{ "type": "SHA256", "indicator": "07594ba29d456e140a171cba12d8d9a2db8405755b81da063a425b1a8b50d073", "general": { "sections": [ "general", "analysis" ], "type": "sha256", "type_title": "FileHash-SHA256", "indicator": "07594ba29d456e140a171cba12d8d9a2db8405755b81da063a425b1a8b50d073", "validation": [], "base_indicator": { "id": 3911322985, "indicator": "07594ba29d456e140a171cba12d8d9a2db8405755b81da063a425b1a8b50d073", "type": "FileHash-SHA256", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "66953c49237688e18327a6ac", "name": "A Social Engineering Tactic to Deploy Malware", "description": "McAfee Labs uncovered a sophisticated social engineering technique, dubbed 'ClickFix,' for deploying malware such as DarkGate and Lumma Stealer. Victims are lured to compromised websites displaying error messages with instructions to paste scripts in PowerShell, facilitating malware downloads and execution. This deceptive tactic exploits users' trust by masquerading as legitimate error prompts, tricking them into unknowingly executing malicious code that compromises their systems.", "modified": "2024-07-15T15:13:09.215000", "created": "2024-07-15T15:12:08.753000", "tags": [ "DarkGate", "Lumma Stealer", "ClickFix" ], "references": [ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clickfix-deception-a-social-engineering-tactic-to-deploy-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "DarkGate", "display_name": "DarkGate", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1223", "name": "Compiled HTML File", "display_name": "T1223 - Compiled HTML File" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 343, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 386445, "modified_text": "684 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "667e748f956c243bf611e3d3", "name": "Malicious Object (IP / Hash / URL)", "description": "Malicious Object (IP / Hash)\nLast Update : 27/12/2024 (Add Hash & BL IP)", "modified": "2025-01-26T00:03:47.506000", "created": "2024-06-28T08:30:07.764000", "tags": [ "Malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Indonesia" ], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [ { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1595.001", "name": "Scanning IP Blocks", "display_name": "T1595.001 - Scanning IP Blocks" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1110.004", "name": "Credential Stuffing", "display_name": "T1110.004 - Credential Stuffing" }, { "id": "T1110.001", "name": "Password Guessing", "display_name": "T1110.001 - Password Guessing" }, { "id": "T1110.003", "name": "Password Spraying", "display_name": "T1110.003 - Password Spraying" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1590.004", "name": "Network Topology", "display_name": "T1590.004 - Network Topology" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1133, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IndoOpenThreatXchange", "id": "286483", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_286483/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1839, "FileHash-SHA256": 48, "FileHash-MD5": 23, "FileHash-SHA1": 48, "URL": 3, "domain": 22, "hostname": 3, "CIDR": 1 }, "indicator_count": 1987, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "489 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6695abd8da05c504990e0255", "name": "Weekly OSINT Highlights, 15 July 2024", "description": "", "modified": "2024-08-14T23:00:18.722000", "created": "2024-07-15T23:08:08.904000", "tags": [ "OSINT" ], "references": [ "https://community.riskiq.com/article/fdcb22e4" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "FileHash-SHA256": 140, "FileHash-MD5": 10, "hostname": 3, "domain": 20 }, "indicator_count": 178, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "653 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "669e2741dcd4f9596558c537", "name": "\u201cClickFix\u201d Malware Delivery Method", "description": "", "modified": "2024-07-22T09:32:49.017000", "created": "2024-07-22T09:32:49.017000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 9, "domain": 1 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "677 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6696722ef047e3eef77e772b", "name": "\u201cClickFix\u201d Malware Delivery Method", "description": "", "modified": "2024-07-16T13:14:22.390000", "created": "2024-07-16T13:14:22.390000", "tags": [ "hashes", "sha256", "domains" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 9, "domain": 1 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "683 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "references": [ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clickfix-deception-a-social-engineering-tactic-to-deploy-malware/", "https://community.riskiq.com/article/fdcb22e4" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Lumma stealer", "Darkgate" ], "industries": [] }, "other": { "adversary": [], "malware_families": [ "" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "66953c49237688e18327a6ac", "name": "A Social Engineering Tactic to Deploy Malware", "description": "McAfee Labs uncovered a sophisticated social engineering technique, dubbed 'ClickFix,' for deploying malware such as DarkGate and Lumma Stealer. Victims are lured to compromised websites displaying error messages with instructions to paste scripts in PowerShell, facilitating malware downloads and execution. This deceptive tactic exploits users' trust by masquerading as legitimate error prompts, tricking them into unknowingly executing malicious code that compromises their systems.", "modified": "2024-07-15T15:13:09.215000", "created": "2024-07-15T15:12:08.753000", "tags": [ "DarkGate", "Lumma Stealer", "ClickFix" ], "references": [ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clickfix-deception-a-social-engineering-tactic-to-deploy-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "DarkGate", "display_name": "DarkGate", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1223", "name": "Compiled HTML File", "display_name": "T1223 - Compiled HTML File" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 343, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 386445, "modified_text": "684 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "667e748f956c243bf611e3d3", "name": "Malicious Object (IP / Hash / URL)", "description": "Malicious Object (IP / Hash)\nLast Update : 27/12/2024 (Add Hash & BL IP)", "modified": "2025-01-26T00:03:47.506000", "created": "2024-06-28T08:30:07.764000", "tags": [ "Malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Indonesia" ], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [ { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1595.001", "name": "Scanning IP Blocks", "display_name": "T1595.001 - Scanning IP Blocks" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1110.004", "name": "Credential Stuffing", "display_name": "T1110.004 - Credential Stuffing" }, { "id": "T1110.001", "name": "Password Guessing", "display_name": "T1110.001 - Password Guessing" }, { "id": "T1110.003", "name": "Password Spraying", "display_name": "T1110.003 - Password Spraying" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1590.004", "name": "Network Topology", "display_name": "T1590.004 - Network Topology" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1133, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IndoOpenThreatXchange", "id": "286483", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_286483/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1839, "FileHash-SHA256": 48, "FileHash-MD5": 23, "FileHash-SHA1": 48, "URL": 3, "domain": 22, "hostname": 3, "CIDR": 1 }, "indicator_count": 1987, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "489 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6695abd8da05c504990e0255", "name": "Weekly OSINT Highlights, 15 July 2024", "description": "", "modified": "2024-08-14T23:00:18.722000", "created": "2024-07-15T23:08:08.904000", "tags": [ "OSINT" ], "references": [ "https://community.riskiq.com/article/fdcb22e4" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "FileHash-SHA256": 140, "FileHash-MD5": 10, "hostname": 3, "domain": 20 }, "indicator_count": 178, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "653 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "669e2741dcd4f9596558c537", "name": "\u201cClickFix\u201d Malware Delivery Method", "description": "", "modified": "2024-07-22T09:32:49.017000", "created": "2024-07-22T09:32:49.017000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 9, "domain": 1 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "677 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6696722ef047e3eef77e772b", "name": "\u201cClickFix\u201d Malware Delivery Method", "description": "", "modified": "2024-07-16T13:14:22.390000", "created": "2024-07-16T13:14:22.390000", "tags": [ "hashes", "sha256", "domains" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 9, "domain": 1 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "683 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "07594ba29d456e140a171cba12d8d9a2db8405755b81da063a425b1a8b50d073", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "07594ba29d456e140a171cba12d8d9a2db8405755b81da063a425b1a8b50d073", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780170330.3002894 }