Alfonso Stealer Analysis

IOB - Indicator of Behavior (258)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 166
ru: 72
zh: 12
sv: 4
pl: 2

Country

ru: 124
us: 86
cn: 24
gb: 22
cf: 2

Actors

Activities

Interest

Timeline

Type

Vendor

Product

Atlassian Data Center: 6
Microsoft Windows: 6
WordPress: 4
Atlassian JIRA Server: 4
PBSite: 4

Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | 0.02016 | 0.00 | CVE-2007-1192
2 | Bitrix Site Manager Vote Module Remote Code Execution | 7.3 | 7.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00668 | 0.04 | CVE-2022-27228
3 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00943 | 0.74 | CVE-2010-0966
4 | Tiki Admin Password tiki-login.php improper authentication | 8.0 | 7.7 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00936 | 1.97 | CVE-2020-15906
5 | jQuery html cross site scripting | 5.8 | 5.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.01900 | 0.00 | CVE-2020-11023
6 | ILIAS Cloze Test Text gap Persistent cross site scripting | 5.2 | 5.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00193 | 0.06 | CVE-2019-1010237
7 | Harbor improper authentication | 6.9 | 6.8 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.02074 | 0.05 | CVE-2022-46463
8 | Jitsi Meet hard-coded credentials | 8.5 | 7.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00196 | 0.03 | CVE-2020-11878
9 | nginx request smuggling | 6.9 | 6.9 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00241 | 1.82 | CVE-2020-12440
10 | WordPress Pingback server-side request forgery | 5.7 | 5.7 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00120 | 0.00 | CVE-2022-3590
11 | Crestron AM-100/AM-101 HTTP Endpoint file_transfer.cgi command injection | 9.8 | 9.7 | $0-$5k | $0-$5k | High | Workaround | 0.97309 | 0.04 | CVE-2019-3929
12 | Bitrix24 server-side request forgery | 8.5 | 8.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00521 | 0.02 | CVE-2020-13484
13 | Fortinet FortiOS/FortiProxy Administrative Interface authentication bypass | 9.8 | 9.7 | $25k-$100k | $5k-$25k | High | Official Fix | 0.97164 | 0.05 | CVE-2022-40684
14 | Apache Tomcat HTTP Digest Authentication Implementation improper authentication | 8.2 | 7.1 | $5k-$25k | $0-$5k | Unproven | Official Fix | 0.00342 | 0.02 | CVE-2012-5887
15 | PBSite register.php Local Privilege Escalation | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00000 | 0.00 | 
16 | TEM FLEX-1080/FLEX-1085 Log log.cgi information disclosure | 5.3 | 4.7 | $0-$5k | $0-$5k | Proof-of-Concept | Workaround | 0.00150 | 0.09 | CVE-2022-1077
17 | F5 BIG-IP iControl REST Authentication bash missing authentication | 9.8 | 9.6 | $5k-$25k | $0-$5k | High | Official Fix | 0.97479 | 0.05 | CVE-2022-1388
18 | Vmware Workspace ONE Access/Identity Manager Template injection | 9.8 | 9.4 | $5k-$25k | $0-$5k | High | Official Fix | 0.97449 | 0.00 | CVE-2022-22954
19 | Apache Groovy MethodClosure.java MethodClosure injection | 8.5 | 8.5 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.02289 | 0.00 | CVE-2015-3253
20 | LightCMS External Image NEditorController.php Privilege Escalation | 8.0 | 8.0 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00675 | 0.00 | CVE-2021-27112

IOC - Indicator of Compromise (4)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (19)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (129)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /+CSCOE+/logon.html | predictive | High
2 | File | /admin/login.php | predictive | High
3 | File | /api/file_uploader.php | predictive | High
4 | File | /app/Http/Controllers/Admin/NEditorController.php | predictive | High
5 | File | /blog | predictive | Low
6 | File | /Duty/AjaxHandle/UploadFloodPlanFileUpdate.ashx | predictive | High
7 | File | /mgmt/tm/util/bash | predictive | High
8 | File | /mifs/c/i/reg/reg.html | predictive | High
9 | File | /secure/admin/ViewInstrumentation.jspa | predictive | High
10 | File | /secure/ViewCollectors | predictive | High
11 | File | /Session | predictive | Medium
12 | File | /user/settings | predictive | High
13 | File | /usr/bin/pkexec | predictive | High
14 | File | /xAdmin/html/cm_doclist_view_uc.jsp | predictive | High
15 | File | adclick.php | predictive | Medium

References (4)

The following list contains external sources which discuss the actor and the associated activities:
