{ "type": "Domain", "indicator": "aim-time.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/aim-time.com", "alexa": "http://www.alexa.com/siteinfo/aim-time.com", "indicator": "aim-time.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3641761471, "indicator": "aim-time.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "6654198962e43dc463f692c2", "name": "DOH IP & URL IOC", "description": "The following is the full text of the report on the findings of this year's World Cup in Brazil, which was held at the same time as the 2016 Olympics in Rio de Janeiro, Brazil.", "modified": "2024-09-25T04:01:33.267000", "created": "2024-05-27T05:26:33.698000", "tags": [ "iocs https" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fueledbycoffeeDXB", "id": "272228", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 270, "CIDR": 1, "domain": 116, "hostname": 33, "FileHash-MD5": 1 }, "indicator_count": 421, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "616 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6513eca597c209f832387d68", "name": "\u4eca\u5e74\u5e74\u521d\uff0cEmotet\u94f6\u884c\u6728\u9a6c\u518d\u6b21\u51fa\u73b0", "description": "Emotet\uff08\u4e5f\u88ab\u79f0\u4e3aGeodo\u548cHeodo\uff09\u4e0d\u4ec5\u662f\u4e00\u79cd\u8457\u540d\u7684\u94f6\u884c\u6728\u9a6c\uff0c\u540c\u65f6\u4e5f\u53ef\u4ee5\u4f5c\u4e3a\u5176\u4ed6\u6076\u610f\u8f6f\u4ef6\u7684downloader\u6216dropper\u3002\u81ea2014\u5e74\u9996\u6b21\u51fa\u73b0\u4ee5\u6765\uff0c\u4e00\u76f4\u662f\u4e00\u79cd\u5177\u6709\u5371\u9669\u6027\u548c\u6301\u4e45\u6027\u7684\u6076\u610f\u8f6f\u4ef6\u3002\u5c3d\u7ba1\u57282021\u5e74\u521d\u6267\u6cd5\u673a\u6784\u8bd5\u56fe\u5c06\u5176\u5173\u95ed\uff0c\u4f46Emotet\u8868\u73b0\u51fa\u6781\u5f3a\u7684\u751f\u5b58\u529b\uff0c\u751a\u81f3\u5728\u6b27\u6d32\u5211\u8b66\u7ec4\u7ec7\u8fdb\u884c\u4e86\u91cd\u5927\u6253\u51fb\u884c\u52a8\u540e\u4ecd\u7136\u5b58\u6d3b\u3002\u4eca\u5e74\uff0c\u5b83\u4ee5epoch4\u548cepoch5\u7248\u672c\u56de\u5f52\uff0c\u5e76\u5229\u7528Microsoft Word\u548cMicrosoft OneNote\u4e2d\u7684\u5b8f\u548c\u5d4c\u5165\u5f0f\u811a\u672c\u8fdb\u884c\u611f\u67d3\u548c\u4f20\u64ad\u3002", "modified": "2023-10-27T08:05:43.362000", "created": "2023-09-27T08:49:41.129000", "tags": [ "Emotet", "downloader", "HotSpot" ], "references": [ "https://www.trellix.com/en-us/about/newsroom/stories/research/icymi-emotet-reappeared-early-this-year-unfortunately.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jintianxingqiji", "id": "243725", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243725/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "domain": 38, "hostname": 9 }, "indicator_count": 142, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "949 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64186efb728d1ea3633c3dc6", "name": "Emotet Sending Malicious Emails After Three-Month Hiatus", "description": "New Emotet malicious email activity suggest the Emotet Group has restarted activities after taking a few months long hiatus. The detected email activity shows it inserting itself into existing email chains with a malicious unprotected zip attachment, with a financial invoice theme to lure victims. Inside the zip file, there is an Office Word document with macros. Office requests the user to enable content, to which, if accepted, macros run in the background to download and execute the Emotet DLL. It is not known how long this round of email activity will take but from previous rounds, it can be expected to last a few weeks and then disappear for months. Trellix ENS detection: W97M/Downloader.dwu trojan For the current Emotet campaign, Trellix has added a policy rule for the zip attachments that can be enabled on the Email appliances.", "modified": "2023-04-19T14:04:39.791000", "created": "2023-03-20T14:34:35.037000", "tags": [ "https", "http", "javascript", "help center", "please", "service privacy", "policy cookie", "policy imprint", "ads info", "twitter", "emotet", "figure", "tuesday", "march", "office", "emotet botnet", "emotet email", "office document", "enable content", "november" ], "references": [ "https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/", "https://twitter.com/Cryptolaemus1/status/1633099154623803394?s=20" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1009", "name": "Binary Padding", "display_name": "T1009 - Binary Padding" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1117", "name": "Regsvr32", "display_name": "T1117 - Regsvr32" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BITSecurity", "id": "103352", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 40, "URL": 108, "hostname": 10, "FileHash-MD5": 325, "FileHash-SHA1": 277, "FileHash-SHA256": 279 }, "indicator_count": 1039, "is_author": false, "is_subscribing": null, "subscriber_count": 242, "modified_text": "1140 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "640e6c120984f885fb32fb26", "name": "InQuest - 12-03-2023", "description": "", "modified": "2023-04-13T13:17:56.967000", "created": "2023-03-13T00:19:30.399000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 177, "domain": 931, "URL": 1475, "hostname": 262, "FileHash-SHA1": 18, "FileHash-MD5": 6 }, "indicator_count": 2869, "is_author": false, "is_subscribing": null, "subscriber_count": 1625, "modified_text": "1146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "640d1e6b88d23a17b58e422d", "name": "InQuest - 11-03-2023", "description": "", "modified": "2023-04-13T13:11:36.876000", "created": "2023-03-12T00:35:55.122000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 175, "URL": 1516, "domain": 1049, "hostname": 232, "FileHash-SHA1": 13, "FileHash-MD5": 11 }, "indicator_count": 2996, "is_author": false, "is_subscribing": null, "subscriber_count": 1625, "modified_text": "1146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "640bcd190eefa1035e8ba17f", "name": "InQuest - 10-03-2023", "description": "", "modified": "2023-04-10T00:04:51.028000", "created": "2023-03-11T00:36:41.123000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 181, "domain": 904, "URL": 1409, "hostname": 244, "FileHash-SHA1": 14, "FileHash-MD5": 41 }, "indicator_count": 2793, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "1150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "640a773e2ec4f56370397ea3", "name": "URLHaus data - 09-03-2023", "description": "", "modified": "2023-04-09T00:03:14.392000", "created": "2023-03-10T00:18:06.563000", "tags": [ "32-bit", "elf", "mips", "Mozi", "mirai", "arm", "hajime", "32", "intel", "sparc", "PowerPC", "renesas", "motorola", "BB18", "dll", "geofenced", "Qakbot", "qbot", "Quakbot", "ua-ps", "USA", "dropped-by-PrivateLoader", "zip", "encrypted", "RedLine", "gafgyt", "250255", "5050", "Gozi", "ISFB", "ITA", "ursnif", "dropped-by-amadey", "LaplasClipper", "exe", "ascii", "powershell", "ps", "7712", "redir-302", "emotet", "epoch4", "heodo", "batloader", "msi", "Pinesville Ltd", "RecordBreaker", "RedLineStealer", "Amadey", "Vidar", "AgentTesla", "SnakeKeylogger", "2022", "Password-protected", "rar", "1234", "2023", "agenziaentrate", "MEF", "MISE", "QuasarRAT", "rat", "hta", "Formbook", "opendir", "Loki", "Stealc", "Encoded", "GuLoader", "shellscript", "Rhadamanthys", "CoinMiner", "njRAT", "SocGholish" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "domain": 39, "hostname": 14 }, "indicator_count": 1053, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "1151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "640a7749915cf578a0f31000", "name": "InQuest - 09-03-2023", "description": "", "modified": "2023-04-09T00:03:14.392000", "created": "2023-03-10T00:18:17.075000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 8, "domain": 1360, "URL": 1668, "hostname": 167, "FileHash-MD5": 31, "FileHash-SHA256": 102 }, "indicator_count": 3336, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "1151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://labs.inquest.net/iocdb", "https://urlhaus.abuse.ch/browse/", "https://www.trellix.com/en-us/about/newsroom/stories/research/icymi-emotet-reappeared-early-this-year-unfortunately.html", "https://twitter.com/Cryptolaemus1/status/1633099154623803394?s=20", "https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Emotet" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "6654198962e43dc463f692c2", "name": "DOH IP & URL IOC", "description": "The following is the full text of the report on the findings of this year's World Cup in Brazil, which was held at the same time as the 2016 Olympics in Rio de Janeiro, Brazil.", "modified": "2024-09-25T04:01:33.267000", "created": "2024-05-27T05:26:33.698000", "tags": [ "iocs https" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fueledbycoffeeDXB", "id": "272228", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 270, "CIDR": 1, "domain": 116, "hostname": 33, "FileHash-MD5": 1 }, "indicator_count": 421, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "616 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6513eca597c209f832387d68", "name": "\u4eca\u5e74\u5e74\u521d\uff0cEmotet\u94f6\u884c\u6728\u9a6c\u518d\u6b21\u51fa\u73b0", "description": "Emotet\uff08\u4e5f\u88ab\u79f0\u4e3aGeodo\u548cHeodo\uff09\u4e0d\u4ec5\u662f\u4e00\u79cd\u8457\u540d\u7684\u94f6\u884c\u6728\u9a6c\uff0c\u540c\u65f6\u4e5f\u53ef\u4ee5\u4f5c\u4e3a\u5176\u4ed6\u6076\u610f\u8f6f\u4ef6\u7684downloader\u6216dropper\u3002\u81ea2014\u5e74\u9996\u6b21\u51fa\u73b0\u4ee5\u6765\uff0c\u4e00\u76f4\u662f\u4e00\u79cd\u5177\u6709\u5371\u9669\u6027\u548c\u6301\u4e45\u6027\u7684\u6076\u610f\u8f6f\u4ef6\u3002\u5c3d\u7ba1\u57282021\u5e74\u521d\u6267\u6cd5\u673a\u6784\u8bd5\u56fe\u5c06\u5176\u5173\u95ed\uff0c\u4f46Emotet\u8868\u73b0\u51fa\u6781\u5f3a\u7684\u751f\u5b58\u529b\uff0c\u751a\u81f3\u5728\u6b27\u6d32\u5211\u8b66\u7ec4\u7ec7\u8fdb\u884c\u4e86\u91cd\u5927\u6253\u51fb\u884c\u52a8\u540e\u4ecd\u7136\u5b58\u6d3b\u3002\u4eca\u5e74\uff0c\u5b83\u4ee5epoch4\u548cepoch5\u7248\u672c\u56de\u5f52\uff0c\u5e76\u5229\u7528Microsoft Word\u548cMicrosoft OneNote\u4e2d\u7684\u5b8f\u548c\u5d4c\u5165\u5f0f\u811a\u672c\u8fdb\u884c\u611f\u67d3\u548c\u4f20\u64ad\u3002", "modified": "2023-10-27T08:05:43.362000", "created": "2023-09-27T08:49:41.129000", "tags": [ "Emotet", "downloader", "HotSpot" ], "references": [ "https://www.trellix.com/en-us/about/newsroom/stories/research/icymi-emotet-reappeared-early-this-year-unfortunately.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jintianxingqiji", "id": "243725", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243725/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "domain": 38, "hostname": 9 }, "indicator_count": 142, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "949 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64186efb728d1ea3633c3dc6", "name": "Emotet Sending Malicious Emails After Three-Month Hiatus", "description": "New Emotet malicious email activity suggest the Emotet Group has restarted activities after taking a few months long hiatus. The detected email activity shows it inserting itself into existing email chains with a malicious unprotected zip attachment, with a financial invoice theme to lure victims. Inside the zip file, there is an Office Word document with macros. Office requests the user to enable content, to which, if accepted, macros run in the background to download and execute the Emotet DLL. It is not known how long this round of email activity will take but from previous rounds, it can be expected to last a few weeks and then disappear for months. Trellix ENS detection: W97M/Downloader.dwu trojan For the current Emotet campaign, Trellix has added a policy rule for the zip attachments that can be enabled on the Email appliances.", "modified": "2023-04-19T14:04:39.791000", "created": "2023-03-20T14:34:35.037000", "tags": [ "https", "http", "javascript", "help center", "please", "service privacy", "policy cookie", "policy imprint", "ads info", "twitter", "emotet", "figure", "tuesday", "march", "office", "emotet botnet", "emotet email", "office document", "enable content", "november" ], "references": [ "https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/", "https://twitter.com/Cryptolaemus1/status/1633099154623803394?s=20" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1009", "name": "Binary Padding", "display_name": "T1009 - Binary Padding" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1117", "name": "Regsvr32", "display_name": "T1117 - Regsvr32" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BITSecurity", "id": "103352", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 40, "URL": 108, "hostname": 10, "FileHash-MD5": 325, "FileHash-SHA1": 277, "FileHash-SHA256": 279 }, "indicator_count": 1039, "is_author": false, "is_subscribing": null, "subscriber_count": 242, "modified_text": "1140 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "640e6c120984f885fb32fb26", "name": "InQuest - 12-03-2023", "description": "", "modified": "2023-04-13T13:17:56.967000", "created": "2023-03-13T00:19:30.399000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 177, "domain": 931, "URL": 1475, "hostname": 262, "FileHash-SHA1": 18, "FileHash-MD5": 6 }, "indicator_count": 2869, "is_author": false, "is_subscribing": null, "subscriber_count": 1625, "modified_text": "1146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "640d1e6b88d23a17b58e422d", "name": "InQuest - 11-03-2023", "description": "", "modified": "2023-04-13T13:11:36.876000", "created": "2023-03-12T00:35:55.122000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 175, "URL": 1516, "domain": 1049, "hostname": 232, "FileHash-SHA1": 13, "FileHash-MD5": 11 }, "indicator_count": 2996, "is_author": false, "is_subscribing": null, "subscriber_count": 1625, "modified_text": "1146 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "640bcd190eefa1035e8ba17f", "name": "InQuest - 10-03-2023", "description": "", "modified": "2023-04-10T00:04:51.028000", "created": "2023-03-11T00:36:41.123000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 181, "domain": 904, "URL": 1409, "hostname": 244, "FileHash-SHA1": 14, "FileHash-MD5": 41 }, "indicator_count": 2793, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "1150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "640a773e2ec4f56370397ea3", "name": "URLHaus data - 09-03-2023", "description": "", "modified": "2023-04-09T00:03:14.392000", "created": "2023-03-10T00:18:06.563000", "tags": [ "32-bit", "elf", "mips", "Mozi", "mirai", "arm", "hajime", "32", "intel", "sparc", "PowerPC", "renesas", "motorola", "BB18", "dll", "geofenced", "Qakbot", "qbot", "Quakbot", "ua-ps", "USA", "dropped-by-PrivateLoader", "zip", "encrypted", "RedLine", "gafgyt", "250255", "5050", "Gozi", "ISFB", "ITA", "ursnif", "dropped-by-amadey", "LaplasClipper", "exe", "ascii", "powershell", "ps", "7712", "redir-302", "emotet", "epoch4", "heodo", "batloader", "msi", "Pinesville Ltd", "RecordBreaker", "RedLineStealer", "Amadey", "Vidar", "AgentTesla", "SnakeKeylogger", "2022", "Password-protected", "rar", "1234", "2023", "agenziaentrate", "MEF", "MISE", "QuasarRAT", "rat", "hta", "Formbook", "opendir", "Loki", "Stealc", "Encoded", "GuLoader", "shellscript", "Rhadamanthys", "CoinMiner", "njRAT", "SocGholish" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "domain": 39, "hostname": 14 }, "indicator_count": 1053, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "1151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "640a7749915cf578a0f31000", "name": "InQuest - 09-03-2023", "description": "", "modified": "2023-04-09T00:03:14.392000", "created": "2023-03-10T00:18:17.075000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 8, "domain": 1360, "URL": 1668, "hostname": 167, "FileHash-MD5": 31, "FileHash-SHA256": 102 }, "indicator_count": 3336, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "1151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "aim-time.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "aim-time.com", "found": true, "verdict": "malicious", "url_count": 1, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "https://aim-time.com/bitrix/AN/", "status": "offline", "threat": "malware_download", "date_added": "2023-03-09", "tags": [ "dll", "emotet", "epoch4", "heodo", "zip" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780461377.0652404 }