{ "type": "Domain", "indicator": "data-file-data-18.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/data-file-data-18.com", "alexa": "http://www.alexa.com/siteinfo/data-file-data-18.com", "indicator": "data-file-data-18.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3311084104, "indicator": "data-file-data-18.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 25, "pulses": [ { "id": "6274f6ff986f055b6848f825", "name": "NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service", "description": "Trend Micro recently encountered a fairly sophisticated malware framework that we named NetDooka after the names of some of its components. The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (RAT) that implements its own network communication protocol. During our analysis, Trend Micro discovered that NetDooka was being spread via the PrivateLoader malware which, once installed, starts the whole infection chain.", "modified": "2022-06-05T00:03:45.266000", "created": "2022-05-06T10:22:55.089000", "tags": [ "privateloader", "netdooka" ], "references": [ "https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null }, { "id": "PPI", "display_name": "PPI", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null } ], "attack_ids": [ { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 255, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 2, "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 38 }, "indicator_count": 60, "is_author": false, "is_subscribing": null, "subscriber_count": 386918, "modified_text": "1458 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68b6379553e9978bfcf11f19", "name": "InQuest - 01-09-2025", "description": "", "modified": "2025-10-02T00:00:16.307000", "created": "2025-09-02T00:17:25.854000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 60, "URL": 240, "FileHash-SHA256": 442, "domain": 56, "FileHash-MD5": 4, "FileHash-SHA1": 2 }, "indicator_count": 804, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68b25306325c3fb239ca86b3", "name": "InQuest - 29-08-2025", "description": "", "modified": "2025-09-29T01:04:43.453000", "created": "2025-08-30T01:25:26.597000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 25, "URL": 94, "FileHash-SHA1": 11, "FileHash-SHA256": 262, "domain": 31 }, "indicator_count": 423, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "687739a6d0dd92f3a9ae3a9d", "name": "InQuest - 15-07-2025", "description": "", "modified": "2025-08-15T05:01:22.570000", "created": "2025-07-16T05:33:26.837000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 35, "URL": 236, "domain": 72, "FileHash-SHA1": 20, "FileHash-SHA256": 245, "FileHash-MD5": 4 }, "indicator_count": 612, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "291 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68549fb1f50b3ff0a6a57aad", "name": "InQuest - 19-06-2025", "description": "", "modified": "2025-07-19T23:05:44.525000", "created": "2025-06-19T23:39:29.412000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 50, "URL": 218, "FileHash-SHA256": 437, "domain": 31, "FileHash-SHA1": 11, "FileHash-MD5": 10 }, "indicator_count": 757, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "317 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6851fc2bbb7719d78332fd97", "name": "InQuest - 17-06-2025", "description": "", "modified": "2025-07-17T23:01:16", "created": "2025-06-17T23:37:15.678000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 63, "URL": 212, "domain": 55, "FileHash-SHA256": 307, "FileHash-MD5": 8, "FileHash-SHA1": 14 }, "indicator_count": 659, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "319 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68155cbc27e0d955e80be706", "name": "InQuest - 02-05-2025", "description": "", "modified": "2025-06-02T00:02:21.575000", "created": "2025-05-03T00:01:00.649000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 55, "URL": 260, "FileHash-SHA256": 324, "domain": 46, "FileHash-MD5": 2, "FileHash-SHA1": 12 }, "indicator_count": 699, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "365 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680583e4949d837b1ac2108d", "name": "InQuest - 20-04-2025", "description": "", "modified": "2025-05-20T23:03:20.084000", "created": "2025-04-20T23:31:48.943000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 388, "FileHash-SHA1": 19, "FileHash-SHA256": 539, "hostname": 73, "FileHash-MD5": 59, "domain": 94 }, "indicator_count": 1172, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "377 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6804338b912660361861d33d", "name": "InQuest - 19-04-2025", "description": "", "modified": "2025-05-19T23:00:01.837000", "created": "2025-04-19T23:36:43.305000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 407, "FileHash-SHA1": 18, "FileHash-SHA256": 520, "FileHash-MD5": 21, "domain": 105, "hostname": 69 }, "indicator_count": 1140, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "378 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6802e4f858f021d995613c7d", "name": "InQuest - 18-04-2025", "description": "", "modified": "2025-05-18T23:01:09.323000", "created": "2025-04-18T23:49:12.546000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 436, "FileHash-MD5": 22, "URL": 346, "FileHash-SHA1": 19, "hostname": 57, "domain": 108 }, "indicator_count": 988, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "379 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "676606b553a8a1195438ea52", "name": "InQuest - 20-12-2024", "description": "", "modified": "2025-01-20T00:01:24.271000", "created": "2024-12-21T00:07:17.278000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 415, "FileHash-SHA256": 701, "FileHash-SHA1": 30, "domain": 126, "FileHash-MD5": 27, "hostname": 96 }, "indicator_count": 1395, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "498 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65fe1df5960b2b713030f1ef", "name": "InQuest - 22-03-2024", "description": "", "modified": "2024-04-22T00:00:57.561000", "created": "2024-03-23T00:10:29.642000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "URL": 670, "FileHash-SHA256": 1011, "hostname": 132, "domain": 182, "FileHash-SHA1": 19 }, "indicator_count": 2023, "is_author": false, "is_subscribing": null, "subscriber_count": 1627, "modified_text": "771 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65fccc7a3a18d3ba83fd0b18", "name": "InQuest - 21-03-2024", "description": "", "modified": "2024-04-21T00:00:20.716000", "created": "2024-03-22T00:10:34.733000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 17, "FileHash-MD5": 80, "URL": 467, "hostname": 99, "domain": 79, "FileHash-SHA256": 445 }, "indicator_count": 1187, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "772 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f8d83b34c59648564330b4", "name": "InQuest - 18-03-2024", "description": "", "modified": "2024-04-18T00:00:00.444000", "created": "2024-03-19T00:11:39.370000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 16, "FileHash-MD5": 78, "URL": 476, "hostname": 105, "domain": 80, "FileHash-SHA256": 444 }, "indicator_count": 1199, "is_author": false, "is_subscribing": null, "subscriber_count": 1625, "modified_text": "775 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65ef9d82ec84f478f9d4d4dd", "name": "InQuest - 11-03-2024", "description": "", "modified": "2024-04-11T00:00:37.934000", "created": "2024-03-12T00:10:42.546000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 17, "FileHash-MD5": 77, "URL": 514, "hostname": 97, "domain": 118, "FileHash-SHA256": 432 }, "indicator_count": 1255, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "782 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65eba7b2dc1f080455cb7e26", "name": "InQuest - 08-03-2024", "description": "", "modified": "2024-04-08T00:01:33.958000", "created": "2024-03-09T00:05:06.345000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 17, "FileHash-MD5": 76, "URL": 500, "hostname": 103, "domain": 96, "FileHash-SHA256": 436 }, "indicator_count": 1228, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "785 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65ea5a0e004ee52e83065b1d", "name": "InQuest - 07-03-2024", "description": "", "modified": "2024-04-07T00:02:33.847000", "created": "2024-03-08T00:21:34.326000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 17, "FileHash-MD5": 76, "URL": 501, "hostname": 98, "domain": 87, "FileHash-SHA256": 436 }, "indicator_count": 1215, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "786 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e66523ef1445c7a5f85bea", "name": "InQuest - 04-03-2024", "description": "", "modified": "2024-04-04T00:00:30.517000", "created": "2024-03-05T00:19:47.841000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 576, "FileHash-SHA256": 866, "hostname": 116, "domain": 149, "FileHash-SHA1": 15, "FileHash-MD5": 7 }, "indicator_count": 1729, "is_author": false, "is_subscribing": null, "subscriber_count": 1626, "modified_text": "789 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e2719c1dc6aea056d0a025", "name": "InQuest - 01-03-2024", "description": "", "modified": "2024-04-01T00:00:42.552000", "created": "2024-03-02T00:23:56.467000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 16, "FileHash-MD5": 78, "URL": 489, "hostname": 102, "domain": 82, "FileHash-SHA256": 453 }, "indicator_count": 1220, "is_author": false, "is_subscribing": null, "subscriber_count": 1625, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65de7d2eed4cceb4d654bf89", "name": "InQuest - 27-02-2024", "description": "", "modified": "2024-03-29T00:00:48.199000", "created": "2024-02-28T00:24:14.056000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 16, "FileHash-MD5": 77, "URL": 477, "hostname": 100, "domain": 79, "FileHash-SHA256": 440 }, "indicator_count": 1189, "is_author": false, "is_subscribing": null, "subscriber_count": 1626, "modified_text": "795 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62ba4cb68e77a4a9c57a2fd3", "name": "NetDooka Malware Distributed Using PrivateLoader PPI Service", "description": "", "modified": "2022-07-28T00:02:14.384000", "created": "2022-06-28T00:35:02.553000", "tags": [], "references": [ "May 06th 2022 - CryptoGen Cyber Threat Intelligence - NetDooka Malware Distributed Using PrivateLoader PPI Service .pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 33, "FileHash-SHA1": 33, "FileHash-SHA256": 38, "URL": 5, "domain": 2 }, "indicator_count": 111, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "1405 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "627941de8556971d2cc795a7", "name": "NetDooka Malware: Propagation, Exploitation, and Indicators of Compromise", "description": "NetDooka is a malware framework that has been spreading using the PrivateLoader Pay-Per-Install (PPI) malware distribution service.