{ "type": "Domain", "indicator": "chobemaster.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/chobemaster.com", "alexa": "http://www.alexa.com/siteinfo/chobemaster.com", "indicator": "chobemaster.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3410041736, "indicator": "chobemaster.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "63a483ff0d86374bb33b12c1", "name": "The Taxman Never Sleeps", "description": "FortiGuard Labs discovered an e-mail that included a tax form seemingly from the United States Internal Revenue Service (IRS) in early November that had been sent by the recently resurgent Emotet group. Emotet (aka, Geodo and Heodo) began life as a banking Trojan but has since morphed into a jack-of-all-trades tool that can exploit several vulnerabilities to compromise its victims. Once it has infected a system, it then typically delivers additional payloads. And because it\u2019s modular, it is easily customizable by its users. This flexibility and resiliency are part of why Emotet has managed to survive at least one coordinated industry/law enforcement takedown in 2021.", "modified": "2023-01-21T15:04:45.965000", "created": "2022-12-22T16:21:19.737000", "tags": [ "emotet", "fortiguards labs", "email threats", "email phishing", "threat research", "fortinet", "command", "control", "ioc section", "fortiguard", "web filtering", "antivirus", "fortimail", "forticlient", "malware", "apt & targeted attacks", "cyber crime" ], "references": [ "https://www.fortinet.com/blog/threat-research/the-taxman-never-sleeps" ], "public": 1, "adversary": "Emotet", "targeted_countries": [ "United States of America", "Germany", "Canada", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Daveshell", "display_name": "Daveshell", "target": null }, { "id": "Maltshake", "display_name": "Maltshake", "target": null }, { "id": "Warpgate", "display_name": "Warpgate", "target": null }, { "id": "WhiteDagger", "display_name": "WhiteDagger", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government", "Foreign", "Companies" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "feisty-swim1410", "id": "217462", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3, "hostname": 1, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 3, "URL": 23 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 65, "modified_text": "1225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6372032fca2a16fe4ff0f171", "name": "Threat Intel Report - W47-2022.pdf", "description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2022-12-14T08:00:12.567000", "created": "2022-11-14T08:58:23.798000", "tags": [], "references": [ "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_ Real-time", "https://www.dnsbl.info/", "https://www.spamhaus.org/xbl/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 79, "hostname": 59, "FileHash-MD5": 16, "FileHash-SHA1": 38, "FileHash-SHA256": 26, "CVE": 3, "URL": 135 }, "indicator_count": 356, "is_author": false, "is_subscribing": null, "subscriber_count": 106, "modified_text": "1263 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62cbdddd1fc2e2956bfacda5", "name": "vvvvv", "description": "The internet is full of people, but not everyone wants to see it, so here's a look at some of the more eye-catching snippets from the past few days:..com.", "modified": "2022-08-10T00:00:07.214000", "created": "2022-07-11T08:22:53.511000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "leiwen15", "id": "157128", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3662, "URL": 250, "domain": 1592, "FileHash-MD5": 4, "email": 2 }, "indicator_count": 5510, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "1390 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62cbdde0447b9617f24a8901", "name": "vvvvv", "description": "The internet is full of people, but not everyone wants to see it, so here's a look at some of the more eye-catching snippets from the past few days:..com.", "modified": "2022-08-10T00:00:07.214000", "created": "2022-07-11T08:22:56.693000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "leiwen15", "id": "157128", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3662, "URL": 250, "domain": 1592, "FileHash-MD5": 4, "email": 2 }, "indicator_count": 5510, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "1390 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62cbddf0c4709eb7b4d0fb94", "name": "data of hhh", "description": "The internet is full of people, but not everyone wants to see it, so here's a look at some of the more eye-catching snippets from the past few days:..com.", "modified": "2022-08-10T00:00:07.214000", "created": "2022-07-11T08:23:12.624000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "leiwen15", "id": "157128", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3662, "URL": 250, "domain": 1592, "FileHash-MD5": 4, "email": 2 }, "indicator_count": 5510, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "1390 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "624298dada94224d29d4f8ee", "name": "TM Feed 29032022", "description": "Tech Mahindra Weekly Cyber Threat Intelligence Report", "modified": "2022-04-28T00:00:15.198000", "created": "2022-03-29T05:27:54.022000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "domain": 13, "URL": 145, "FileHash-MD5": 2, "FileHash-SHA1": 10, "FileHash-SHA256": 2, "hostname": 11 }, "indicator_count": 186, "is_author": false, "is_subscribing": null, "subscriber_count": 107, "modified_text": "1494 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_ Real-time", "https://www.fortinet.com/blog/threat-research/the-taxman-never-sleeps", "https://www.dnsbl.info/", "https://www.spamhaus.org/xbl/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Emotet" ], "malware_families": [ "Daveshell", "Maltshake", "Whitedagger", "Warpgate", "Emotet" ], "industries": [ "Companies", "Foreign", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "63a483ff0d86374bb33b12c1", "name": "The Taxman Never Sleeps", "description": "FortiGuard Labs discovered an e-mail that included a tax form seemingly from the United States Internal Revenue Service (IRS) in early November that had been sent by the recently resurgent Emotet group. Emotet (aka, Geodo and Heodo) began life as a banking Trojan but has since morphed into a jack-of-all-trades tool that can exploit several vulnerabilities to compromise its victims. Once it has infected a system, it then typically delivers additional payloads. And because it\u2019s modular, it is easily customizable by its users. This flexibility and resiliency are part of why Emotet has managed to survive at least one coordinated industry/law enforcement takedown in 2021.", "modified": "2023-01-21T15:04:45.965000", "created": "2022-12-22T16:21:19.737000", "tags": [ "emotet", "fortiguards labs", "email threats", "email phishing", "threat research", "fortinet", "command", "control", "ioc section", "fortiguard", "web filtering", "antivirus", "fortimail", "forticlient", "malware", "apt & targeted attacks", "cyber crime" ], "references": [ "https://www.fortinet.com/blog/threat-research/the-taxman-never-sleeps" ], "public": 1, "adversary": "Emotet", "targeted_countries": [ "United States of America", "Germany", "Canada", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Daveshell", "display_name": "Daveshell", "target": null }, { "id": "Maltshake", "display_name": "Maltshake", "target": null }, { "id": "Warpgate", "display_name": "Warpgate", "target": null }, { "id": "WhiteDagger", "display_name": "WhiteDagger", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Government", "Foreign", "Companies" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "feisty-swim1410", "id": "217462", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3, "hostname": 1, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 3, "URL": 23 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 65, "modified_text": "1225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6372032fca2a16fe4ff0f171", "name": "Threat Intel Report - W47-2022.pdf", "description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2022-12-14T08:00:12.567000", "created": "2022-11-14T08:58:23.798000", "tags": [], "references": [ "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_ Real-time", "https://www.dnsbl.info/", "https://www.spamhaus.org/xbl/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 79, "hostname": 59, "FileHash-MD5": 16, "FileHash-SHA1": 38, "FileHash-SHA256": 26, "CVE": 3, "URL": 135 }, "indicator_count": 356, "is_author": false, "is_subscribing": null, "subscriber_count": 106, "modified_text": "1263 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62cbdddd1fc2e2956bfacda5", "name": "vvvvv", "description": "The internet is full of people, but not everyone wants to see it, so here's a look at some of the more eye-catching snippets from the past few days:..com.", "modified": "2022-08-10T00:00:07.214000", "created": "2022-07-11T08:22:53.511000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "leiwen15", "id": "157128", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3662, "URL": 250, "domain": 1592, "FileHash-MD5": 4, "email": 2 }, "indicator_count": 5510, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "1390 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62cbdde0447b9617f24a8901", "name": "vvvvv", "description": "The internet is full of people, but not everyone wants to see it, so here's a look at some of the more eye-catching snippets from the past few days:..com.", "modified": "2022-08-10T00:00:07.214000", "created": "2022-07-11T08:22:56.693000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "leiwen15", "id": "157128", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3662, "URL": 250, "domain": 1592, "FileHash-MD5": 4, "email": 2 }, "indicator_count": 5510, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "1390 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62cbddf0c4709eb7b4d0fb94", "name": "data of hhh", "description": "The internet is full of people, but not everyone wants to see it, so here's a look at some of the more eye-catching snippets from the past few days:..com.", "modified": "2022-08-10T00:00:07.214000", "created": "2022-07-11T08:23:12.624000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "leiwen15", "id": "157128", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3662, "URL": 250, "domain": 1592, "FileHash-MD5": 4, "email": 2 }, "indicator_count": 5510, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "1390 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "624298dada94224d29d4f8ee", "name": "TM Feed 29032022", "description": "Tech Mahindra Weekly Cyber Threat Intelligence Report", "modified": "2022-04-28T00:00:15.198000", "created": "2022-03-29T05:27:54.022000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "domain": 13, "URL": 145, "FileHash-MD5": 2, "FileHash-SHA1": 10, "FileHash-SHA256": 2, "hostname": 11 }, "indicator_count": 186, "is_author": false, "is_subscribing": null, "subscriber_count": 107, "modified_text": "1494 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "chobemaster.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "chobemaster.com", "found": true, "verdict": "malicious", "url_count": 4, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "https://chobemaster.com/INFECTED/LEdXM4gdwN4mgnlC/", "status": "offline", "threat": "malware_download", "date_added": "2022-11-08", "tags": [ "dll", "emotet", "epoch4", "heodo" ] }, { "url": "https://chobemaster.com/components/HKSRjeYB/", "status": "offline", "threat": "malware_download", "date_added": "2022-06-10", "tags": [ "emotet", "epoch5", "exe", "heodo" ] }, { "url": "https://chobemaster.com/components/GxCs/", "status": "offline", "threat": "malware_download", "date_added": "2022-06-07", "tags": [ "emotet", "epoch5", "exe", "heodo" ] }, { "url": "https://chobemaster.com/components/gus/", "status": "offline", "threat": "malware_download", "date_added": "2022-03-27", "tags": [ "dll", "emotet", "epoch4", "heodo" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780211744.3873327 }