Exchange Marauder Analysis

IOB - Indicator of Behavior (312)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

Lang | Count
en | 246
zh | 46
ru | 8
fr | 4
de | 2


Country

Country | Count
us | 174
cn | 86
ru | 20
kr | 6
in | 2


Actors


Activities

Interest

Timeline


Type


Vendor


Product

Product | Count
Microsoft Windows | 10
Apache HTTP Server | 8
Linux Kernel | 6
Nagios XI | 6
Microsoft Exchange Server | 4


Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | 0.02016 | 0.02 | CVE-2007-1192
2 | net2ftp path traversal | 7.3 | 6.4 | $0-$5k | $0-$5k | Unproven | Official Fix | 0.03501 | 0.00 | CVE-2008-5275
3 | Linux Kernel Pipe Dirty Pipe Privilege Escalation | 6.3 | 6.0 | $5k-$25k | $0-$5k | High | Official Fix | 0.07584 | 0.00 | CVE-2022-0847
4 | MWChat Pro Help about.php file inclusion | 7.3 | 7.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00650 | 0.02 | CVE-2006-5904
5 | Phicomm k2 command injection | 6.6 | 6.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00054 | 0.03 | CVE-2023-40796
6 | Metalinks Metacart2 productsbycategory.asp sql injection | 7.3 | 7.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00142 | 0.04 | CVE-2005-1363
7 | Yii Yii2 Gii cross site scripting | 4.4 | 4.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00056 | 0.03 | CVE-2022-34297
8 | Microsoft Windows Clipboard User Service Privilege Escalation | 7.2 | 6.5 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.00043 | 0.00 | CVE-2022-21869
9 | SourceCodester Online Flight Booking Management System POST Parameter review_search.php sql injection | 7.5 | 7.3 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00134 | 0.07 | CVE-2023-0283
10 | Microsoft IIS IP/Domain Restriction access control | 6.5 | 5.7 | $25k-$100k | $0-$5k | Unproven | Official Fix | 0.00817 | 0.20 | CVE-2014-4078
11 | FuelPHP code injection | 7.3 | 7.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.03129 | 0.00 | CVE-2014-1999
12 | phpLDAPadmin LDAP injection ldap injection | 8.5 | 7.7 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.24932 | 0.00 | CVE-2018-12689
13 | FreeBSD setrlimit memory corruption | 6.5 | 5.6 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.00126 | 0.00 | CVE-2017-1085
14 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00943 | 0.77 | CVE-2010-0966
15 | Zoho ManageEngine ServiceDesk Plus API Endpoint User credentials management | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00466 | 0.00 | CVE-2018-7248
16 | WebARX Plugin Stored cross site scripting | 5.2 | 5.2 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00213 | 0.00 | CVE-2019-17213
17 | jforum User input validation | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00289 | 0.04 | CVE-2019-7550
18 | ShowDoc access control | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00125 | 0.00 | CVE-2018-19620
19 | Chevereto CMS Stored cross site scripting | 5.2 | 4.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00089 | 0.00 | CVE-2017-1000058
20 | Bitrix Upload from Local Disk Feature restore.php unrestricted upload | 6.3 | 6.1 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00049 | 0.00 | CVE-2022-29268

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • Exchange Marauder

IOC - Indicator of Compromise (13)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (20)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (123)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | .htaccess | predictive | Medium
2 | File | /cgi-bin/luci/api/auth | predictive | High
3 | File | /filemanager/upload.php | predictive | High
4 | File | /resources//../ | predictive | High
5 | File | /src/Illuminate/Laravel.php | predictive | High
6 | File | /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php | predictive | High
7 | File | /usr/local/WowzaStreamingEngine/bin/ | predictive | High
8 | File | /wp-json/oembed/1.0/embed?url | predictive | High
9 | File | about.php | predictive | Medium
10 | File | admin/modules/tools/ip_history_logs.php | predictive | High
11 | File | adminer.php | predictive | Medium
12 | File | admin_feature.php | predictive | High
13 | File | api_poller.php | predictive | High
14 | File | application/controllers/admin/dataentry.php | predictive | High
15 | File | xxx.xxx | predictive | Low
16 | File | xxxxxx/xxxxxxxx.xxxx | predictive | High
17 | File | xxxxxxx.xx | predictive | Medium
18 | File | xxx-xxx/xxxxxx.xxx | predictive | High
19 | File | xxxxxxxxxx.xxx | predictive | High
20 | File | xxx.xxx?xxx=xxxxx_xxxx | predictive | High
21 | File | xxx.xxx | predictive | Low
22 | File | xxxx/xxxxxxxxxxxxxxx.xxx | predictive | High
23 | File | xxxxxxxx.xxx | predictive | Medium
24 | File | xxxx_xxxxxxx.xxx | predictive | High
25 | File | xxxxxxxxxxxxx.xxx | predictive | High
26 | File | xxx/xxxxxx/xxxxxx.x | predictive | High
27 | File | xxxxxxx.xxx | predictive | Medium
28 | File | xxxxxxxxx/xx/xxxxxxxxxxxx.xxx | predictive | High
29 | File | xx_xxxx.xxx | predictive | Medium
30 | File | xxxxxxxxx.xxx | predictive | High
31 | File | xxx/xxxxxx.xxx | predictive | High
32 | File | xxxxxxxx/xxxx/xxxxx-xxxxx.xxx | predictive | High
33 | File | xxxxx.xxx | predictive | Medium
34 | File | xxxxxxx/xxxxxxxx.xxx | predictive | High
35 | File | xxxxxx/xxx/xxxxxxxx.x | predictive | High
36 | File | xx_xxxxxx.xxx | predictive | High
37 | File | xxxxxxx.xxx | predictive | Medium
38 | File | xxxxxxxxx/xxxx_xxxxxxx.xxx.xxx | predictive | High
39 | File | xxxx/xxxxxxxxxx.xxx | predictive | High
40 | File | xxx.xxx | predictive | Low
41 | File | xxxxxx.xx | predictive | Medium
42 | File | xxxxxxx/xx?xxxxxxxx= | predictive | High
43 | File | xxxxxxxxxxx-xxxx.xx | predictive | High
44 | File | xxx/xxxxxxx/xxx.xxx | predictive | High
45 | File | xxxxxxxxxxxxxxxxxx.xxx | predictive | High
46 | File | xxxxxxx_xxxx.xxx | predictive | High
47 | File | xxxxxxx/xxxxx/xxxxxxxxxxx/xxxxx.xxx | predictive | High
48 | File | xxxxxxxx.xxx | predictive | Medium
49 | File | xxxx.xxx | predictive | Medium
50 | File | xxxxx-xxxxxx | predictive | Medium
51 | File | xxxxxxxx/xxxxx/xxxxxxxx?xxxxxxxx | predictive | High
52 | File | xxxxxxx.xxx | predictive | Medium
53 | File | xxxxxx_xxxxxx.xxx | predictive | High
54 | File | xxxxxx/xxx/xx/xxx.xx | predictive | High
55 | File | xxxxxxxxxx.xxxx | predictive | High
56 | File | xxxxxx_xxx_xxxxxx.xxx | predictive | High
57 | File | xxxxxx_xxxxx.xxx/xxxxx_xxxxxxx_xxxxxxxxxx.xx | predictive | High
58 | File | xxxxxx.x | predictive | Medium
59 | File | xxxxxxx/xxxx/xxxxxxx_xxxxxxxx_xxxx.xxx | predictive | High
60 | File | xxxx/xxxxxxxx/xxxxxxxx.xxxx | predictive | High
61 | File | xx/xx_xxxxxx.xxx | predictive | High
62 | File | xx\xxxxxxx.xxxx | predictive | High
63 | File | xxxx-xxxxxxx-xxxxxx.xxx | predictive | High
64 | File | \xxxxxxx\xxxxxxxxxxxx.xxxx | predictive | High
65 | Library | /xxx/xxx/xxxx.xxx | predictive | High
66 | Library | xxxxxx[xxxxxx_xxxx | predictive | High
67 | Library | xxxx.xxx.xxx | predictive | Medium
68 | Library | xxxxxx.xxx | predictive | Medium
69 | Library | xx-xxxxxxx/xxxxxxx/xx-xxxx-xxxxxxx/xxx/xxxxx/ | predictive | High
70 | Argument | %x | predictive | Low
71 | Argument | xxxxxxx | predictive | Low
72 | Argument | xxx | predictive | Low
73 | Argument | xxxxxx_xxxx | predictive | Medium
74 | Argument | xxxxxxxx | predictive | Medium
75 | Argument | xxxx | predictive | Low
76 | Argument | xxx | predictive | Low
77 | Argument | xxxxx | predictive | Low
78 | Argument | xxxxxxx | predictive | Low
79 | Argument | xxx | predictive | Low
80 | Argument | xxxxxxxx | predictive | Medium
81 | Argument | xxxxxxxxx | predictive | Medium
82 | Argument | xxxxxx[xxxxxx_xxxx] | predictive | High
83 | Argument | xxxxxx_xxxxx_xxxxxxxxxxxxx | predictive | High
84 | Argument | xx | predictive | Low
85 | Argument | xxxxxxxxxxx | predictive | Medium
86 | Argument | xxxx | predictive | Low
87 | Argument | xxxxx | predictive | Low
88 | Argument | xx-xxxx | predictive | Low
89 | Argument | xxxxxxxx | predictive | Medium
90 | Argument | xx | predictive | Low
91 | Argument | xx_xxxx | predictive | Low
92 | Argument | xxxxxxxxx | predictive | Medium
93 | Argument | xxxx/xxx_xxxx | predictive | High
94 | Argument | xxxxxxx | predictive | Low
95 | Argument | xxx | predictive | Low
96 | Argument | xxxxxxx/xxxxxxx/xxxxxx | predictive | High
97 | Argument | xxxx | predictive | Low
98 | Argument | xxxxx_xx | predictive | Medium
99 | Argument | xxxx_xx | predictive | Low
100 | Argument | xxxxxxxxxxxxx | predictive | High
101 | Argument | xxxx_xx | predictive | Low
102 | Argument | xxxxx_xxxxxx | predictive | Medium
103 | Argument | xxxxxx xxxx | predictive | Medium
104 | Argument | xxxxxxx | predictive | Low
105 | Argument | xxxxxxx xxxx | predictive | Medium
106 | Argument | xxxxxx | predictive | Low
107 | Argument | xxxxxx_xx | predictive | Medium
108 | Argument | xxxx | predictive | Low
109 | Argument | xxxx_xxxxxx/xxxxxx/xxxxxx | predictive | High
110 | Argument | xxxxxxxx_xxxxx | predictive | High
111 | Argument | xxx | predictive | Low
112 | Argument | xxxxxxxxxx/xxxxxxxxxxxxxxx | predictive | High
113 | Argument | xxxxxxxxx | predictive | Medium
114 | Argument | xxx | predictive | Low
115 | Argument | xxx | predictive | Low
116 | Argument | xxxxxxxxx | predictive | Medium
117 | Argument | xxxxxx | predictive | Low
118 | Argument | xxxx_xx | predictive | Low
119 | Argument | xxx | predictive | Low
120 | Argument | x-xxxxxxxxx-xxx | predictive | High
121 | Argument | xx_xxxx_xxxxx | predictive | High
122 | Argument | _xxx | predictive | Low
123 | Input Value | xxxx%xxxxx | predictive | Medium

References (2)

The following list contains external sources which discuss the actor and the associated activities:
