{
  "type": "Domain",
  "indicator": "customer-certificate.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/customer-certificate.com",
    "alexa": "http://www.alexa.com/siteinfo/customer-certificate.com",
    "indicator": "customer-certificate.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 1829778908,
      "indicator": "customer-certificate.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "5cefdae12f7645afa995961e",
          "name": "Continued activity by APT28",
          "description": "Upon execution, nbmssl.dll (MD5: d51d485f98810ab1278df4e41b692761) decrypts strings and URLs utilizing two observed encryption keys: one for string decryption and another for URL decryption. Strings are decrypted and then concatenated to build URLs which may be backup C2 nodes. Additionally, three URLs are decrypted to test for network connectivity. First, google.com is decrypted, followed by yahoo.com. A DNS request is then generated for google.com; if that fails, it attempts to reach yahoo.com. If an attempt succeeds, the file calls out to what appears to be a C2 node named maylaytravelgroup.com with multiple GET requests.",
          "modified": "2019-10-02T15:46:24.866000",
          "created": "2019-05-30T13:30:08.887000",
          "tags": [
            "apt28",
            "fancy bear"
          ],
          "references": [
            "https://www.virustotal.com/#/file/b40909ac0b70b7bd82465dfc7761a6b4e0df55b894dd42290e3f72cb4280fa44/community",
            "https://twitter.com/ClearskySec/status/1139160272755744774",
            "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/StrontiumIOCs.yaml"
          ],
          "public": 1,
          "adversary": "Sofacy",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 100,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 27,
            "FileHash-SHA256": 1,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1
          },
          "indicator_count": 30,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386547,
          "modified_text": "2432 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "5c9bb407e5a06b014da016e3",
          "name": "Microsoft uses court order to shut down APT35 websites",
          "description": "Microsoft has used a court order to wrest control of 99 websites from suspected Iranian hackers that were using them to conduct cyberattacks, court documents unsealed Wednesday show.\n\nThe tech giant last week took down websites that were \u201ccore to [the] operations\u201d of an Iranian hacking group known as APT35 or Phosphorus, Tom Burt, a Microsoft vice president, wrote in a blog post.\n\nAPT35, also known as Charming Kitten, used spoofed websites of well-known companies, including Microsoft and Yahoo, to conduct their malicious activity, he said. But the court order will force the group to recreate some of that infrastructure.",
          "modified": "2019-10-02T15:33:20.427000",
          "created": "2019-03-27T17:33:59.004000",
          "tags": [
            "iran",
            "APT25"
          ],
          "references": [
            "https://www.cyberscoop.com/microsoft-uses-court-order-shut-apt-linked-websites/"
          ],
          "public": 1,
          "adversary": "Charming Kitten",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 136,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 36,
            "FileHash-SHA256": 2,
            "URL": 124,
            "domain": 140,
            "FileHash-MD5": 2
          },
          "indicator_count": 304,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386555,
          "modified_text": "2432 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65539ae80b7b6e0d9c669216",
          "name": "Test Pulse",
          "description": "",
          "modified": "2023-12-16T16:02:10.435000",
          "created": "2023-11-14T16:06:00.013000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "gzerphPer",
            "id": "197016",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 3,
            "URL": 189,
            "FileHash-MD5": 442,
            "FileHash-SHA1": 395,
            "FileHash-SHA256": 659,
            "email": 1,
            "hostname": 298,
            "domain": 515,
            "FilePath": 12
          },
          "indicator_count": 2514,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1,
          "modified_text": "896 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.virustotal.com/#/file/b40909ac0b70b7bd82465dfc7761a6b4e0df55b894dd42290e3f72cb4280fa44/community",
        "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/StrontiumIOCs.yaml",
        "https://twitter.com/ClearskySec/status/1139160272755744774",
        "https://www.cyberscoop.com/microsoft-uses-court-order-shut-apt-linked-websites/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Sofacy",
            "Charming Kitten"
          ],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "5cefdae12f7645afa995961e",
      "name": "Continued activity by APT28",
      "description": "Upon execution, nbmssl.dll (MD5: d51d485f98810ab1278df4e41b692761) decrypts strings and URLs utilizing two observed encryption keys: one for string decryption and another for URL decryption. Strings are decrypted and then concatenated to build URLs which may be backup C2 nodes. Additionally, three URLs are decrypted to test for network connectivity. First, google.com is decrypted, followed by yahoo.com. A DNS request is then generated for google.com; if that fails, it attempts to reach yahoo.com. If an attempt succeeds, the file calls out to what appears to be a C2 node named maylaytravelgroup.com with multiple GET requests.",
      "modified": "2019-10-02T15:46:24.866000",
      "created": "2019-05-30T13:30:08.887000",
      "tags": [
        "apt28",
        "fancy bear"
      ],
      "references": [
        "https://www.virustotal.com/#/file/b40909ac0b70b7bd82465dfc7761a6b4e0df55b894dd42290e3f72cb4280fa44/community",
        "https://twitter.com/ClearskySec/status/1139160272755744774",
        "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/StrontiumIOCs.yaml"
      ],
      "public": 1,
      "adversary": "Sofacy",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 100,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 27,
        "FileHash-SHA256": 1,
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1
      },
      "indicator_count": 30,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386547,
      "modified_text": "2432 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "5c9bb407e5a06b014da016e3",
      "name": "Microsoft uses court order to shut down APT35 websites",
      "description": "Microsoft has used a court order to wrest control of 99 websites from suspected Iranian hackers that were using them to conduct cyberattacks, court documents unsealed Wednesday show.\n\nThe tech giant last week took down websites that were \u201ccore to [the] operations\u201d of an Iranian hacking group known as APT35 or Phosphorus, Tom Burt, a Microsoft vice president, wrote in a blog post.\n\nAPT35, also known as Charming Kitten, used spoofed websites of well-known companies, including Microsoft and Yahoo, to conduct their malicious activity, he said. But the court order will force the group to recreate some of that infrastructure.",
      "modified": "2019-10-02T15:33:20.427000",
      "created": "2019-03-27T17:33:59.004000",
      "tags": [
        "iran",
        "APT25"
      ],
      "references": [
        "https://www.cyberscoop.com/microsoft-uses-court-order-shut-apt-linked-websites/"
      ],
      "public": 1,
      "adversary": "Charming Kitten",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 136,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 36,
        "FileHash-SHA256": 2,
        "URL": 124,
        "domain": 140,
        "FileHash-MD5": 2
      },
      "indicator_count": 304,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386555,
      "modified_text": "2432 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65539ae80b7b6e0d9c669216",
      "name": "Test Pulse",
      "description": "",
      "modified": "2023-12-16T16:02:10.435000",
      "created": "2023-11-14T16:06:00.013000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "gzerphPer",
        "id": "197016",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 3,
        "URL": 189,
        "FileHash-MD5": 442,
        "FileHash-SHA1": 395,
        "FileHash-SHA256": 659,
        "email": 1,
        "hostname": 298,
        "domain": 515,
        "FilePath": 12
      },
      "indicator_count": 2514,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1,
      "modified_text": "896 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "customer-certificate.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "customer-certificate.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780206058.0252507
}