{ "type": "Domain", "indicator": "adbefnts.dev", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/adbefnts.dev", "alexa": "http://www.alexa.com/siteinfo/adbefnts.dev", "indicator": "adbefnts.dev", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3883383732, "indicator": "adbefnts.dev", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "671138665921649e98001ab7", "name": "Ukrainian and Polish entities targeted with RomCom malware variants", "description": "A Russian-speaking threat group, UAT-5647, has been conducting attacks against Ukrainian government entities and Polish targets since late 2023. The group has evolved its toolset to include four distinct malware families: RustClaw and MeltingClaw downloaders, DustyHammock backdoor, and ShadyHammock backdoor. The attacks involve spear-phishing campaigns delivering these malware components, which ultimately lead to the deployment of an updated version of the RomCom malware called SingleCamper. UAT-5647's activities suggest a focus on establishing long-term access for data exfiltration, with potential for future ransomware deployment. The group's tactics include network reconnaissance, lateral movement, and attempts to compromise edge devices for evasion purposes.", "modified": "2024-11-16T16:03:43.771000", "created": "2024-10-17T16:16:38.100000", "tags": [ "romcom", "singlecamper", "dustyhammock", "russia", "shadyhammock", "ukraine", "rustclaw", "poland", "rustyclaw", "meltingclaw" ], "references": [ "https://blog.talosintelligence.com/uat-5647-romcom/" ], "public": 1, "adversary": "RomCom", "targeted_countries": [ "Poland", "Ukraine" ], "malware_families": [ { "id": "RomCom", "display_name": "RomCom", "target": null }, { "id": "SingleCamper", "display_name": "SingleCamper", "target": null }, { "id": "RustyClaw", "display_name": "RustyClaw", "target": null }, { "id": "MeltingClaw", "display_name": "MeltingClaw", "target": null }, { "id": "DustyHammock", "display_name": "DustyHammock", "target": null }, { "id": "ShadyHammock", "display_name": "ShadyHammock", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 32, "URL": 5, "domain": 12 }, "indicator_count": 63, "is_author": false, "is_subscribing": null, "subscriber_count": 386539, "modified_text": "560 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67202a91c03af52a3e00393f", "name": "InQuest - 28-10-2024", "description": "", "modified": "2024-11-28T00:00:50.629000", "created": "2024-10-29T00:21:37.073000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 91, "domain": 29, "FileHash-SHA256": 474, "hostname": 14, "FileHash-SHA1": 12, "FileHash-MD5": 4 }, "indicator_count": 624, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "549 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671ed771a90d9d4e03a539f5", "name": "InQuest - 27-10-2024", "description": "", "modified": "2024-11-27T00:00:42.578000", "created": "2024-10-28T00:14:41.049000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 484, "domain": 129, "URL": 222, "hostname": 31, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 964, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "550 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671d76cf232aeae365a12017", "name": "InQuest - 26-10-2024", "description": "", "modified": "2024-11-25T23:01:43.774000", "created": "2024-10-26T23:10:07.417000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 476, "hostname": 26, "URL": 195, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671c25558d3e76dba6bba70a", "name": "InQuest - 25-10-2024", "description": "", "modified": "2024-11-24T23:05:48.476000", "created": "2024-10-25T23:10:13.189000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 476, "hostname": 26, "URL": 195, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "552 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671ad410a33578e60aadd9a2", "name": "InQuest - 24-10-2024", "description": "", "modified": "2024-11-23T23:00:05.926000", "created": "2024-10-24T23:11:12.579000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 476, "hostname": 26, "URL": 195, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "553 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6719819c9a836408316b5d00", "name": "InQuest - 23-10-2024", "description": "", "modified": "2024-11-22T23:03:11.999000", "created": "2024-10-23T23:07:08.442000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 92, "hostname": 25, "URL": 193, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 534, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "554 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67131ff0724db0fa3bdae09d", "name": "UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants", "description": "A new wave of cyber-attacks is targeting Ukrainian government entities and Polish entities, according to Cisco Talos intelligence and security services, and the threat actor is aggressively expanding its tooling and infrastructure.", "modified": "2024-11-18T02:01:39.360000", "created": "2024-10-19T02:56:48.830000", "tags": [ "russia", "landing page top story", "malware", "ukraine", "apt", "top story", "shadyhammock", "singlecamper", "uat5647", "dustyhammock", "meltingclaw", "cisco secure", "port", "rustyclaw", "ipaddress", "system", "rust", "open", "polish", "plink", "umbrella", "romcom" ], "references": [ "https://blog.talosintelligence.com/uat-5647-romcom/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RustyClaw", "display_name": "RustyClaw", "target": null }, { "id": "DustyHammock", "display_name": "DustyHammock", "target": null }, { "id": "ShadyHammock", "display_name": "ShadyHammock", "target": null }, { "id": "RomCom", "display_name": "RomCom", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "demogreatvotes", "id": "297245", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 25, "FileHash-SHA1": 25, "FileHash-SHA256": 33, "URL": 5, "domain": 12 }, "indicator_count": 100, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "559 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6711ef4e3e5187750af79ac9", "name": "Russian RomCom Targeting Ukrainian Government with New SingleCamper RAT Variant", "description": "", "modified": "2024-11-17T05:01:31.027000", "created": "2024-10-18T05:17:02.908000", "tags": [ "hashes", "sha256", "cyber", "threat", "october", "time", "crypto cyber", "defence", "domains", "ipv4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 33, "domain": 12 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "560 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://blog.talosintelligence.com/uat-5647-romcom/", "https://labs.inquest.net/iocdb" ], "related": { "alienvault": { "adversary": [ "RomCom" ], "malware_families": [ "Singlecamper", "Meltingclaw", "Romcom", "Dustyhammock", "Rustyclaw", "Shadyhammock" ], "industries": [ "Government" ] }, "other": { "adversary": [], "malware_families": [ "Shadyhammock", "Romcom", "Dustyhammock", "Rustyclaw" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "671138665921649e98001ab7", "name": "Ukrainian and Polish entities targeted with RomCom malware variants", "description": "A Russian-speaking threat group, UAT-5647, has been conducting attacks against Ukrainian government entities and Polish targets since late 2023. The group has evolved its toolset to include four distinct malware families: RustClaw and MeltingClaw downloaders, DustyHammock backdoor, and ShadyHammock backdoor. The attacks involve spear-phishing campaigns delivering these malware components, which ultimately lead to the deployment of an updated version of the RomCom malware called SingleCamper. UAT-5647's activities suggest a focus on establishing long-term access for data exfiltration, with potential for future ransomware deployment. The group's tactics include network reconnaissance, lateral movement, and attempts to compromise edge devices for evasion purposes.", "modified": "2024-11-16T16:03:43.771000", "created": "2024-10-17T16:16:38.100000", "tags": [ "romcom", "singlecamper", "dustyhammock", "russia", "shadyhammock", "ukraine", "rustclaw", "poland", "rustyclaw", "meltingclaw" ], "references": [ "https://blog.talosintelligence.com/uat-5647-romcom/" ], "public": 1, "adversary": "RomCom", "targeted_countries": [ "Poland", "Ukraine" ], "malware_families": [ { "id": "RomCom", "display_name": "RomCom", "target": null }, { "id": "SingleCamper", "display_name": "SingleCamper", "target": null }, { "id": "RustyClaw", "display_name": "RustyClaw", "target": null }, { "id": "MeltingClaw", "display_name": "MeltingClaw", "target": null }, { "id": "DustyHammock", "display_name": "DustyHammock", "target": null }, { "id": "ShadyHammock", "display_name": "ShadyHammock", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 32, "URL": 5, "domain": 12 }, "indicator_count": 63, "is_author": false, "is_subscribing": null, "subscriber_count": 386539, "modified_text": "560 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67202a91c03af52a3e00393f", "name": "InQuest - 28-10-2024", "description": "", "modified": "2024-11-28T00:00:50.629000", "created": "2024-10-29T00:21:37.073000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 91, "domain": 29, "FileHash-SHA256": 474, "hostname": 14, "FileHash-SHA1": 12, "FileHash-MD5": 4 }, "indicator_count": 624, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "549 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671ed771a90d9d4e03a539f5", "name": "InQuest - 27-10-2024", "description": "", "modified": "2024-11-27T00:00:42.578000", "created": "2024-10-28T00:14:41.049000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 484, "domain": 129, "URL": 222, "hostname": 31, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 964, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "550 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671d76cf232aeae365a12017", "name": "InQuest - 26-10-2024", "description": "", "modified": "2024-11-25T23:01:43.774000", "created": "2024-10-26T23:10:07.417000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 476, "hostname": 26, "URL": 195, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671c25558d3e76dba6bba70a", "name": "InQuest - 25-10-2024", "description": "", "modified": "2024-11-24T23:05:48.476000", "created": "2024-10-25T23:10:13.189000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 476, "hostname": 26, "URL": 195, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "552 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671ad410a33578e60aadd9a2", "name": "InQuest - 24-10-2024", "description": "", "modified": "2024-11-23T23:00:05.926000", "created": "2024-10-24T23:11:12.579000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 476, "hostname": 26, "URL": 195, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "553 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6719819c9a836408316b5d00", "name": "InQuest - 23-10-2024", "description": "", "modified": "2024-11-22T23:03:11.999000", "created": "2024-10-23T23:07:08.442000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 92, "hostname": 25, "URL": 193, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 534, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "554 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67131ff0724db0fa3bdae09d", "name": "UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants", "description": "A new wave of cyber-attacks is targeting Ukrainian government entities and Polish entities, according to Cisco Talos intelligence and security services, and the threat actor is aggressively expanding its tooling and infrastructure.", "modified": "2024-11-18T02:01:39.360000", "created": "2024-10-19T02:56:48.830000", "tags": [ "russia", "landing page top story", "malware", "ukraine", "apt", "top story", "shadyhammock", "singlecamper", "uat5647", "dustyhammock", "meltingclaw", "cisco secure", "port", "rustyclaw", "ipaddress", "system", "rust", "open", "polish", "plink", "umbrella", "romcom" ], "references": [ "https://blog.talosintelligence.com/uat-5647-romcom/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RustyClaw", "display_name": "RustyClaw", "target": null }, { "id": "DustyHammock", "display_name": "DustyHammock", "target": null }, { "id": "ShadyHammock", "display_name": "ShadyHammock", "target": null }, { "id": "RomCom", "display_name": "RomCom", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "demogreatvotes", "id": "297245", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 25, "FileHash-SHA1": 25, "FileHash-SHA256": 33, "URL": 5, "domain": 12 }, "indicator_count": 100, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "559 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6711ef4e3e5187750af79ac9", "name": "Russian RomCom Targeting Ukrainian Government with New SingleCamper RAT Variant", "description": "", "modified": "2024-11-17T05:01:31.027000", "created": "2024-10-18T05:17:02.908000", "tags": [ "hashes", "sha256", "cyber", "threat", "october", "time", "crypto cyber", "defence", "domains", "ipv4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 33, "domain": 12 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "560 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "adbefnts.dev", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "adbefnts.dev", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780235394.2048957 }