Gootloader Analysis

IOB - Indicator of Behavior (143)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 142
fr: 2

Country

Actors

Activities

Interest

Timeline

Type

Vendor

Product

Microsoft Windows: 8
Apple macOS: 6
Microsoft Office: 4
Cisco Catalyst 2960-L: 2
Cisco Catalyst CDB-8P: 2

Vulnerabilities

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE |
|---|---------------|------|------|------|-------|-----|-----|------|-----|-----|
| 1 | SourceCodester Pisay Online E-Learning System controller.php unrestricted upload | 6.3 | 5.7 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00045 | 0.89 | CVE-2024-4349 |
| 2 | AXIS 2110 Network Camera getparam.cgi denial of service | 9.8 | 9.3 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.03461 | 0.00 | CVE-2004-2427 |
| 3 | Red Hat OpenShift cluster-image-registry-operator information disclosure | 3.5 | 3.5 | $5k-$25k | $0-$5k | Not Defined | Not Defined | 0.00043 | 0.09 | CVE-2024-4369 |
| 4 | onnx ONNX_ASSERTM out-of-bounds | 4.9 | 4.8 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00045 | 0.00 | CVE-2024-27319 |
| 5 | Google Android Codec2BufferUtils.cpp ConvertRGBToPlanarYUV out-of-bounds write | 5.3 | 5.1 | $5k-$25k | $5k-$25k | Not Defined | Official Fix | 0.00043 | 0.05 | CVE-2024-0023 |
| 6 | 7-card Fakabao alipay_notify.php sql injection | 5.5 | 5.0 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00064 | 0.06 | CVE-2023-7183 |
| 7 | Scott Paterson Easy PayPal Shopping Cart Plugin cross site scripting | 5.1 | 5.1 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00045 | 0.00 | CVE-2023-47239 |
| 8 | AWeber Free Sign Up Form and Landing Page Builder for Lead Generation and Email Newsletter Growth Plugin cross-site request forgery | 5.8 | 5.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00058 | 0.00 | CVE-2023-47757 |
| 9 | Guillemant David WP Full Auto Tags Manager Plugin cross-site request forgery | 6.5 | 6.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00058 | 0.00 | CVE-2023-34024 |
| 10 | WPML Multilingual CMS Premium Plugin cross-site request forgery | 6.2 | 6.1 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00073 | 0.04 | CVE-2022-45071 |
| 11 | Os Commerce cross site scripting | 6.5 | 6.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00049 | 0.00 | CVE-2023-43718 |
| 12 | Dolibarr cross site scripting | 5.0 | 5.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00046 | 0.04 | CVE-2023-5323 |
| 13 | WordPress Password Reset wp-login.php mail password recovery | 6.1 | 5.8 | $5k-$25k | $0-$5k | Proof-of-Concept | Not Defined | 0.02827 | 0.07 | CVE-2017-8295 |
| 14 | NextGen GalleryView Plugin cross site scripting | 5.6 | 5.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00046 | 0.00 | CVE-2023-35098 |
| 15 | HPE iLO 5 Local Privilege Escalation | 7.3 | 7.1 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00042 | 0.04 | CVE-2022-28634 |
| 16 | HPE iLO 5 Remote Code Execution | 8.1 | 7.9 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00058 | 0.05 | CVE-2022-28633 |
| 17 | BTCPay Server POS Add Products cross site scripting | 3.5 | 3.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00054 | 0.02 | CVE-2021-29250 |
| 18 | Stripe API v1 Access Restriction tokens improper authentication | 7.4 | 7.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00260 | 0.02 | CVE-2018-19249 |
| 19 | ffjpeg JPEG Image jfif.c jfif_decode heap-based overflow | 4.3 | 4.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00073 | 0.00 | CVE-2020-23852 |
| 20 | ffjpeg jfif.c memory leak | 5.4 | 5.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00072 | 0.00 | CVE-2022-35433 |

