{ "type": "Domain", "indicator": "cloudxml.com.br", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/cloudxml.com.br", "alexa": "http://www.alexa.com/siteinfo/cloudxml.com.br", "indicator": "cloudxml.com.br", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3491862499, "indicator": "cloudxml.com.br", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "636bcf00a10e2af3275eb9af", "name": "Emotet coming in hot", "description": "Emotet is back again with a new campaign displaying many characteristics of older runs, including the use of Auto Open macros inside XLS documents. Cisco Talos has observed an increased activity of spam distributing this new strain beginning in early November 2022, and the volume of spam and Emotet infrastructure has been increasing since then to target multiple geographies around the world.", "modified": "2022-12-09T13:00:49.050000", "created": "2022-11-09T16:02:08.058000", "tags": [ "emotet", "phishing", "maldoc", "xls documents", "office macros", "social engineering", "banking trojan" ], "references": [ "https://blog.talosintelligence.com/emotet-coming-in-hot/", "https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_contacted_URLs.txt", "https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_hashes.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": "636bb8de4eb9290f5cc657ae", "export_count": 470, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 59, "domain": 26, "hostname": 11, "FileHash-MD5": 19, "FileHash-SHA1": 19, "FileHash-SHA256": 2328 }, "indicator_count": 2462, "is_author": false, "is_subscribing": null, "subscriber_count": 386539, "modified_text": "1269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "636ce56b5861d61a50c11523", "name": "Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns", "description": "New technologies like the InterPlanetary File System (IPFS) are being used by cybercriminals to host malicious content, including malware and phishing kit, according to Cisco Talos Intelligence.", "modified": "2022-12-10T11:02:24.049000", "created": "2022-11-10T11:50:03.310000", "tags": [ "grabber", "securex", "top story", "threat spotlight", "threats", "ipfs", "ipfs network", "ipfs gateway", "python", "system", "appliance", "talos", "web3 technology", "web3", "pe32 executable", "discord", "swift", "powershell" ], "references": [ "https://blog.talosintelligence.com/ipfs-abuse/", "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_URLs.txt", "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_domains.txt", "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_ips.txt", "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_emails.txt", "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_hashes.txt", "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_parents.txt", "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/ipfs-abuse.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Grabber", "display_name": "Grabber", "target": null } ], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 28, "URL": 70, "domain": 66, "FileHash-SHA256": 2427, "FileHash-MD5": 302, "FileHash-SHA1": 302 }, "indicator_count": 3195, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1268 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "636bb8de4eb9290f5cc657ae", "name": "Emotet coming in hot", "description": "Emotet is back again with a new campaign displaying many characteristics of older runs, including the use of Auto_Open macros inside XLS documents. Cisco Talos has observed an increased activity of spam distributing this new strain beginning in early November 2022, and the volume of spam and Emotet infrastructure has been increasing since then to target multiple geographies around the world.", "modified": "2022-12-09T13:00:49.050000", "created": "2022-11-09T14:27:42.407000", "tags": [ "emotet", "phishing", "maldoc", "xls documents", "office macros", "social engineering", "banking trojan" ], "references": [ "https://blog.talosintelligence.com/emotet-coming-in-hot/", "https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_contacted_URLs.txt", "https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_hashes.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Sampson.thong", "id": "210149", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 67, "domain": 26, "hostname": 11, "FileHash-MD5": 19, "FileHash-SHA1": 19, "FileHash-SHA256": 2328 }, "indicator_count": 2470, "is_author": false, "is_subscribing": null, "subscriber_count": 46, "modified_text": "1269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://blog.talosintelligence.com/ipfs-abuse/", "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_ips.txt", "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/ipfs-abuse.txt", "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_hashes.txt", "https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_contacted_URLs.txt", "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_URLs.txt", "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_emails.txt", "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_domains.txt", "https://blog.talosintelligence.com/emotet-coming-in-hot/", "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_parents.txt", "https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_hashes.txt" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Emotet" ], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Emotet", "Grabber" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "636bcf00a10e2af3275eb9af", "name": "Emotet coming in hot", "description": "Emotet is back again with a new campaign displaying many characteristics of older runs, including the use of Auto Open macros inside XLS documents. Cisco Talos has observed an increased activity of spam distributing this new strain beginning in early November 2022, and the volume of spam and Emotet infrastructure has been increasing since then to target multiple geographies around the world.", "modified": "2022-12-09T13:00:49.050000", "created": "2022-11-09T16:02:08.058000", "tags": [ "emotet", "phishing", "maldoc", "xls documents", "office macros", "social engineering", "banking trojan" ], "references": [ "https://blog.talosintelligence.com/emotet-coming-in-hot/", "https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_contacted_URLs.txt", "https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_hashes.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": "636bb8de4eb9290f5cc657ae", "export_count": 470, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 59, "domain": 26, "hostname": 11, "FileHash-MD5": 19, "FileHash-SHA1": 19, "FileHash-SHA256": 2328 }, "indicator_count": 2462, "is_author": false, "is_subscribing": null, "subscriber_count": 386539, "modified_text": "1269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "636ce56b5861d61a50c11523", "name": "Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns", "description": "New technologies like the InterPlanetary File System (IPFS) are being used by cybercriminals to host malicious content, including malware and phishing kit, according to Cisco Talos Intelligence.", "modified": "2022-12-10T11:02:24.049000", "created": "2022-11-10T11:50:03.310000", "tags": [ "grabber", "securex", "top story", "threat spotlight", "threats", "ipfs", "ipfs network", "ipfs gateway", "python", "system", "appliance", "talos", "web3 technology", "web3", "pe32 executable", "discord", "swift", "powershell" ], "references": [ "https://blog.talosintelligence.com/ipfs-abuse/", "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_URLs.txt", "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_domains.txt", "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_ips.txt", "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_emails.txt", "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_hashes.txt", "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_parents.txt", "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/ipfs-abuse.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Grabber", "display_name": "Grabber", "target": null } ], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 28, "URL": 70, "domain": 66, "FileHash-SHA256": 2427, "FileHash-MD5": 302, "FileHash-SHA1": 302 }, "indicator_count": 3195, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1268 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "636bb8de4eb9290f5cc657ae", "name": "Emotet coming in hot", "description": "Emotet is back again with a new campaign displaying many characteristics of older runs, including the use of Auto_Open macros inside XLS documents. Cisco Talos has observed an increased activity of spam distributing this new strain beginning in early November 2022, and the volume of spam and Emotet infrastructure has been increasing since then to target multiple geographies around the world.", "modified": "2022-12-09T13:00:49.050000", "created": "2022-11-09T14:27:42.407000", "tags": [ "emotet", "phishing", "maldoc", "xls documents", "office macros", "social engineering", "banking trojan" ], "references": [ "https://blog.talosintelligence.com/emotet-coming-in-hot/", "https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_contacted_URLs.txt", "https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_hashes.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Emotet", "display_name": "Emotet", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Sampson.thong", "id": "210149", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 67, "domain": 26, "hostname": 11, "FileHash-MD5": 19, "FileHash-SHA1": 19, "FileHash-SHA256": 2328 }, "indicator_count": 2470, "is_author": false, "is_subscribing": null, "subscriber_count": 46, "modified_text": "1269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "cloudxml.com.br", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "cloudxml.com.br", "found": true, "verdict": "malicious", "url_count": 1, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "http://cloudxml.com.br/L45R4qJJFH/ESXAIhm/", "status": "offline", "threat": "malware_download", "date_added": "2022-11-06", "tags": [ "emotet", "epoch5", "exe", "heodo" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780236837.2811399 }