Feodo Analysis

IOB - Indicator of Behavior (238)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 208
de: 18
fr: 6
es: 2
ar: 2


Country

us: 148
cn: 58
fr: 10
ru: 8
ir: 6


Actors


Activities

Interest

Timeline


Type


Vendor


Product

nginx: 6
Microsoft Windows: 6
Linux Kernel: 6
Microsoft Edge: 6
Microsoft ChakraCore: 6


Vulnerabilities

#  | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1  | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | 0.02016 | 0.00 | CVE-2007-1192
2  | OpenSSH Authentication Username information disclosure | 5.3 | 4.8 | $5k-$25k | $0-$5k | High | Official Fix | 0.10737 | 0.39 | CVE-2016-6210
3  | Oracle MySQL Server InnoDB access control | 5.5 | 5.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00098 | 0.00 | CVE-2018-3185
4  | ISC BIND named resolver.c input validation | 8.6 | 8.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.62316 | 0.03 | CVE-2016-1286
5  | XiongMai IP Camera/DVR NetSurveillance Web Interface memory corruption | 8.5 | 8.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00372 | 0.04 | CVE-2017-16725
6  | ONLYOFFICE Document Server WebSocket API sql injection | 8.5 | 8.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00174 | 0.00 | CVE-2020-11537
7  | nginx ngx_http_mp4_module information disclosure | 5.9 | 5.8 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00198 | 0.05 | CVE-2018-16845
8  | GitLab cross site scripting | 4.4 | 4.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00067 | 0.00 | CVE-2020-13345
9  | Nextcloud Server Access Control download access control | 5.4 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00094 | 0.00 | CVE-2020-8139
10 | Microsoft IIS IP/Domain Restriction access control | 6.5 | 5.7 | $25k-$100k | $0-$5k | Unproven | Official Fix | 0.00817 | 0.35 | CVE-2014-4078
11 | Microsoft IIS cross site scripting | 5.2 | 4.7 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.00548 | 0.04 | CVE-2017-0055
12 | Web2py information disclosure | 6.4 | 6.2 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00626 | 0.01 | CVE-2016-4806
13 | TP-LINK TL-WR1043N Authentication tmp cross-site request forgery | 5.5 | 5.2 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00262 | 0.00 | CVE-2013-2645
14 | DD-WRT Web Interface cross-site request forgery | 7.5 | 6.9 | $0-$5k | $0-$5k | Unproven | Not Defined | 0.00312 | 0.04 | CVE-2012-6297
15 | Dasan GPON Home Router diag_Form command injection | 8.5 | 8.4 | $0-$5k | $0-$5k | High | Workaround | 0.97423 | 0.00 | CVE-2018-10562
16 | MikroTik RouterOS confused deputy | 7.4 | 7.2 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.05923 | 0.00 | CVE-2019-3924
17 | pkexec escape output | 6.5 | 6.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00042 | 0.04 | CVE-2016-2568
18 | hcbserver URL path traversal | 7.0 | 7.0 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00435 | 0.00 | CVE-2017-16171
19 | BlueMind Contact Application data processing | 7.5 | 7.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00172 | 0.02 | CVE-2019-9563
20 | PHP extractTo path traversal | 7.1 | 6.4 | $5k-$25k | $0-$5k | Unproven | Official Fix | 0.01337 | 0.04 | CVE-2014-9767

IOC - Indicator of Compromise (4)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence
1  | 76.164.161.46 |  | Feodo |  | 04/08/2024 | verified | High
2  | XX.XX.XXX.XXX | xx-xxxxxxx-xxx.xxxxx | Xxxxx |  | 04/08/2024 | verified | High
3  | XXX.XX.XX.XX |  | Xxxxx |  | 04/08/2024 | verified | High
4  | XXX.XX.XX.XX |  | Xxxxx |  | 04/08/2024 | verified | High

