CrimsonRAT Analysis

IOB - Indicator of Behavior (35)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 30
fr: 2
de: 2
it: 2


Country

us: 30


Actors


Activities

Interest

Timeline


Type


Vendor


Product

Edgewall Software Trac: 2
Google Android: 2
Shenzhen Tenda: 2
Wheatblog: 2
Myupb UPB: 2


Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
--|---------------|------|------|------|-------|-----|-----|------|-----|----
1 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | 0.02016 | 0.00 | CVE-2007-1192
2 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00943 | 0.49 | CVE-2010-0966
3 | Apple Mac OS X Server Wiki Server cross site scripting | 4.3 | 4.3 | $5k-$25k | $0-$5k | Not Defined | Not Defined | 0.00263 | 0.05 | CVE-2009-2814
4 | Myupb UPB cross site scripting | 4.3 | 4.3 | $0-$5k | $0-$5k | High | Unavailable | 0.00297 | 0.00 | CVE-2008-6727
5 | Pligg cloud.php sql injection | 6.3 | 6.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00000 | 0.52 | 
6 | Coppermine Photo Gallery init.inc.php file inclusion | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.08307 | 0.05 | CVE-2004-1988
7 | Promosi-web ardguest ardguest.php cross site scripting | 4.3 | 4.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00134 | 0.00 | CVE-2009-3668
8 | Edgewall Software Trac quickjump input validation | 6.5 | 5.9 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00251 | 0.04 | CVE-2008-2951
9 | Ipswitch MOVEit DMZ Send Attachment Feature information disclosure | 6.5 | 6.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00121 | 0.02 | CVE-2015-7675
10 | Joomla CMS com_easyblog sql injection | 6.3 | 6.1 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00000 | 0.21 | 
11 | PHPGurukul Employee Record Management System POST Parameter forgetpassword.php sql injection | 8.0 | 7.7 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00798 | 0.00 | CVE-2021-43451
12 | PHP Link Directory Administration Page index.html cross site scripting | 4.3 | 4.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00374 | 0.10 | CVE-2007-0529
13 | DT Register Extension sql injection | 8.5 | 7.7 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00282 | 0.00 | CVE-2018-6584
14 | Genetechsolutions Pie-Register wp-login.php cross site scripting | 4.3 | 4.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00904 | 0.00 | CVE-2013-4954
15 | Akamai Technologies Download Manager ActiveX Control downloadmanagerv2.ocx getprivateprofilesectionw stack-based overflow | 10.0 | 9.0 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.34905 | 0.00 | CVE-2007-1891
16 | Symantec Security Check Virus Detection Profiles rufsi.dll GetPrivateProfileString memory corruption | 5.3 | 5.0 | $5k-$25k | $0-$5k | Proof-of-Concept | Not Defined | 0.01536 | 0.00 | CVE-2004-1910
17 | Google Android Permission Check DevicePolicyManagerService.java GetPermittedAccessibilityServicesForUser access control | 6.5 | 6.3 | $25k-$100k | $0-$5k | Not Defined | Official Fix | 0.00042 | 0.00 | CVE-2019-2091
18 | Wheatblog add_comment.php cross site scripting | 4.3 | 4.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00154 | 0.00 | CVE-2006-7002
19 | Oracle Transportation Management Install unrestricted upload | 8.1 | 8.0 | $5k-$25k | $0-$5k | High | Official Fix | 0.97501 | 0.05 | CVE-2017-12617
20 | Shenzhen Tenda usbeject system command injection | 7.5 | 7.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00100 | 0.03 | CVE-2017-16923


IOC - Indicator of Compromise (2)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence
---|------------|----------|-------|-----------|------------|------|-----------
1 | 192.3.99.68 | 192-3-99-68-host.colocrossing.com | CrimsonRAT | | 03/23/2023 | verified | High
2 | XXX.XX.XXX.XXX | xxxxxxxxx.xxxxxxx.xxx | Xxxxxxxxxx | | 03/23/2023 | verified | High

TTP - Tactics, Techniques, Procedures (7)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (22)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
---|-------|-----------|------|-----------
1 | File | /forgetpassword.php | predictive | High
2 | File | add_comment.php | predictive | High
3 | File | ardguest.php | predictive | Medium
4 | File | xxx-xxx/xxxx/xxxxxxxx | predictive | High
5 | File | xxxxx.xxx | predictive | Medium
6 | File | xxxx/xxxxxxxxxxxxxxx.xxx | predictive | High
7 | File | xxxxxxxxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High
8 | File | xxxxxxxxxxxxxxxxx.xxx | predictive | High
9 | File | xxx/xxxxxx.xxx | predictive | High
10 | File | xxxxx.xxxx | predictive | Medium
11 | File | xxxx.xxx.xxx | predictive | Medium
12 | File | xx-xxxxx.xxx | predictive | Medium
13 | Library | xxxxx.xxx | predictive | Medium
14 | Argument | xxxxxxxx | predictive | Medium
15 | Argument | xxxxxxxxxx | predictive | Medium
16 | Argument | xxx_x_xxx | predictive | Medium
17 | Argument | xxxxx | predictive | Low
18 | Argument | xx | predictive | Low
19 | Argument | xxxxx | predictive | Low
20 | Argument | xxxx | predictive | Low
21 | Argument | xxxxx | predictive | Low
22 | Argument | xxxxxxxxxxxxx/xxxxx | predictive | High
