Attackers exploiting a patched FortiClient EMS vulnerability in the wild
Common Information
Type | Value |
---|---|
UUID | bf3cb20f-b0db-468b-b730-15f1568e01cc |
Fingerprint | 34b899d5c937b5c5 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Dec. 19, 2024, 12:05 p.m. |
Added to db | Dec. 21, 2024, 4:37 a.m. |
Last updated | Dec. 23, 2024, 10:04 p.m. |
Headline | Attackers exploiting a patched FortiClient EMS vulnerability in the wild |
Title | Attackers exploiting a patched FortiClient EMS vulnerability in the wild |
Detected Hints/Tags/Attributes | 104/3/112 |
Source URLs
URL Provider
RSS Feed
Details | Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|---|
Details | 158 | ✔ | Malware Analysis, News and Indicators - Latest topics | https://malware.news/latest.rss | 2024-08-30 22:08 |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | CVE | 45 | cve-2023-48788 |
Details | Domain | 463 | securelist.com |
Details | File | 3 | wqgltykm.tmp |
Details | File | 107 | c:\windows\system32\svchost.exe |
Details | File | 3 | ems.log |
Details | File | 3 | sql_trace.log |
Details | File | 129 | sqlservr.exe |
Details | File | 2335 | cmd.exe |
Details | File | 1356 | powershell.exe |
Details | File | 1 | c:\u%7 0date.exe |
Details | File | 4 | c:\update.exe |
Details | File | 6 | clientsetup.exe |
Details | File | 201 | update.exe |
Details | File | 50 | netscan.exe |
Details | File | 3 | dat.txt |
Details | File | 3 | libsmb2.dll |
Details | File | 3 | libsmi2.dll |
Details | File | 3 | netscanold.xml |
Details | File | 3 | unins000.dat |
Details | File | 11 | unins000.exe |
Details | File | 14 | webbrowserpassview.exe |
Details | File | 9 | netpass64.exe |
Details | File | 93 | mimikatz.exe |
Details | File | 9 | hrsword.exe |
Details | File | 437 | c:\windows\system32\cmd.exe |
Details | File | 3 | br.exe |
Details | File | 3 | donpapi.exe |
Details | File | 27 | setup.msi |
Details | File | 4 | oo.bat |
Details | File | 4 | sos.txt |
Details | File | 4 | 72.bat |
Details | File | 4 | %temp%\gflqpbnlyyyh.exe |
Details | File | 4 | %temp%\falnkaqgoe.exe |
Details | File | 4 | %temp%\qgcnsjrb.exe |
Details | File | 5 | im.ps1 |
Details | File | 4 | %temp%\edgourkwzlsk.exe |
Details | MITRE ATT&CK Techniques | 592 | T1190 |
Details | MITRE ATT&CK Techniques | 80 | T1078.002 |
Details | MITRE ATT&CK Techniques | 328 | T1562.001 |
Details | MITRE ATT&CK Techniques | 510 | T1059.001 |
Details | MITRE ATT&CK Techniques | 179 | T1021 |
Details | MITRE ATT&CK Techniques | 524 | T1105 |
Details | MITRE ATT&CK Techniques | 129 | T1570 |
Details | MITRE ATT&CK Techniques | 188 | T1555 |
Details | Url | 2 | https://securelist.com/patched-forticlient-ems-vulnerability-exploited-in-the-wild/115046 |
Details | Windows Registry Key | 27 | HKLM\SAM |
Details | Windows Registry Key | 17 | HKLM\SECURITY |