{
  "type": "Domain",
  "indicator": "ado.net",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/ado.net",
    "alexa": "http://www.alexa.com/siteinfo/ado.net",
    "indicator": "ado.net",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3090086863,
      "indicator": "ado.net",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "69bbcf2b4322ace833e94c2f",
          "name": "CAPE Sandbox  - 'vzDownloadManagerUI.exe'",
          "description": "T1129 - Shared Modules\ndropper\nT1059 - Command and Scripting Interpreter\ncmdline_terminate\nT1542.003 - Bootkit\nsuspicious_iocontrol_codes\nT1547 - Boot or Logon Autostart Execution\npersistence_autorun\nT1547.001 - Registry Run Keys / Startup Folder\npersistence_autorun\nT1542.003 - Bootkit\nsuspicious_iocontrol_codes\nT1564 - Hide Artifacts\npersistence_ads\nT1202 - Indirect Command Execution\nuses_windows_utilities\nT1036 - Masquerading\naccesses_public_folder\nT1055 - Process Injection\nresumethread_remote_process\ncreates_suspended_process\nT1112 - Modify Registry\npersistence_autorun\nT1548 - Abuse Elevation Control Mechanism\naccesses_public_folder\nT1497 - Virtualization/Sandbox Evasion\nmouse_movement_detect\nT1564.004 - NTFS File Attributes\npersistence_ads\nT1547 - Boot or Logon Autostart Execution\npersistence_autorun\nsee references for the rest",
          "modified": "2026-04-18T11:12:42.071000",
          "created": "2026-03-19T10:25:47.272000",
          "tags": [],
          "references": [
            ""
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 767,
            "FileHash-SHA1": 271,
            "FileHash-SHA256": 249,
            "URL": 46,
            "domain": 10,
            "hostname": 106
          },
          "indicator_count": 1449,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 50,
          "modified_text": "4 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ab50eb37dbe71a1a2f22bd",
          "name": "Infected Hosts - MagicSword Analytics - Alerts Merged 03.06.26",
          "description": "Analytics from 2 infected hosts from MagicSword\nHosts are both pseudo clones (?) of a production device that connects to AHS/Covenant Health, UAlberta, Government of Alberta daily. FFSS\n\n******https://tria.ge/260306-2134tsfs3n <- Analytic Files & a few problem Files & 'secret files' only found in Triage VM. Did not include in pulse -> 9/10 *****************",
          "modified": "2026-04-05T21:06:49.776000",
          "created": "2026-03-06T22:10:51.168000",
          "tags": [
            "protection\"\",\"\"internal_name\"\":\"\"mpsigstub.exe\"\",\"\"file_descript",
            "fileexplorer",
            "system32",
            "sha256",
            "block rules",
            "unknown",
            "filehash",
            "filename",
            "filepath",
            "policy block",
            "rules",
            "valid",
            "false",
            "service",
            "terminal",
            "core",
            "stub",
            "powershell",
            "updater",
            "win32",
            "compiler",
            "stack",
            "format",
            "model",
            "fast",
            "connector",
            "shell",
            "installer",
            "lsass",
            "bits",
            "rest",
            "explorer",
            "brain",
            "dcom",
            "android",
            "play",
            "energy",
            "malware",
            "virus",
            "trojan",
            "ransomware",
            "static",
            "analysis",
            "indicator of compromise",
            "ioc",
            "extraction",
            "emulation",
            "online",
            "submit",
            "sample",
            "download",
            "platform",
            "sandbox",
            "static analyzer",
            "analyzer",
            "true",
            "mcafee",
            "protect",
            "powerful",
            "death",
            "bsod",
            "UAlberta",
            "AHS",
            "Covenant Health",
            "Microsoft",
            "Google",
            "ID Theft",
            "Credential Theft",
            "Dell",
            "Lenovo",
            "ASUS",
            "Insite",
            "AlbertaNDP",
            "AlbertaUCP",
            "University",
            "Alberta",
            "NathanIP",
            "Telus",
            "Botnet",
            "Spreader",
            "Malcerts",
            "Certificates",
            "Treaty8",
            "TreatySix",
            "Edmonton",
            "YEG",
            "Eduroam"
          ],
          "references": [
            "https://www.filescan.io/uploads/69ab467397feb4afd670f9d7/reports/1a4169f3-4b2d-4442-9d52-914c643954bc/overview",
            "https://app.threat.zone/submission/ceae3b93-a33f-401b-8a54-a951b524adf4/overview",
            "https://www.filescan.io/uploads/69ab48ab9eaae8465944a7a7/reports/0b631689-e054-441a-8302-0c1c9c9d4783/overview",
            "https://app.threat.zone/submission/f5353cb5-7f63-4462-a4c5-96fc9e9de8fe/overview",
            "https://www.filescan.io/uploads/69ab4a18cd25bfe1dfe2ef6f/reports/59c49be5-98f1-4055-a49b-e5a9ce532f15/overview",
            "https://app.threat.zone/submission/1a95a88b-069d-4ca0-94be-46798f0156cf/overview",
            "https://www.filescan.io/uploads/69ab4c8697feb4afd671070f/reports/1c10bb12-152b-47b0-9d50-0d37fd946a77/overview",
            "http://hybrid-analysis.com/file-collection/69ab53ada78313258c0cd3b1",
            "Polyswarm",
            "******https://tria.ge/260306-2134tsfs3n <- Analytic Files & a few problem Files & 'secret files' only found in Triage VM. Did not include in pulse -> 9/10"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [
            {
              "id": "Protection\"\",\"\"internal_name\"\":\"\"MpSigStub.exe\"\",\"\"file_description\"\":\"\"Microsoft",
              "display_name": "Protection\"\",\"\"internal_name\"\":\"\"MpSigStub.exe\"\",\"\"file_description\"\":\"\"Microsoft",
              "target": null
            },
            {
              "id": "FileExplorer",
              "display_name": "FileExplorer",
              "target": null
            },
            {
              "id": "Ransomware",
              "display_name": "Ransomware",
              "target": null
            },
            {
              "id": "Trojan",
              "display_name": "Trojan",
              "target": null
            },
            {
              "id": "Thimeda",
              "display_name": "Thimeda",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "T1211",
              "name": "Exploitation for Defense Evasion",
              "display_name": "T1211 - Exploitation for Defense Evasion"
            }
          ],
          "industries": [
            "Healthcare",
            "Education",
            "Government",
            "Finance",
            "Hospitality",
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 52,
            "FileHash-SHA256": 728,
            "URL": 24,
            "email": 1,
            "hostname": 6,
            "domain": 2
          },
          "indicator_count": 815,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "17 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "670f9e9d6b588cefe36e3e88",
          "name": "SideWinder APT\u2019s post - exploitation framework analysis | Securelist",
          "description": "The Kaspersky security firm has identified the SideWinder APT group as one of the world\u2019s most prolific cyber-espionage groups. The group has launched a series of attacks over the past five years.",
          "modified": "2024-10-16T11:08:13.264000",
          "created": "2024-10-16T11:08:13.264000",
          "tags": [
            "apt",
            "backdoor",
            "malware",
            "malware descriptions",
            "malware technologies",
            "sidewinder",
            "targeted attacks",
            "trojan",
            "orchestrator",
            "backdoor loader",
            "function",
            "windows",
            "library",
            "payloadfilename",
            "javascript",
            "temp",
            "c2 server",
            "stealer",
            "download",
            "cve201711882",
            "path",
            "shellcode",
            "infect",
            "rats",
            "null",
            "install",
            "capture",
            "keylogger",
            "grabber",
            "defender",
            "kill",
            "facebook",
            "copy",
            "installer",
            "uacbypass",
            "confuserex",
            "downloader",
            "ghostnet",
            "indonesia",
            "app.dll",
            "moduleinstaller",
            "rdp credential",
            "file"
          ],
          "references": [
            "https://securelist.com/sidewinder-apt/114089/"
          ],
          "public": 1,
          "adversary": "SideWinder",
          "targeted_countries": [
