Dalbit Analysis

IOB - Indicator of Behavior (115)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 64
zh: 50
ja: 2

Country

cn: 88
us: 22

Actors

Activities

Interest

Timeline

Type

Vendor

Product

ONLYOFFICE Document Server: 6
Microsoft Windows: 6
Trend Micro Apex One: 4
Trend Micro OfficeScan XG: 4
Fortinet FortiOS: 4

Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1 | Microsoft IIS cross site scripting | 5.2 | 4.7 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.00548 | 0.04 | CVE-2017-0055
2 | Apache HTTP Server HTTP/2 Request request smuggling | 6.4 | 6.4 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00606 | 0.04 | CVE-2020-9490
3 | Trend Micro Apex One privileges management | 6.5 | 6.5 | $0-$5k | $0-$5k | High | Not Defined | 0.00062 | 0.00 | CVE-2020-24557
4 | Oracle Enterprise Data Quality General unknown vulnerability | 5.3 | 5.1 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00162 | 0.05 | CVE-2020-13956
5 | Bouncy Castle for Java ASN.1 org.bouncycastle.openssl.PEMParser denial of service | 4.5 | 4.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00045 | 0.05 | CVE-2023-33202
6 | Fortinet FortiOS SSL-VPN out-of-bounds write | 9.8 | 9.6 | $25k-$100k | $25k-$100k | High | Official Fix | 0.01842 | 0.03 | CVE-2024-21762
7 | PolicyKit polkitd polkitbackendinteractiveauthority.c authentication_agent_new null pointer dereference | 4.0 | 3.8 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00042 | 0.03 | CVE-2015-3218
8 | Modicon/EcoStruxure Control Expert/Unity Pro/M340/M580 Downstream Component injection | 8.5 | 8.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00233 | 0.04 | CVE-2020-7475
9 | Microsoft ASP.NET Security Feature improper authentication | 7.4 | 7.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00424 | 0.06 | CVE-2018-8171
10 | Clash Configuration File cfw-setting.yaml permission assignment | 8.0 | 8.0 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00389 | 0.04 | CVE-2023-24205
11 | Apache NiFi deserialization | 5.6 | 5.5 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00100 | 0.02 | CVE-2023-34212
12 | Schneider Electric Modicon M580 Access Control access control | 8.5 | 8.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.01360 | 0.00 | CVE-2018-7847
13 | Oracle Retail Sales Audit Sales Audit Maintenance denial of service | 7.5 | 7.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.01419 | 0.04 | CVE-2017-12626
14 | XINJE XD5E-30R-E Modbus denial of service | 6.8 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00049 | 0.00 | CVE-2023-5462
15 | Yongyou UFIDA-NC PrintTemplateFileServlet.java path traversal | 6.7 | 6.5 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00113 | 0.00 | CVE-2023-4748
16 | Schneider Electric EcoStruxure Control Expert Modbus password recovery | 8.5 | 8.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00201 | 0.00 | CVE-2022-37300
17 | Schneider Electric Modicon M580 Modbus unusual condition | 4.8 | 4.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00103 | 0.00 | CVE-2020-7537
18 | Synology DiskStation Manager synorelayd insertion of sensitive information into sent data | 6.8 | 6.5 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00191 | 0.00 | CVE-2021-26566
19 | Intel CPU Gather Data Sampling Downfall information exposure | 4.5 | 4.5 | $5k-$25k | $0-$5k | Not Defined | Not Defined | 0.00150 | 0.00 | CVE-2022-40982
20 | Netty Incomplete Fix CVE-2021-21290 temp file | 4.9 | 4.8 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00044 | 0.02 | CVE-2022-24823


Campaigns (1)

These are the campaigns that can be associated with the actor:

  • South Korea

IOC - Indicator of Compromise (9)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (15)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (38)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /baseOpLog.do | predictive | High
2 | File | /cgi-bin/luci/api/auth | predictive | High
3 | File | /debug/pprof | predictive | Medium
4 | File | /uncpath/ | predictive | Medium
5 | File | /upload | predictive | Low
6 | File | /xx-xxxxx/xxxxx-xxxx.xxx | predictive | High
7 | File | xxxxx.xxx?xxxxxx=xxxxxx_xxxxxxx | predictive | High
8 | File | xxxxx.xxx?x=xxxxx&x=xxxx&x=xxxx | predictive | High
9 | File | xxxx_xx.xx | predictive | Medium
10 | File | xxx-xxxxxxx.xxxx | predictive | High
11 | File | xxxxxxx.xxx | predictive | Medium
12 | File | xxxxxxxxxxxxxx-xxxxxxxxxxxxx/xxx/xxxx/xxxx/xxx/xxxxxxxxxxxx/xxxxxxxxx/xxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High
13 | File | xxxxx.xxx | predictive | Medium
14 | File | xxxx.x | predictive | Low
15 | File | xxxxxx.xx.x.x | predictive | High
16 | File | xxxxxxxxx/xxxxxxx/xxxxxx/xxxxxxxxxx.xxx | predictive | High
17 | File | xxx_xxxxxx.x | predictive | Medium
18 | File | xxx/xxxx/xxx_xxxxx.x | predictive | High
19 | File | xxxxxxxxxxx_xxxxxxxxxxxx.xx | predictive | High
20 | File | xxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.x | predictive | High
21 | File | xxxxxxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High
22 | File | xxxxxxxxxx_xxxxxxx.xxx | predictive | High
23 | File | xxxxx-xxxxxx | predictive | Medium
24 | File | xxxxxx.xxx | predictive | Medium
25 | Library | xxxxxxxxxx.xxx | predictive | High
26 | Library | xxxxxx.xx.x | predictive | Medium
27 | Argument | $_xxxxxx[xxxx_xxxx] | predictive | High
28 | Argument | xxxxxxxxx | predictive | Medium
29 | Argument | xxxxxxxxxxxxx | predictive | High
30 | Argument | xxxxx | predictive | Low
31 | Argument | xxxxxx | predictive | Low
32 | Argument | xxxxxxxx | predictive | Medium
33 | Argument | xx | predictive | Low
34 | Argument | xxxxxxxxxxx/xxxxxxxxx | predictive | High
35 | Argument | xxxxxx.xxxx | predictive | Medium
36 | Argument | xxxxxxxx | predictive | Medium
37 | Argument | xxxxxx | predictive | Low
38 | Argument | xxxxx_xx | predictive | Medium

References (2)

The following list contains external sources which discuss the actor and the associated activities: