RATLoader Analysis

IOB - Indicator of Behavior (154)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 116
fr: 30
de: 2
es: 2
pl: 2


Country

us: 136
ch: 4
fr: 4


Actors


Activities

Interest

Timeline


Type


Vendor


Product

Ilohamail: 4
Microsoft Windows: 4
baigo CMS: 4
WebsiteBaker: 2
USP Secure Entry Server: 2


Vulnerabilities

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Gempar Script Toko Online shop_display_products.php sql injection | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00100 | 0.02 | CVE-2009-0296 |
| 2 | FiberHome HG2201T telnet.cgi input validation | 8.0 | 8.0 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00609 | 0.00 | CVE-2019-17186 |
| 3 | Google Chrome Utility Process race condition | 9.8 | 9.4 | $25k-$100k | $0-$5k | Not Defined | Official Fix | 0.00801 | 0.07 | CVE-2011-3961 |
| 4 | DataLynx suGuard privileges management | 5.9 | 5.6 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00042 | 0.00 | CVE-1999-0388 |
| 5 | Ecommerce Online Store Kit shop.php sql injection | 9.8 | 9.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.03763 | 0.08 | CVE-2004-0300 |
| 6 | Dcscripts Dcshop HTTP GET Request auth_user_file.txt Password information disclosure | 5.3 | 5.2 | $0-$5k | $0-$5k | Not Defined | Workaround | 0.00755 | 0.04 | CVE-2001-0821 |
| 7 | Linksys WVC11B main.cgi cross site scripting | 4.3 | 4.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.01569 | 0.00 | CVE-2004-2508 |
| 8 | Asternic Flash Operator Panel User Control Panel command injection | 7.5 | 7.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00214 | 0.04 | CVE-2018-5694 |
| 9 | Contenido Contendio allow_url_fopen file inclusion | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.00575 | 0.00 | CVE-2005-4132 |
| 10 | MidiCart PHP Shopping Cart item_show.php sql injection | 6.3 | 6.0 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00000 | 0.05 | |
| 11 | Microsoft Windows Remote Desktop/Terminal Services Web Connection improper authentication | 6.3 | 6.2 | $25k-$100k | $0-$5k | Not Defined | Workaround | 0.00000 | 0.02 | |
| 12 | Ilohamail cross site scripting | 4.3 | 4.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00000 | 0.04 | |
| 13 | Microsoft IIS Error Message cross site scripting | 6.3 | 6.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00169 | 0.00 | CVE-2000-1104 |
| 14 | Microsoft IIS Error Message cross site scripting | 4.2 | 4.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.03911 | 0.03 | CVE-2003-0223 |
| 15 | Adobe ColdFusion cross site scripting | 4.3 | 3.9 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.01479 | 0.00 | CVE-2007-0817 |
| 16 | SourceCodester Garage Management System createUser.php access control | 6.3 | 5.7 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.00307 | 0.14 | CVE-2022-2578 |
| 17 | D-Link IP Cameras rtpd.cgi insecure inherited permissions | 9.8 | 8.8 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.90114 | 0.00 | CVE-2013-1599 |
| 18 | Microsoft IIS viewcode.asp privileges management | 5.3 | 5.1 | $25k-$100k | $0-$5k | High | Official Fix | 0.94632 | 0.07 | CVE-1999-0737 |
| 19 | UnrealIRCd input validation | 7.3 | 7.3 | $0-$5k | $0-$5k | High | Not Defined | 0.64951 | 0.04 | CVE-2010-2075 |
| 20 | Stoverud PHPhotoalbum File Upload upload.php unrestricted upload | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.02873 | 0.00 | CVE-2009-4819 |

IOC - Indicator of Compromise (5)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (10)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (86)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|---|---|---|---|---|
| 1 | File | /catalog/admin/categories.php?cPath=&action=new_product | predictive | High |
| 2 | File | /inc/HTTPClient.php | predictive | High |
| 3 | File | /php_action/createUser.php | predictive | High |
| 4 | File | /var/WEB-GUI/cgi-bin/telnet.cgi | predictive | High |
| 5 | File | admin.php | predictive | Medium |
| 6 | File | admin/admin.shtml | predictive | High |
| 7 | File | Admin/ADM_Pagina.php | predictive | High |
| 8 | File | admin/editcatalogue.php | predictive | High |
| 9 | File | admin/menus/edit.php | predictive | High |
| 10 | File | apage.cgi | predictive | Medium |

References (3)

The following list contains external sources which discuss the actor and the associated activities:
