMedium
94Filexxxxxx.xxxpredictiveMedium
95Filexxx.xxxpredictiveLow
96Filexxxxx/xxxxxxxx.xxxpredictiveHigh
97Filexxxx/xxxxxx.xxxxpredictiveHigh
98Filexxxxxxxxx.xpredictiveMedium
99Filexxxx.xxxpredictiveMedium
100Filexxxx/xxxxxxxx.xxxpredictiveHigh
101Filexxxx_xxx.xxxpredictiveMedium
102Filexxxxxxx.xxxpredictiveMedium
103Filexx-xxxxxxxx-xxxx.xxxpredictiveHigh
104Filexx-xxxxxx.xxxpredictiveHigh
105Filexx-xxxxxxxx/xxxxxxxx/xxxxxxx/xxxxxxxxxxxxxxxx.xxxpredictiveHigh
106Filexx-xxxxxxxx.xxxpredictiveHigh
107Filexxx/xxxx/xx/xxxxxxx.xxxpredictiveHigh
108FilexxxxxxxpredictiveLow
109File~/xxx/xxxxxxxxx/xxxx/xxxx/xxxxxx.xxxpredictiveHigh
110File~/xxxxxxxx/xxxxx-xx-xxxxxxxxxx-xxxx.xxxpredictiveHigh
111Libraryxxxxx/xxxxxxxxx/xxxxx.xxxxxxxxx.xxxpredictiveHigh
112Libraryxxxxxxxxxxx.xxxpredictiveHigh
113Libraryxxxxxxxx.xxxpredictiveMedium
114Libraryxxxx.xxxpredictiveMedium
115Libraryxxxxx_xxx.xxxpredictiveHigh
116Libraryxxxxxxx.xxxpredictiveMedium
117ArgumentxxxxxxpredictiveLow
118ArgumentxxxxxxxxpredictiveMedium
119Argumentxxxx_xxxpredictiveMedium
120Argumentxxxxxxxxx xx xxxxxxxpredictiveHigh
121ArgumentxxxpredictiveLow
122Argumentxxxxxxxx/xxxxxxpredictiveHigh
123Argumentxxxxxxxx_xxpredictiveMedium
124ArgumentxxxxxxxxxxpredictiveMedium
125ArgumentxxxxxxxpredictiveLow
126ArgumentxxxxxxpredictiveLow
127ArgumentxxxxxxpredictiveLow
128ArgumentxxxxxxxpredictiveLow
129Argumentxxxxxxx_xxxx_xxxxpredictiveHigh
130Argumentxxxxxx_xxxxx_xxxxpredictiveHigh
131ArgumentxxxxpredictiveLow
132ArgumentxxxpredictiveLow
133ArgumentxxxxxpredictiveLow
134ArgumentxxxxxxxxxxxpredictiveMedium
135Argumentxxxxx_xxxx_xxxxpredictiveHigh
136ArgumentxxxxxpredictiveLow
137Argumentxxxxx_xxxxxxxxxxxpredictiveHigh
138ArgumentxxxxxxpredictiveLow
139Argumentxxxx_xxxxxpredictiveMedium
140Argumentxxxx_xxxxxxxpredictiveMedium
141ArgumentxxpredictiveLow
142ArgumentxxpredictiveLow
143ArgumentxxpredictiveLow
144ArgumentxxxxxxxxxxxxxxxxpredictiveHigh
145Argumentxxxxxxx_xxxxpredictiveMedium
146ArgumentxxxxxxxxxpredictiveMedium
147ArgumentxxxxpredictiveLow
148ArgumentxxxxpredictiveLow
149Argumentxxxx_xxxxpredictiveMedium
150ArgumentxxxxpredictiveLow
151ArgumentxxxxxxxxxxxxxxpredictiveHigh
152ArgumentxxxxxxxxxxxxxpredictiveHigh
153ArgumentxxxxxxxxpredictiveMedium
154ArgumentxxxxpredictiveLow
155Argumentxxxxxxxxx_xxxxxxxx_xxxxpredictiveHigh
156ArgumentxxxxpredictiveLow
157ArgumentxxxxpredictiveLow
158Argumentxx_xxxxxxxxxxxpredictiveHigh
159Argumentxxxx_xxxxpredictiveMedium
160Argumentxxxxx_xxxx_xxxxpredictiveHigh
161ArgumentxxxxxxxpredictiveLow
162Argumentxxxxx_xxxxxxpredictiveMedium
163Argumentxxxxxxxxxxxx_xxxxxxxxxpredictiveHigh
164ArgumentxxxxxxxxxxxpredictiveMedium
165ArgumentxxxxxxxxxxxxpredictiveMedium
166ArgumentxxxxxxxxxxpredictiveMedium
167Argumentxxxx_xxxxpredictiveMedium
168Argumentxxxxxxxxxx_xxxxpredictiveHigh
169ArgumentxxxxxxxxxxpredictiveMedium
170ArgumentxxxpredictiveLow
171ArgumentxxxpredictiveLow
172ArgumentxxxxpredictiveLow
173Argumentxxxx_xx[]predictiveMedium
174ArgumentxxxpredictiveLow
175Argumentxxxx-xxxxxpredictiveMedium
176ArgumentxxxxxxxxpredictiveMedium
177Argumentxxxxxxxx/xxxxxxxxpredictiveHigh
178Argumentxxxx_xxxxxpredictiveMedium
179Argumentxxxx_xxxxxpredictiveMedium
180Argumentxxxxx_xxxpredictiveMedium
181ArgumentxxxxpredictiveLow
182Argument_xxx_xxxxxxx_xxxxx_xxxx_xxx_xxxxxxx_xxxxxxxxxxxxxxxx_xxxxxpredictiveHigh
183Argument__xxxxxxxxxpredictiveMedium
184Input Value'xx''='predictiveLow
185Input Valuexxxxxxxxxxxxxxxxxxxxxxxxxxxx+xxxxx+xxxxxx+x,x,xxxx,xxx,x,x+xxxx+xxx_xxxxx+xxxxx+xx=x--+predictiveHigh
186Input Value<xxxxxx>xxxxx(/xxx/)</xxxxxx>predictiveHigh
187Pattern() {predictiveLow

References (2)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Want to stay up to date on a daily basis?

Enable the mail alert feature now!