DarkHotel Analysis

IOB - Indicator of Behavior (50)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 32
ja: 14
de: 4


Country

gb: 28
jp: 14
us: 8


Actors


Activities

Interest

Timeline


Type


Vendor


Product

Linux Kernel: 8
Jelsoft vBulletin: 2
Qualcomm 4 Gen 1 Mobile Platform: 2
Qualcomm 4 Gen 2 Mobile Platform: 2
Qualcomm 7c+ Gen 3 Compute: 2


Vulnerabilities

# | Vulnerability | Base (CVSS) | Temp (CVSS) | 0-day price | Today price | Exploitability | Remediation | EPSS | CTI | CVE
1 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00943 | 0.73 | CVE-2010-0966
2 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | 0.02016 | 0.00 | CVE-2007-1192
3 | Qualcomm 4 Gen 1 Mobile Platform Multi-Mode Call Processor memory corruption | 9.8 | 9.6 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00077 | 0.04 | CVE-2023-22388
4 | libevent evdns.c name_parse out-of-bounds | 8.5 | 8.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00646 | 0.00 | CVE-2016-10195
5 | Fortinet FortiOS FortiManager Protocol Service denial of service | 3.7 | 3.6 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.07626 | 0.03 | CVE-2014-2216
6 | Qualcomm 429 Mobile Platform Audio Effect Processing memory corruption | 7.1 | 7.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00043 | 0.00 | CVE-2023-28570
7 | Qualcomm 4 Gen 1 Mobile Platform IOE Firmware information disclosure | 5.0 | 4.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00043 | 0.00 | CVE-2023-28563
8 | OpenSSL Non-prime Moduli BN_mod_sqrt infinite loop | 6.4 | 6.3 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.01342 | 0.03 | CVE-2022-0778
9 | Microsoft IIS cross site scripting | 5.2 | 4.7 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.00548 | 0.08 | CVE-2017-0055
10 | Linux Kernel audit.c aa_label_parse use after free | 8.5 | 8.5 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00566 | 0.04 | CVE-2019-18814
11 | Linux Kernel AMD KVM Guest nested.c nested_svm_vmrun use after free | 4.6 | 4.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00277 | 0.00 | CVE-2021-29657
12 | cURL RTSP/RTP memory corruption | 8.2 | 8.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00507 | 0.00 | CVE-2018-1000122
13 | Linux Kernel sysctl_net_ipv4.c tcp_ack_update_rtt integer overflow | 8.5 | 8.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00701 | 0.04 | CVE-2019-18805
14 | Linux Kernel Beacon Head nl80211.c validate_beacon_head buffer overflow | 8.5 | 8.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00855 | 0.05 | CVE-2019-16746
15 | Linux Kernel wmi.c ath6kl_wmi_cac_event_rx out-of-bounds | 8.2 | 8.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.01887 | 0.02 | CVE-2019-15926
16 | OpenSSH GSS2 auth-gss2.c Username information disclosure | 5.3 | 5.2 | $5k-$25k | $5k-$25k | Not Defined | Workaround | 0.00257 | 0.04 | CVE-2018-15919
17 | ZyXEL NAS weblogin.cgi os command injection | 8.5 | 8.4 | $0-$5k | $0-$5k | High | Official Fix | 0.96901 | 0.00 | CVE-2020-9054
18 | Acme Mini HTTPd Terminal input validation | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00303 | 0.04 | CVE-2009-4490
19 | Samba call_trans2open EchoWrecker memory corruption | 7.3 | 7.0 | $25k-$100k | $0-$5k | High | Official Fix | 0.97040 | 0.00 | CVE-2003-0201
20 | IBM Lotus Domino Web Server Web Container cross site scripting | 4.3 | 3.9 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.00246 | 0.00 | CVE-2008-2410

IOC - Indicator of Compromise (5)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (7)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (32)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /uncpath/ | predictive | Medium
2 | File | account.asp | predictive | Medium
3 | File | adv_remotelog.asp | predictive | High
4 | File | arch/x86/kvm/svm/nested.c | predictive | High

References (4)

The following list contains external sources which discuss the actor and the associated activities:
