{ "type": "Domain", "indicator": "bascif.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/bascif.com", "alexa": "http://www.alexa.com/siteinfo/bascif.com", "indicator": "bascif.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2116086694, "indicator": "bascif.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "5d1e22a82ecd4fa614684a6e", "name": "TA505 using new malware Gelup and Flowerpipi", "description": "TA505 using new malware Gelup and Flowerpipi. Obtaining samples and infrastructure.", "modified": "2019-07-05T10:00:36.792000", "created": "2019-07-04T16:00:40.011000", "tags": [ "TA05", "Gelup", "Flowerpipi", "spam", "malware" ], "references": [ "https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf" ], "public": 1, "adversary": "TA505", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 67, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 6, "domain": 6, "FileHash-SHA256": 10 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 386627, "modified_text": "2522 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657098fb4c59f8ac3f86f612", "name": "202303251514", "description": "", "modified": "2023-12-06T15:53:31.627000", "created": "2023-12-06T15:53:31.627000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 976, "FileHash-MD5": 196, "FileHash-SHA1": 196, "domain": 174, "hostname": 171, "URL": 3 }, "indicator_count": 1716, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708e7ca78fb9ed8bda43d0", "name": "Part 2 of the small sub section post - This a sample of the infrastructure on the perimeter of each of those controlled websrv and devuces on home lans", "description": "", "modified": "2023-12-06T15:08:44.795000", "created": "2023-12-06T15:08:44.795000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 19, "hostname": 404, "FileHash-SHA256": 1484, "FileHash-SHA1": 1, "URL": 1141, "domain": 202, "FileHash-MD5": 1 }, "indicator_count": 3252, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "641f01b25f684f5bb91cea7f", "name": "202303251514", "description": "Hashes for the first time are being shared by users using the same IP address as the BBC News app and BBC Radio 4's Newsround website, which is available to listen to any of the above.", "modified": "2023-04-24T14:04:42.146000", "created": "2023-03-25T14:14:10.717000", "tags": [ "emotet", "wannacry", "systembc", "trickbot", "qbot", "cobalt strike", "agent tesla", "wannycry", "domains", "hashes", "wcry", "emotet malware", "fake net", "iocs ip", "microsoft", "cobaltstrike", "trojan", "flawedammyy", "first", "eternalblue", "desktop", "malware", "fallout" ], "references": [ "a.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "WannyCry", "display_name": "WannyCry", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "Trickbot", "display_name": "Trickbot", "target": null }, { "id": "SystemBC", "display_name": "SystemBC", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlessandroFiori", "id": "91912", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_91912/resized/80/avatar_2b1b2b88b6.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 196, "FileHash-SHA1": 196, "FileHash-SHA256": 976, "URL": 3, "domain": 174, "hostname": 171 }, "indicator_count": 1716, "is_author": false, "is_subscribing": null, "subscriber_count": 417, "modified_text": "1133 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6286f196943a5ae10bc4e72c", "name": "Part 2 of the small sub section post - This a sample of the infrastructure on the perimeter of each of those controlled websrv and devuces on home lans", "description": "", "modified": "2022-06-19T00:05:22.053000", "created": "2022-05-20T01:40:38.150000", "tags": [], "references": [ "layer 2" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 404, "FileHash-SHA256": 1484, "URL": 1141, "domain": 202, "CVE": 19, "FileHash-MD5": 1, "FileHash-SHA1": 1 }, "indicator_count": 3252, "is_author": false, "is_subscribing": null, "subscriber_count": 395, "modified_text": "1442 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "layer 2", "a.txt", "https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf" ], "related": { "alienvault": { "adversary": [ "TA505" ], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Agent tesla", "Wannycry", "Trickbot", "Qbot", "Systembc", "Wannacry", "Cobalt strike", "Emotet" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "5d1e22a82ecd4fa614684a6e", "name": "TA505 using new malware Gelup and Flowerpipi", "description": "TA505 using new malware Gelup and Flowerpipi. Obtaining samples and infrastructure.", "modified": "2019-07-05T10:00:36.792000", "created": "2019-07-04T16:00:40.011000", "tags": [ "TA05", "Gelup", "Flowerpipi", "spam", "malware" ], "references": [ "https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf" ], "public": 1, "adversary": "TA505", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 67, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 6, "domain": 6, "FileHash-SHA256": 10 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 386627, "modified_text": "2522 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657098fb4c59f8ac3f86f612", "name": "202303251514", "description": "", "modified": "2023-12-06T15:53:31.627000", "created": "2023-12-06T15:53:31.627000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 976, "FileHash-MD5": 196, "FileHash-SHA1": 196, "domain": 174, "hostname": 171, "URL": 3 }, "indicator_count": 1716, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708e7ca78fb9ed8bda43d0", "name": "Part 2 of the small sub section post - This a sample of the infrastructure on the perimeter of each of those controlled websrv and devuces on home lans", "description": "", "modified": "2023-12-06T15:08:44.795000", "created": "2023-12-06T15:08:44.795000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 19, "hostname": 404, "FileHash-SHA256": 1484, "FileHash-SHA1": 1, "URL": 1141, "domain": 202, "FileHash-MD5": 1 }, "indicator_count": 3252, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "641f01b25f684f5bb91cea7f", "name": "202303251514", "description": "Hashes for the first time are being shared by users using the same IP address as the BBC News app and BBC Radio 4's Newsround website, which is available to listen to any of the above.", "modified": "2023-04-24T14:04:42.146000", "created": "2023-03-25T14:14:10.717000", "tags": [ "emotet", "wannacry", "systembc", "trickbot", "qbot", "cobalt strike", "agent tesla", "wannycry", "domains", "hashes", "wcry", "emotet malware", "fake net", "iocs ip", "microsoft", "cobaltstrike", "trojan", "flawedammyy", "first", "eternalblue", "desktop", "malware", "fallout" ], "references": [ "a.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "WannyCry", "display_name": "WannyCry", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "Trickbot", "display_name": "Trickbot", "target": null }, { "id": "SystemBC", "display_name": "SystemBC", "target": null }, { "id": "WannaCry", "display_name": "WannaCry", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlessandroFiori", "id": "91912", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_91912/resized/80/avatar_2b1b2b88b6.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 196, "FileHash-SHA1": 196, "FileHash-SHA256": 976, "URL": 3, "domain": 174, "hostname": 171 }, "indicator_count": 1716, "is_author": false, "is_subscribing": null, "subscriber_count": 417, "modified_text": "1133 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6286f196943a5ae10bc4e72c", "name": "Part 2 of the small sub section post - This a sample of the infrastructure on the perimeter of each of those controlled websrv and devuces on home lans", "description": "", "modified": "2022-06-19T00:05:22.053000", "created": "2022-05-20T01:40:38.150000", "tags": [], "references": [ "layer 2" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 404, "FileHash-SHA256": 1484, "URL": 1141, "domain": 202, "CVE": 19, "FileHash-MD5": 1, "FileHash-SHA1": 1 }, "indicator_count": 3252, "is_author": false, "is_subscribing": null, "subscriber_count": 395, "modified_text": "1442 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "bascif.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "bascif.com", "found": true, "verdict": "malicious", "url_count": 1, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "http://bascif.com/tt2", "status": "offline", "threat": "malware_download", "date_added": "2019-06-17", "tags": [ "exe", "ServHelper" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780266330.7257376 }