TTP - Tactics, Techniques, Procedures (17)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (89)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1  | File | /.env | predictive | Low
2  | File | /category.php | predictive | High
3  | File | /cgi-bin/delete_CA | predictive | High
4  | File | /Config/SaveUploadedHotspotLogoFile | predictive | High
5  | File | /download | predictive | Medium
6  | File | /get_getnetworkconf.cgi | predictive | High
7  | File | /GponForm/device_Form?script/ | predictive | High
8  | File | /includes/rrdtool.inc.php | predictive | High
9  | File | /Main_AdmStatus_Content.asp | predictive | High
10 | File | /NAGErrors | predictive | Medium
11 | File | /xxxx/xxxxxxxxxxx | predictive | High
12 | File | /xxx | predictive | Low
13 | File | /xxx/xxxxx/x | predictive | Medium
14 | File | /xxxxxxx/ | predictive | Medium
15 | File | /xxxxxx/xxxxxx.xxx | predictive | High
16 | File | /xxx/xxx/xxxxx | predictive | High
17 | File | /xx/xxxxx.xxx | predictive | High
18 | File | xxxxx/xxxxxxx.xxx | predictive | High
19 | File | xxxxx/xxxx.xxxxxxx.xxx | predictive | High
20 | File | xxxxx/xxxx.xxxx.xxx | predictive | High
21 | File | xxxxx\xxxxxxxxxx\xxxxxxxxxx.xxx | predictive | High
22 | File | xxxxxxx/xxxxxxx/xxxxxxx.xxxx?xxxx | predictive | High
23 | File | xxx_xxxxxxxx.xxx | predictive | High
24 | File | xxxxxx.xxx | predictive | Medium
25 | File | xxxxxxxxxxx.x | predictive | High
26 | File | xxxx/xxxxxxxxxxxxxxx.xxx | predictive | High
27 | File | xx.x/xxxxxxxx.x | predictive | High
28 | File | xxxxxxxxxxxxxxxx.xxx | predictive | High
29 | File | xxxxx.xxx | predictive | Medium
30 | File | xxxxxxx.xxxx | predictive | Medium
31 | File | xxxxxxxx/xxxx_xxxx | predictive | High
32 | File | xxxx_xxxx.x | predictive | Medium
33 | File | xxxxxxxxx/xxxxxx.xxx.xxx | predictive | High
34 | File | xxxxxxxx.xxx | predictive | Medium
35 | File | xxxxxxx.xxx | predictive | Medium
36 | File | xxx_xxxxxxxxx.x | predictive | High
37 | File | xxxxxxx/xxxxxxxxxxxxxxxx/xxxxxxxxx/xxxxxxxx.xxxx | predictive | High
38 | File | xxxxxxxx.xx | predictive | Medium
39 | File | xxxxx.x | predictive | Low
40 | File | xxxxxxx.xx | predictive | Medium
41 | File | xxxxxxxx.xxx | predictive | Medium
42 | File | xxxxxx_xxxxxxx.xxx | predictive | High
43 | File | xxxxxxxxxxxxxxxxxxxxxxxxxx.xx/xxxxxxxxxx.xx/xxxxxxxxxxx.xx | predictive | High
44 | File | xxxxxxxxxxx.x | predictive | High
45 | File | xxx/xx_xxx.x | predictive | Medium
46 | File | xx.xxx | predictive | Low
47 | File | xxxxxxx.xxx | predictive | Medium
48 | File | xxxxxxx.xxx | predictive | Medium
49 | File | xxx_xxxxx.xxx?xxxx=xxxxxxxx | predictive | High
50 | File | xxxxxxx.xxx | predictive | Medium
51 | File | xx-xxxxxxxx/xxxx-xxx/xxxxxxxxx/xxxxx-xx-xxxx-xxxxx-xxxxxxxxxx.xxx | predictive | High
52 | File | xx-xxxxx.xxx | predictive | Medium
53 | Library | /_xxx_xxx/xxxxx.xxx | predictive | High
54 | Library | xxxxxxxxx | predictive | Medium
55 | Argument | --xxxxxx/--xxxxxxxx | predictive | High
56 | Argument | xxxxxxxxxx xxx xxxxxxx | predictive | High
57 | Argument | xxx | predictive | Low
58 | Argument | xxxxxxxx | predictive | Medium
59 | Argument | xxxx_xxxxxx=xxxx | predictive | High
60 | Argument | xxxxx | predictive | Low
61 | Argument | xxxxxxxx | predictive | Medium
62 | Argument | xx | predictive | Low
63 | Argument | xxxx | predictive | Low
64 | Argument | xxxx_xxxxxxx | predictive | Medium
65 | Argument | xx | predictive | Low
66 | Argument | xxxxxxxxxx | predictive | Medium
67 | Argument | xxxx | predictive | Low
68 | Argument | xxxxx | predictive | Low
69 | Argument | xxxxxxxx | predictive | Medium
70 | Argument | xxxxxxx/xxxx | predictive | Medium
71 | Argument | xxxxxxxx | predictive | Medium
72 | Argument | xxxxxxxx | predictive | Medium
73 | Argument | xxxx | predictive | Low
74 | Argument | xxxxxxx | predictive | Low
75 | Argument | xxxxxxxxxxx | predictive | Medium
76 | Argument | xxxxxx_xxxx | predictive | Medium
77 | Argument | xxx | predictive | Low
78 | Argument | xxx | predictive | Low
79 | Argument | x_xx | predictive | Low
80 | Argument | xxxx | predictive | Low
81 | Argument | xxxxxxxx/xxxxxxxx | predictive | High
82 | Argument | x-xxxxxxxxx-xxx | predictive | High
83 | Input Value | %xxxxxx+-x+x+xx.x.xx.xxx%xx%xx | predictive | High
84 | Input Value | -x+xxxxx+xxxxxx+x,x,xxxxxxx() | predictive | High
85 | Input Value | ../ | predictive | Low
86 | Input Value | /.. | predictive | Low
87 | Pattern | |xx|xx|xx| | predictive | Medium
88 | Network Port | xxx/xxxx | predictive | Medium
89 | Network Port | xxx/xxxx (xx-xxx) | predictive | High

References (2)

The following list contains external sources which discuss the actor and the associated activities:
