Corebot Analysis

IOB - Indicator of Behavior (36)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 36

Country

us: 12
gb: 12
tr: 4
cn: 4

Actors

Activities

Interest

Timeline

Type

Vendor

Product

PHP: 2
Exim: 2
Paessler PRTG Network Monitor: 2
opendreambox: 2
star7th showdoc: 2

Vulnerabilities

#  | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
---|---------------|------|------|------|-------|-----|-----|------|-----|----
1  | Apache HTTP Server HTTP Digest Authentication Challenge improper authentication | 8.5 | 8.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.01815 | 0.08 | CVE-2018-1312
2  | Telmat AccessLog Administration Panel code injection | 9.8 | 9.8 | $25k-$100k | $25k-$100k | Not Defined | Not Defined | 0.01626 | 0.00 | CVE-2020-16148
3  | Apache HTTP Server mod_session input validation | 5.8 | 5.7 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00176 | 0.00 | CVE-2018-1283
4  | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | 0.02016 | 0.00 | CVE-2007-1192
5  | Huawei HG532e/HG532n/HG532s path traversal | 6.5 | 5.7 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.11676 | 0.02 | CVE-2015-7254
6  | ONLYOFFICE Community Server UploadProgress.ashx unrestricted upload | 8.0 | 7.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00633 | 0.04 | CVE-2023-34939
7  | star7th showdoc unrestricted upload | 6.9 | 6.8 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00098 | 0.00 | CVE-2022-1034
8  | Citrix ADC/Gateway resource control | 9.8 | 9.6 | $5k-$25k | $0-$5k | High | Official Fix | 0.24208 | 0.04 | CVE-2022-27518
9  | Internet Key Exchange cryptographic issues | 5.7 | 5.7 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00207 | 0.02 | CVE-2018-5389
10 | PHP phpinfo cross site scripting | 4.3 | 3.9 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.01960 | 0.05 | CVE-2007-1287
11 | Macromedia ColdFusion Fusebox Error Page index.cfm cross site scripting | 4.3 | 4.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00268 | 0.03 | CVE-2005-2480
12 | Exim File Creation Privilege Escalation | 5.5 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00044 | 0.00 | CVE-2020-28014
13 | Exim unknown vulnerability | 5.4 | 5.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00042 | 0.00 | CVE-2021-27216
14 | Asus RT-AC5300 Main_Analysis_Content.asp os command injection | 8.5 | 8.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00940 | 0.03 | CVE-2018-9285
15 | IBM Lotus Notes nlnotes.dll code injection | 10.0 | 9.5 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.07723 | 0.00 | CVE-2007-6706
16 | PRTG Network Monitor Map Property cross site scripting | 4.4 | 4.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00678 | 0.00 | CVE-2020-14073
17 | Paessler PRTG Network Monitor Screenshot input validation | 8.5 | 8.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.01122 | 0.04 | CVE-2020-10374
18 | Cellopoint Cellos URL path traversal | 6.4 | 6.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00244 | 0.00 | CVE-2020-17385
19 | SDcms themecontroller.php check_bad code injection | 7.5 | 7.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00261 | 0.02 | CVE-2018-19520
20 | Linux Kernel ie.c mwifiex_uap_parse_tail_ies memory corruption | 7.7 | 7.7 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.01708 | 0.02 | CVE-2019-10126

IOC - Indicator of Compromise (12)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (9)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (18)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
---|-------|-----------|------|-----------
1  | File | admin/ | predictive | Low
2  | File | app/admin/controller/themecontroller.php | predictive | High
3  | File | data/gbconfiguration.dat | predictive | High
4  | File | xxxxxxx/xxx/xxxxxxxx/xxxxxxx/xxxxxxx/xx.x | predictive | High
5  | File | xxxxxxx-xxxxxxx/xxxx/xxxxxx/xxxxxxxx/xxx/xxxxxxxxx/xxxxxx.xx | predictive | High
6  | File | xxxx/ | predictive | Low
7  | File | xxxxx.xxx | predictive | Medium
8  | File | xxxx_xxxxxxxx_xxxxxxx.xxx | predictive | High
9  | File | xxxxxxxxxxxxxx.xxxx | predictive | High
10 | Library | xxxxxxx.xxx | predictive | Medium
11 | Argument | xxxxxxx | predictive | Low
12 | Argument | xxxxxxxxxx | predictive | Medium
13 | Argument | xxxx_xxxxxxx | predictive | Medium
14 | Argument | xx_xxxxx | predictive | Medium
15 | Argument | xxxxxxxx | predictive | Medium
16 | Argument | xxxxxxxxx | predictive | Medium
17 | Input Value | .. | predictive | Low
18 | Pattern | xxxx_xxxxxx_xxxxxxxxx.xxx_xxxxxx_xxxxx_xxxxxxxx | predictive | High

References (2)

The following list contains external sources which discuss the actor and the associated activities: