Astro Locker Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (45)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en36
ru10

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

us20
ru16
cn2
ir2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

IcedID3
Astro Locker2
Cobalt Strike2
Bumblebee1
PhotoLoader1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined20
Operating System6
Groupware Software6
SCADA Software2
Router Operating System2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Microsoft8
Not Defined8
Omron4
Linux4
zoujingli2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Microsoft Exchange Server6
Linux Kernel4
Omron NJ2
Omron NX72
Omron NX12

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemEPSSCTICVE
1Microsoft Windows Win32k Local Privilege Escalation7.87.1$25k-$50k$5k-$10kUnprovenOfficial Fix0.000480.03CVE-2023-36743
2zoujingli ThinkAdmin Update.php deserialization8.08.0$2k-$5k$0-$1kNot DefinedNot Defined0.010880.02CVE-2020-23653
3Apache HTTP Server ETag information disclosure5.35.1$10k-$25k$0-$1kNot DefinedOfficial Fix0.001680.09CVE-2003-1418
4Huawei Flybox B660 indexdefault.asp improper authentication7.36.7$10k-$25k$0-$1kProof-of-ConceptWorkaround0.000000.05
5OpenKM Community Edition XMLReader Parser XMLTextExtractor.java xml external entity reference8.28.1$1k-$2k$0-$1kNot DefinedNot Defined0.002010.00CVE-2022-2131
6OpenKM FileUtils.java getFileExtension temp file3.63.5$0-$1k$0-$1kNot DefinedOfficial Fix0.000450.03CVE-2022-3969
7Linux Kernel smb2ops.c smb2_dump_detail out-of-bounds6.26.0$2k-$5k$0-$1kProof-of-ConceptNot Defined0.000420.00CVE-2023-6610
8Microsoft Windows Local Security Authority Subsystem Service information disclosure5.14.7$25k-$50k$5k-$10kUnprovenOfficial Fix0.000480.06CVE-2023-36428
9Linux Kernel io_uring Subsystem toctou7.57.4$5k-$10k$1k-$2kNot DefinedOfficial Fix0.000420.06CVE-2023-1295
10Microsoft Exchange Server Privilege Escalation8.37.6$25k-$50k$5k-$10kUnprovenOfficial Fix0.000800.03CVE-2023-36745
11Microsoft Windows TPM Device Driver Local Privilege Escalation7.87.4$25k-$50k$5k-$10kHighOfficial Fix0.004090.06CVE-2023-29360
12Wazuh Dashboard authorization7.57.4$1k-$2k$0-$1kNot DefinedOfficial Fix0.000600.03CVE-2023-42455
13Microsoft Exchange Server ProxyShell unknown vulnerability9.48.6$25k-$50k$5k-$10kHighOfficial Fix0.757550.00CVE-2021-34523
14Microsoft Exchange Server ProxyShell Remote Code Execution9.58.7$25k-$50k$5k-$10kHighOfficial Fix0.973190.05CVE-2021-34473
15Microsoft Exchange Server Privilege Escalation8.07.3$10k-$25k$5k-$10kUnprovenOfficial Fix0.001110.04CVE-2023-28310
16Linux Kernel use after free7.47.2$5k-$10k$2k-$5kNot DefinedOfficial Fix0.000420.03CVE-2023-0461
17Red Hat DataGrid/Infinispan REST Endpoint improper authentication6.36.3$5k-$10k$5k-$10kNot DefinedNot Defined0.002740.00CVE-2021-31917
18libssh pki_verify_data_signature access control5.55.5$1k-$2k$0-$1kNot DefinedNot Defined0.001390.02CVE-2023-2283
19Microsoft Windows HTTP Protocol Stack Remote Code Execution9.88.9$50k-$100k$10k-$25kUnprovenOfficial Fix0.010930.04CVE-2023-23392
20OpenBSD OpenSSH compat.c double free7.77.6$10k-$25k$5k-$10kNot DefinedOfficial Fix0.010990.04CVE-2023-25136

IOC - Indicator of Compromise (4)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
145.134.21.8Astro Locker05/31/2021verifiedHigh
2XX.XX.XXX.XXXxxx.xxx.xx.xx.xxxxxx.xxxxxxxx.xxxXxxxx Xxxxxx05/31/2021verifiedHigh
3XXX.XX.XXX.XXXxxxx Xxxxxx05/31/2021verifiedHigh
4XXX.XX.XXX.XXXxxxx Xxxxxx05/31/2021verifiedHigh

TTP - Tactics, Techniques, Procedures (9)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueClassVulnerabilitiesAccess VectorTypeConfidence
1T1068CAPEC-19CWE-284Execution with Unnecessary PrivilegespredictiveHigh
2T1078.001CWE-259Use of Hard-coded PasswordpredictiveHigh
3TXXXX.XXXCAPEC-191CWE-XXXXxxx-xxxxx XxxxxxxxxxxpredictiveHigh
4TXXXXCAPEC-108CWE-XXXxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx XxxxxxxxxpredictiveHigh
5TXXXX.XXXCAPEC-178CWE-XXXXxxx XxxxxxxxpredictiveHigh
6TXXXXCAPEC-108CWE-XXXxx XxxxxxxxxpredictiveHigh
7TXXXXCAPEC-CWE-XXXXxxxxxxxxxx XxxxxxxxxxpredictiveHigh
8TXXXXCAPEC-116CWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
9TXXXX.XXXCAPEC-CWE-XXXXxx Xxxxxxxxxx XxxxxpredictiveHigh

IOA - Indicator of Attack (20)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/htmlcode/html/indexdefault.asppredictiveHigh
2Fileajax_admin_apis.phppredictiveHigh
3Fileajax_php_pecl.phppredictiveHigh
4Filexxx/xxxxx/xxxxxxxxxx/xxx/xxxxxx.xxxpredictiveHigh
5Filexxxxx.xxxpredictiveMedium
6Filexxxxxxxx.xxxpredictiveMedium
7Filexxxxxx.xpredictiveMedium
8Filexx/xxx/xxxxxx/xxxxxxx.xpredictiveHigh
9Filexxx/xxxx/xxxx/xxx/xxxxxx/xxxx/xxxxxxxxx.xxxxpredictiveHigh
10Filexxxxxxxxxxxxxxxx.xxxxpredictiveHigh
11ArgumentxxxxxxpredictiveLow
12ArgumentxxxpredictiveLow
13Argumentxxxxxxxx_xxpredictiveMedium
14ArgumentxxxxpredictiveLow
15Argumentxxxxxxx.xxx_xxxxxxxxxxpredictiveHigh
16ArgumentxxxxxxxxxxpredictiveMedium
17ArgumentxxpredictiveLow
18Input Valuexxxx:xxxxxxxxpredictiveHigh
19Input ValuexxxxxxxxpredictiveMedium
20Network Portxxx/xxxxpredictiveMedium

References (2)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Might our Artificial Intelligence support you?

Check our Alexa App!