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Cobalt Strike

IOC - Indicator of Compromise (8)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (19)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (63)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|----|-------|-----------|------|------------|
| 1 | File | /etc/postfix/sender_login | predictive | High |
| 2 | File | /forms/web_importTFTP | predictive | High |
| 3 | File | /goform/openSchedWifi | predictive | High |
| 4 | File | /lesson/controller.php | predictive | High |
| 5 | File | /src/jfif.c | predictive | Medium |
| 6 | File | /usr/local/www/pkg.php | predictive | High |
| 7 | File | /v1/tokens | predictive | Medium |
| 8 | File | xxxxx.xxx | predictive | Medium |
| 9 | File | xxxxx/xxxxxxxx.xxx | predictive | High |
| 10 | File | xxxxx/xxxxx.xxx | predictive | High |
| 11 | File | xxxx | predictive | Low |
| 12 | File | xxx/xxxxxx/xxxxxxxxxxxxx/xxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xxx | predictive | High |
| 13 | File | xxxx/xxxxxx.x | predictive | High |
| 14 | File | xxxxxxxxxxxxxxxxx.xxx | predictive | High |
| 15 | File | xxxxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High |
| 16 | File | xxxxxxxxx.xxx | predictive | High |
| 17 | File | xxxxxxx/xxx/xxxxxxxxxx/xxxxx.x | predictive | High |
| 18 | File | xxxxxxx/xxx/xxxx/xxxxxx.x | predictive | High |
| 19 | File | xxxxxxx.xxx | predictive | Medium |
| 20 | File | xxxxxx/xxx/xxxx.x | predictive | High |
| 21 | File | xxx/xxxx_xxxx.x | predictive | High |
| 22 | File | xxx/xxxxxxxxxx.x | predictive | High |
| 23 | File | xxxx/xxxxxx.x | predictive | High |
| 24 | File | xxxxx.xxx | predictive | Medium |
| 25 | File | xxxxxxx | predictive | Low |
| 26 | File | xxxxxxxx.xxx | predictive | Medium |
| 27 | File | xxxxxxxxxxxx.xxx | predictive | High |
| 28 | File | xxxxx/xxxxxxxx.xxx.xxx | predictive | High |
| 29 | File | xxxxxxxxxx.x | predictive | Medium |
| 30 | File | xxxxxx/xxxxx/xxxxxxx/xxxxxxxxxx.xxx | predictive | High |
| 31 | File | xxxxxxx.xxxx | predictive | Medium |
| 32 | File | xxxxxxx.xx | predictive | Medium |
| 33 | File | xxxx/xxxxxx_xxxxxx.xxx | predictive | High |
| 34 | File | xxxxxxxxxxxx.xxx | predictive | High |
| 35 | File | xxxxx/xxxxx.xxx?xxxxxxxxxxx_xx=xxxx | predictive | High |
| 36 | File | xx-xxxxx.xxx | predictive | Medium |
| 37 | Library | /xxx/xxx_xx-xxxxx-xxx/xxxx.xx.x | predictive | High |
| 38 | Argument | $_xxxxxxx['xxx_xxxxxx'] | predictive | High |
| 39 | Argument | xxxxxx | predictive | Low |
| 40 | Argument | xxx | predictive | Low |
| 41 | Argument | xxxxxxxxxx | predictive | Medium |
| 42 | Argument | xxxx | predictive | Low |
| 43 | Argument | xxxxxxxx | predictive | Medium |
| 44 | Argument | xxxxxxxx | predictive | Medium |
| 45 | Argument | xxxx | predictive | Low |
| 46 | Argument | xx | predictive | Low |
| 47 | Argument | xxx[xxxx_xx] | predictive | Medium |
| 48 | Argument | xxxxxx | predictive | Low |
| 49 | Argument | xxxxxxx_xxxxxx_xxxxx[x] | predictive | High |
| 50 | Argument | xxxxxx | predictive | Low |
| 51 | Argument | xxxxx_xxxxx[xxxxxxxxx_xxxx_xxx]/xxxxx_xxxxx[xxxxxxxxx_xxxxxx_xxx]/xxxxx_xxxxx[xxxxxxxxx_xxxx]/xxxxx_xxxxx[xxxx_xxxxxx] | predictive | High |
| 52 | Argument | xxx_xxxxx_xx | predictive | Medium |
| 53 | Argument | xxxxxx | predictive | Low |
| 54 | Argument | xxxxxxxxxxxxxx/xxxxxxxxxxxx | predictive | High |
| 55 | Argument | xxxxxxxx | predictive | Medium |
| 56 | Argument | xxxxxxx | predictive | Low |
| 57 | Argument | xxxxx | predictive | Low |
| 58 | Input Value | /../ | predictive | Low |
| 59 | Input Value | xxxxxxxxxx | predictive | Medium |
| 60 | Input Value | x+xxxx (xxxxx xxxxxx xxxxxxx) xxx x+xxxx (xxxxx-xx-xxxx xxxxxxx) | predictive | High |
| 61 | Input Value | \xxx../../../../xxx/xxxxxx | predictive | High |
| 62 | Input Value | \xxx\xxx | predictive | Medium |
| 63 | Network Port | xxx/xxxx | predictive | Medium |

References (5)

The following list contains external sources which discuss the actor and the associated activities: