{ "type": "Domain", "indicator": "chrome-web.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/chrome-web.com", "alexa": "http://www.alexa.com/siteinfo/chrome-web.com", "indicator": "chrome-web.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3930179998, "indicator": "chrome-web.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "66aa153b000fe60e6fb7e7df", "name": "Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT", "description": "This analysis examines a recent malware campaign involving a dropper dubbed Gh0stGambit, which is employed to retrieve and execute encrypted payloads, specifically a variant of the notorious Gh0st Remote Access Trojan (RAT). The report details the multi-stage infection process, including the use of deceptive Chrome installer lures, the dropper's evasive techniques, and the capabilities of the delivered Gh0st RAT variant. The malware exhibits advanced functionality, such as rootkit components, keylogging, process termination, and data exfiltration. The investigation concludes that the campaign primarily targets Chinese-speaking users, based on the use of Chinese web lures and the malware's ability to gather information from Chinese applications.", "modified": "2024-08-30T10:03:16.174000", "created": "2024-07-31T10:43:07.182000", "tags": [ "rat", "mydoor", "moudoor", "encryption", "evasion", "malware", "gh0st rat", "dropper" ], "references": [ "https://www.esentire.com/blog/a-dropper-for-deploying-gh0st-rat" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "gh0st RAT - S0032", "display_name": "gh0st RAT - S0032", "target": null }, { "id": "Mydoor", "display_name": "Mydoor", "target": null }, { "id": "Moudoor", "display_name": "Moudoor", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1024", "name": "Custom Cryptographic Protocol", "display_name": "T1024 - Custom Cryptographic Protocol" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 250, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 9, "URL": 2, "domain": 2, "hostname": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 386936, "modified_text": "641 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67653e5cfde52f358df2c545", "name": "\u7591\u4f3c\u94f6\u72d0\u53d8\u79cd\u5229\u7528 Gh0st RAT \u6295\u6bd2", "description": "\u7591\u4f3c\u94f6\u72d0\u53d8\u79cd\u5229\u7528 Gh0st RAT \u6295\u6bd2", "modified": "2025-01-19T09:01:16.404000", "created": "2024-12-20T09:52:28.419000", "tags": [ "gh0st rat", "figure", "gh0stgambit", "threat response", "unit", "xored", "remove data", "response", "tru team", "ghostnet", "hunters", "cyber", "june", "path", "null", "mimikatz", "phishing", "HotSpot", "hotspot", "Hotspot", "\u94f6\u72d0" ], "references": [ "https://www.esentire.com/blog/a-dropper-for-deploying-gh0st-rat" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "hitip_forever", "id": "160134", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_160134/resized/80/avatar_7b3beafbcd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 5, "FileHash-SHA256": 5, "URL": 2, "domain": 3, "hostname": 1 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "499 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a9dc385e9a61bdfee6a4d2", "name": "eSentire | Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT", "description": "", "modified": "2024-08-30T06:02:30.068000", "created": "2024-07-31T06:39:52.361000", "tags": [ "gh0st rat", "figure", "gh0stgambit", "threat response", "unit", "xored", "remove data", "response", "tru team", "ghostnet", "hunters", "cyber", "june", "path", "null", "mimikatz", "phishing" ], "references": [ "https://www.esentire.com/blog/a-dropper-for-deploying-gh0st-rat" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Taiwan" ], "malware_families": [ { "id": "Gh0st RAT", "display_name": "Gh0st RAT", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null } ], "attack_ids": [ { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dominik.degroot", "id": "48191", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 9, "URL": 2, "domain": 3, "hostname": 1 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 27, "modified_text": "641 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a765979f4aef2a326ae999", "name": "eSentire | Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT", "description": "", "modified": "2024-08-28T09:00:31.693000", "created": "2024-07-29T09:49:11.398000", "tags": [ "path", "button", "span", "script", "link", "template", "iconbutton", "github", "form", "footer", "code", "meta", "reload", "enterprise", "close", "autoit", "darkvnc", "ducktail", "icedid", "pikabot", "asyncrat", "venomrat", "webdav", "solarmarker", "download", "body", "find", "write", "star", "copy", "open", "main", "contact", "gh0st rat", "figure", "gh0stgambit", "threat response", "unit", "xored", "remove data", "response", "tru team", "ghostnet", "hunters", "cyber", "june", "null", "mimikatz", "phishing" ], "references": [ "https://github.com/esThreatIntelligence/iocs/blob/main/Gh0stGambit_Gh0stRAT/Gh0stGambit_Gh0stRAT.txt", "https://www.esentire.com/blog/a-dropper-for-deploying-gh0st-rat" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bluenumberone", "id": "246058", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 1, "FileHash-SHA256": 12, "URL": 227, "domain": 21, "hostname": 4, "CVE": 1 }, "indicator_count": 276, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "643 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a74deb8ae7dc0919fab86a", "name": "eSentire | Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT", "description": "", "modified": "2024-08-28T08:01:34.815000", "created": "2024-07-29T08:08:11.029000", "tags": [ "gh0st rat", "figure", "gh0stgambit", "threat response", "unit", "xored", "remove data", "response", "tru team", "ghostnet", "hunters", "cyber", "june", "path", "null", "mimikatz", "phishing" ], "references": [ "https://www.esentire.com/blog/a-dropper-for-deploying-gh0st-rat" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 9, "URL": 4, "domain": 3, "hostname": 1 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "643 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.esentire.com/blog/a-dropper-for-deploying-gh0st-rat", "https://github.com/esThreatIntelligence/iocs/blob/main/Gh0stGambit_Gh0stRAT/Gh0stGambit_Gh0stRAT.txt" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Mydoor", "Gh0st rat - s0032", "Moudoor" ], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Gh0st rat", "Mimikatz" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "66aa153b000fe60e6fb7e7df", "name": "Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT", "description": "This analysis examines a recent malware campaign involving a dropper dubbed Gh0stGambit, which is employed to retrieve and execute encrypted payloads, specifically a variant of the notorious Gh0st Remote Access Trojan (RAT). The report details the multi-stage infection process, including the use of deceptive Chrome installer lures, the dropper's evasive techniques, and the capabilities of the delivered Gh0st RAT variant. The malware exhibits advanced functionality, such as rootkit components, keylogging, process termination, and data exfiltration. The investigation concludes that the campaign primarily targets Chinese-speaking users, based on the use of Chinese web lures and the malware's ability to gather information from Chinese applications.", "modified": "2024-08-30T10:03:16.174000", "created": "2024-07-31T10:43:07.182000", "tags": [ "rat", "mydoor", "moudoor", "encryption", "evasion", "malware", "gh0st rat", "dropper" ], "references": [ "https://www.esentire.com/blog/a-dropper-for-deploying-gh0st-rat" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "gh0st RAT - S0032", "display_name": "gh0st RAT - S0032", "target": null }, { "id": "Mydoor", "display_name": "Mydoor", "target": null }, { "id": "Moudoor", "display_name": "Moudoor", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1024", "name": "Custom Cryptographic Protocol", "display_name": "T1024 - Custom Cryptographic Protocol" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 250, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 9, "URL": 2, "domain": 2, "hostname": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 386936, "modified_text": "641 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67653e5cfde52f358df2c545", "name": "\u7591\u4f3c\u94f6\u72d0\u53d8\u79cd\u5229\u7528 Gh0st RAT \u6295\u6bd2", "description": "\u7591\u4f3c\u94f6\u72d0\u53d8\u79cd\u5229\u7528 Gh0st RAT \u6295\u6bd2", "modified": "2025-01-19T09:01:16.404000", "created": "2024-12-20T09:52:28.419000", "tags": [ "gh0st rat", "figure", "gh0stgambit", "threat response", "unit", "xored", "remove data", "response", "tru team", "ghostnet", "hunters", "cyber", "june", "path", "null", "mimikatz", "phishing", "HotSpot", "hotspot", "Hotspot", "\u94f6\u72d0" ], "references": [ "https://www.esentire.com/blog/a-dropper-for-deploying-gh0st-rat" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "hitip_forever", "id": "160134", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_160134/resized/80/avatar_7b3beafbcd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 5, "FileHash-SHA256": 5, "URL": 2, "domain": 3, "hostname": 1 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 35, "modified_text": "499 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a9dc385e9a61bdfee6a4d2", "name": "eSentire | Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT", "description": "", "modified": "2024-08-30T06:02:30.068000", "created": "2024-07-31T06:39:52.361000", "tags": [ "gh0st rat", "figure", "gh0stgambit", "threat response", "unit", "xored", "remove data", "response", "tru team", "ghostnet", "hunters", "cyber", "june", "path", "null", "mimikatz", "phishing" ], "references": [ "https://www.esentire.com/blog/a-dropper-for-deploying-gh0st-rat" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Taiwan" ], "malware_families": [ { "id": "Gh0st RAT", "display_name": "Gh0st RAT", "target": null }, { "id": "Mimikatz", "display_name": "Mimikatz", "target": null } ], "attack_ids": [ { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dominik.degroot", "id": "48191", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 9, "URL": 2, "domain": 3, "hostname": 1 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 27, "modified_text": "641 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a765979f4aef2a326ae999", "name": "eSentire | Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT", "description": "", "modified": "2024-08-28T09:00:31.693000", "created": "2024-07-29T09:49:11.398000", "tags": [ "path", "button", "span", "script", "link", "template", "iconbutton", "github", "form", "footer", "code", "meta", "reload", "enterprise", "close", "autoit", "darkvnc", "ducktail", "icedid", "pikabot", "asyncrat", "venomrat", "webdav", "solarmarker", "download", "body", "find", "write", "star", "copy", "open", "main", "contact", "gh0st rat", "figure", "gh0stgambit", "threat response", "unit", "xored", "remove data", "response", "tru team", "ghostnet", "hunters", "cyber", "june", "null", "mimikatz", "phishing" ], "references": [ "https://github.com/esThreatIntelligence/iocs/blob/main/Gh0stGambit_Gh0stRAT/Gh0stGambit_Gh0stRAT.txt", "https://www.esentire.com/blog/a-dropper-for-deploying-gh0st-rat" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bluenumberone", "id": "246058", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 1, "FileHash-SHA256": 12, "URL": 227, "domain": 21, "hostname": 4, "CVE": 1 }, "indicator_count": 276, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "643 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a74deb8ae7dc0919fab86a", "name": "eSentire | Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT", "description": "", "modified": "2024-08-28T08:01:34.815000", "created": "2024-07-29T08:08:11.029000", "tags": [ "gh0st rat", "figure", "gh0stgambit", "threat response", "unit", "xored", "remove data", "response", "tru team", "ghostnet", "hunters", "cyber", "june", "path", "null", "mimikatz", "phishing" ], "references": [ "https://www.esentire.com/blog/a-dropper-for-deploying-gh0st-rat" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 9, "URL": 4, "domain": 3, "hostname": 1 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "643 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "chrome-web.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "chrome-web.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780423503.2626572 }