Attackers exploiting a FortiClient EMS vulnerability in the wild
Common Information
UUID: 758d8ff1-7868-42ed-84b5-a784a4ef54fb
Fingerprint: 349899d5c937b5c5
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: Dec. 19, 2024, noon
Added to db: Dec. 21, 2024, 4:54 a.m.
Last updated: Dec. 23, 2024, 10:04 p.m.
Headline: Attackers exploiting a patched FortiClient EMS vulnerability in the wild
Title: Attackers exploiting a FortiClient EMS vulnerability in the wild
Detected Hints/Tags/Attributes: 104/3/108
RSS Feed
Id: 223
Enabled:
Feed title: Securelist
Url: https://securelist.com/feed/
Added to db: 2024-08-30 22:08
Attributes
Type (#Events): Value
CVE (45 events): cve-2023-48788
MITRE ATT&CK Technique (592 events): T1190
MITRE ATT&CK Technique (80 events): T1078.002
MITRE ATT&CK Technique (328 events): T1562.001
MITRE ATT&CK Technique (510 events): T1059.001
MITRE ATT&CK Technique (179 events): T1021
MITRE ATT&CK Technique (524 events): T1105
MITRE ATT&CK Technique (129 events): T1570
MITRE ATT&CK Technique (188 events): T1555
Windows Registry Key (27 events): HKLM\SAM
Windows Registry Key (17 events): HKLM\SECURITY