            "Pakistan",
            "Sri Lanka",
            "China",
            "Nepal",
            "Bangladesh",
            "Djibouti",
            "Jordan",
            "Malaysia",
            "Maldives",
            "Myanmar",
            "Saudi Arabia",
            "T\u00fcrkiye",
            "United Arab Emirates",
            "Afghanistan",
            "France",
            "India",
            "Indonesia",
            "Morocco",
            "Colombia",
            "Ecuador",
            "Chile",
            "Panama"
          ],
          "malware_families": [
            {
              "id": "JavaScript",
              "display_name": "JavaScript",
              "target": null
            },
            {
              "id": "App.dll",
              "display_name": "App.dll",
              "target": null
            },
            {
              "id": "ModuleInstaller",
              "display_name": "ModuleInstaller",
              "target": null
            },
            {
              "id": "RDP Credential",
              "display_name": "RDP Credential",
              "target": null
            },
            {
              "id": "File",
              "display_name": "File",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [
            "Military",
            "Government",
            "Logistics",
            "Telecommunications",
            "Financial",
            "Oil",
            "Diplomatic"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 63,
            "FileHash-SHA1": 20,
            "FileHash-SHA256": 20,
            "URL": 23,
            "domain": 111,
            "hostname": 16
          },
          "indicator_count": 254,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 849,
          "modified_text": "553 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "https://www.filescan.io/uploads/69ab48ab9eaae8465944a7a7/reports/0b631689-e054-441a-8302-0c1c9c9d4783/overview",
        "******https://tria.ge/260306-2134tsfs3n <- Analytic Files & a few problem Files & 'secret files' only found in Triage VM. Did not include in pulse -> 9/10",
        "https://www.filescan.io/uploads/69ab467397feb4afd670f9d7/reports/1a4169f3-4b2d-4442-9d52-914c643954bc/overview",
        "https://app.threat.zone/submission/f5353cb5-7f63-4462-a4c5-96fc9e9de8fe/overview",
        "https://app.threat.zone/submission/1a95a88b-069d-4ca0-94be-46798f0156cf/overview",
        "https://www.filescan.io/uploads/69ab4c8697feb4afd671070f/reports/1c10bb12-152b-47b0-9d50-0d37fd946a77/overview",
        "https://securelist.com/sidewinder-apt/114089/",
        "https://www.filescan.io/uploads/69ab4a18cd25bfe1dfe2ef6f/reports/59c49be5-98f1-4055-a49b-e5a9ce532f15/overview",
        "http://hybrid-analysis.com/file-collection/69ab53ada78313258c0cd3b1",
        "https://app.threat.zone/submission/ceae3b93-a33f-401b-8a54-a951b524adf4/overview",
        "Polyswarm"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "SideWinder"
          ],
          "malware_families": [
            "Rdp credential",
            "Trojan",
            "File",
            "Fileexplorer",
            "Javascript",
            "Moduleinstaller",
            "Thimeda",
            "App.dll",
            "Protection\"\",\"\"internal_name\"\":\"\"mpsigstub.exe\"\",\"\"file_description\"\":\"\"microsoft",
            "Ransomware"
          ],
          "industries": [
            "Technology",
            "Telecommunications",
            "Government",
            "Education",
            "Logistics",
            "Financial",
            "Finance",
            "Military",
            "Oil",
            "Healthcare",
            "Diplomatic",
            "Hospitality"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "69bbcf2b4322ace833e94c2f",
      "name": "CAPE Sandbox  - 'vzDownloadManagerUI.exe'",
      "description": "T1129 - Shared Modules\ndropper\nT1059 - Command and Scripting Interpreter\ncmdline_terminate\nT1542.003 - Bootkit\nsuspicious_iocontrol_codes\nT1547 - Boot or Logon Autostart Execution\npersistence_autorun\nT1547.001 - Registry Run Keys / Startup Folder\npersistence_autorun\nT1542.003 - Bootkit\nsuspicious_iocontrol_codes\nT1564 - Hide Artifacts\npersistence_ads\nT1202 - Indirect Command Execution\nuses_windows_utilities\nT1036 - Masquerading\naccesses_public_folder\nT1055 - Process Injection\nresumethread_remote_process\ncreates_suspended_process\nT1112 - Modify Registry\npersistence_autorun\nT1548 - Abuse Elevation Control Mechanism\naccesses_public_folder\nT1497 - Virtualization/Sandbox Evasion\nmouse_movement_detect\nT1564.004 - NTFS File Attributes\npersistence_ads\nT1547 - Boot or Logon Autostart Execution\npersistence_autorun\nsee references for the rest",
      "modified": "2026-04-18T11:12:42.071000",
      "created": "2026-03-19T10:25:47.272000",
      "tags": [],
      "references": [
        ""
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 767,
        "FileHash-SHA1": 271,
        "FileHash-SHA256": 249,
        "URL": 46,
        "domain": 10,
        "hostname": 106
      },
      "indicator_count": 1449,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 50,
      "modified_text": "4 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69ab50eb37dbe71a1a2f22bd",
      "name": "Infected Hosts - MagicSword Analytics - Alerts Merged 03.06.26",
      "description": "Analytics from 2 infected hosts from MagicSword\nHosts are both pseudo clones (?) of a production device that connects to AHS/Covenant Health, UAlberta, Government of Alberta daily. FFSS\n\n******https://tria.ge/260306-2134tsfs3n <- Analytic Files & a few problem Files & 'secret files' only found in Triage VM. Did not include in pulse -> 9/10 *****************",
      "modified": "2026-04-05T21:06:49.776000",
      "created": "2026-03-06T22:10:51.168000",
      "tags": [
        "protection\"\",\"\"internal_name\"\":\"\"mpsigstub.exe\"\",\"\"file_descript",
        "fileexplorer",
        "system32",
        "sha256",
        "block rules",
        "unknown",
        "filehash",
        "filename",
        "filepath",
        "policy block",
        "rules",
        "valid",
        "false",
        "service",
        "terminal",
        "core",
        "stub",
        "powershell",
        "updater",
        "win32",
        "compiler",
        "stack",
        "format",
        "model",
        "fast",
        "connector",
        "shell",
        "installer",
        "lsass",
        "bits",
        "rest",
        "explorer",
        "brain",
        "dcom",
        "android",
        "play",
        "energy",
        "malware",
        "virus",
        "trojan",
        "ransomware",
        "static",
        "analysis",
        "indicator of compromise",
        "ioc",
        "extraction",
        "emulation",
        "online",
        "submit",
        "sample",
        "download",
        "platform",
        "sandbox",
        "static analyzer",
        "analyzer",
        "true",
        "mcafee",
        "protect",
        "powerful",
        "death",
        "bsod",
        "UAlberta",
        "AHS",
        "Covenant Health",
        "Microsoft",
        "Google",
        "ID Theft",
        "Credential Theft",
        "Dell",
        "Lenovo",
        "ASUS",
        "Insite",
        "AlbertaNDP",
        "AlbertaUCP",
        "University",
        "Alberta",
        "NathanIP",
        "Telus",
        "Botnet",
        "Spreader",
        "Malcerts",
        "Certificates",
        "Treaty8",
        "TreatySix",
        "Edmonton",
        "YEG",
        "Eduroam"
      ],
      "references": [
        "https://www.filescan.io/uploads/69ab467397feb4afd670f9d7/reports/1a4169f3-4b2d-4442-9d52-914c643954bc/overview",
        "https://app.threat.zone/submission/ceae3b93-a33f-401b-8a54-a951b524adf4/overview",
        "https://www.filescan.io/uploads/69ab48ab9eaae8465944a7a7/reports/0b631689-e054-441a-8302-0c1c9c9d4783/overview",
        "https://app.threat.zone/submission/f5353cb5-7f63-4462-a4c5-96fc9e9de8fe/overview",
        "https://www.filescan.io/uploads/69ab4a18cd25bfe1dfe2ef6f/reports/59c49be5-98f1-4055-a49b-e5a9ce532f15/overview",
        "https://app.threat.zone/submission/1a95a88b-069d-4ca0-94be-46798f0156cf/overview",
        "https://www.filescan.io/uploads/69ab4c8697feb4afd671070f/reports/1c10bb12-152b-47b0-9d50-0d37fd946a77/overview",
        "http://hybrid-analysis.com/file-collection/69ab53ada78313258c0cd3b1",
        "Polyswarm",
        "******https://tria.ge/260306-2134tsfs3n <- Analytic Files & a few problem Files & 'secret files' only found in Triage VM. Did not include in pulse -> 9/10"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [
        {
          "id": "Protection\"\",\"\"internal_name\"\":\"\"MpSigStub.exe\"\",\"\"file_description\"\":\"\"Microsoft",
          "display_name": "Protection\"\",\"\"internal_name\"\":\"\"MpSigStub.exe\"\",\"\"file_description\"\":\"\"Microsoft",
          "target": null
        },
        {
          "id": "FileExplorer",
          "display_name": "FileExplorer",
          "target": null
        },
        {
          "id": "Ransomware",
          "display_name": "Ransomware",
          "target": null
        },
        {
          "id": "Trojan",
          "display_name": "Trojan",
          "target": null
        },
        {
          "id": "Thimeda",
          "display_name": "Thimeda",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "T1211",
          "name": "Exploitation for Defense Evasion",
          "display_name": "T1211 - Exploitation for Defense Evasion"
        }
      ],
      "industries": [
        "Healthcare",
        "Education",
        "Government",
        "Finance",
        "Hospitality",
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 52,
        "FileHash-SHA256": 728,
        "URL": 24,
        "email": 1,
        "hostname": 6,
        "domain": 2
      },
      "indicator_count": 815,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "17 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "670f9e9d6b588cefe36e3e88",
      "name": "SideWinder APT\u2019s post - exploitation framework analysis | Securelist",
      "description": "The Kaspersky security firm has identified the SideWinder APT group as one of the world\u2019s most prolific cyber-espionage groups. The group has launched a series of attacks over the past five years.",
      "modified": "2024-10-16T11:08:13.264000",
      "created": "2024-10-16T11:08:13.264000",
      "tags": [
        "apt",
        "backdoor",
        "malware",
        "malware descriptions",
        "malware technologies",
        "sidewinder",
        "targeted attacks",
        "trojan",
        "orchestrator",
        "backdoor loader",
        "function",
        "windows",
        "library",
        "payloadfilename",
        "javascript",
        "temp",
        "c2 server",
        "stealer",
        "download",
        "cve201711882",
        "path",
        "shellcode",
        "infect",
        "rats",
        "null",
        "install",
        "capture",
        "keylogger",
        "grabber",
        "defender",
        "kill",
        "facebook",
        "copy",
        "installer",
        "uacbypass",
        "confuserex",
        "downloader",
        "ghostnet",
        "indonesia",
        "app.dll",
        "moduleinstaller",
        "rdp credential",
        "file"
      ],
      "references": [
        "https://securelist.com/sidewinder-apt/114089/"
      ],
      "public": 1,
      "adversary": "SideWinder",
      "targeted_countries": [
        "Pakistan",
        "Sri Lanka",
        "China",
        "Nepal",
        "Bangladesh",
        "Djibouti",
        "Jordan",
        "Malaysia",
        "Maldives",
        "Myanmar",
        "Saudi Arabia",
        "T\u00fcrkiye",
        "United Arab Emirates",
        "Afghanistan",
        "France",
        "India",
        "Indonesia",
        "Morocco",
        "Colombia",
        "Ecuador",
        "Chile",
        "Panama"
      ],
      "malware_families": [
        {
          "id": "JavaScript",
          "display_name": "JavaScript",
          "target": null
        },
        {
          "id": "App.dll",
          "display_name": "App.dll",
          "target": null
        },
        {
          "id": "ModuleInstaller",
          "display_name": "ModuleInstaller",
          "target": null
        },
        {
          "id": "RDP Credential",
          "display_name": "RDP Credential",
          "target": null
        },
        {
          "id": "File",
          "display_name": "File",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1124",
          "name": "System Time Discovery",
          "display_name": "T1124 - System Time Discovery"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        }
      ],
      "industries": [
        "Military",
        "Government",
        "Logistics",
        "Telecommunications",
        "Financial",
        "Oil",
        "Diplomatic"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 63,
        "FileHash-SHA1": 20,
        "FileHash-SHA256": 20,
        "URL": 23,
        "domain": 111,
        "hostname": 16
      },
      "indicator_count": 254,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 849,
      "modified_text": "553 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "ado.net",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "ado.net",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776930231.0145013
}