\n\nHow it Spreads\nThe infection begins when a user downloads PrivateLoader, usually via pirated software downloads after an installation of the first NetDooka malware, a dropper component that is behind the decrypting and executing of the loader component. The loader then performs specific checks to ensure that it is not running in a virtual environment. After the checks, it downloads another malware from the remote server", "modified": "2022-06-08T00:03:25.734000", "created": "2022-05-09T16:31:26.351000", "tags": [ "dropper", "c server", "driver", "loader", "Malware", "NetDooka" ], "references": [ "https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html" ], "public": 1, "adversary": "Malware Advisory", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SVThreatIntel", "id": "148120", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2, "FileHash-MD5": 33, "FileHash-SHA1": 33, "FileHash-SHA256": 38 }, "indicator_count": 106, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "1455 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62792716717a9ca0fb969ddc", "name": "NetDooka Malware Framework Distributed via PPI Service Installs PrivateLoader Malware", "description": "Security researchers recently encountered a fairly sophisticated malware framework named NetDooka. NetDooka is being spread via the PrivateLoader malware which, once installed, starts the whole infection chain.\n\nKey features\nThe framework is distributed via a pay-per-install (PPI) service and contains a loader, a dropper, a protection driver, and a full-featured RAT that implements its own network communication protocol. The PrivateLoader malware downloads and installs multiple malware into the infected system as part of the PPI service. Some of the known malware families that are reportedly being distributed via PPI services include SmokeLoader, RedLine, and Anubis.", "modified": "2022-06-08T00:03:25.734000", "created": "2022-05-09T14:37:10.723000", "tags": [ "dropper", "iocs sha256", "privateloader", "driver", "loader", "domains", "c server", "Malware", "NetDooka" ], "references": [ "https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html" ], "public": 1, "adversary": "Malware Advisory", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SVThreatIntel", "id": "148120", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2, "FileHash-MD5": 33, "FileHash-SHA1": 33, "FileHash-SHA256": 38 }, "indicator_count": 106, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "1455 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6274ce540290f7eaf4a5a5ed", "name": "NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service", "description": "", "modified": "2022-06-05T00:03:45.266000", "created": "2022-05-06T07:29:24.962000", "tags": [ "trojanspy", "privateloader", "smokeloader", "ppi", "malware", "articles", "news", "reports", "research", "netdooka", "figure", "trend micro", "c server", "part", "support", "rat component", "rat payload", "find", "indonesia", "hybrid", "small", "alliance", "tools", "redline", "anubis", "contact" ], "references": [ "https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null }, { "id": "PPI", "display_name": "PPI", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null } ], "attack_ids": [ { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2, "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 38, "URL": 5, "hostname": 2 }, "indicator_count": 67, "is_author": false, "is_subscribing": null, "subscriber_count": 865, "modified_text": "1458 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6273f03865ae82b064c4b8a0", "name": "New NetDooka malware spreads via poisoned search results", "description": "A new malware framework known as NetDooka has been discovered being distributed through the PrivateLoader pay-per-install (PPI) malware distribution service, allowing threat actors full access to an infected device.\n\nThis previously undocumented malware framework features a loader, a dropper, a protection driver, and a powerful RAT component that relies on a custom network communication protocol.\n\nThe first samples of NetDooka were discovered by researchers at TrendMicro, who warn that while the tool is still in an early development phase, it is already very capable.", "modified": "2022-06-04T00:03:57.626000", "created": "2022-05-05T15:41:44.152000", "tags": [ "trojanspy", "privateloader", "smokeloader", "ppi", "malware", "articles", "news", "reports", "research", "netdooka", "figure", "trend micro", "c server", "part", "support", "rat component", "rat payload", "find", "indonesia", "hybrid", "small", "alliance", "tools", "redline", "anubis", "contact" ], "references": [ "https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html", "https://www.bleepingcomputer.com/news/security/new-netdooka-malware-spreads-via-poisoned-search-results/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null }, { "id": "PPI", "display_name": "PPI", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null } ], "attack_ids": [ { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 171, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2, "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 38, "URL": 5, "hostname": 2 }, "indicator_count": 67, "is_author": false, "is_subscribing": null, "subscriber_count": 436, "modified_text": "1459 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html", "https://labs.inquest.net/iocdb", "May 06th 2022 - CryptoGen Cyber Threat Intelligence - NetDooka Malware Distributed Using PrivateLoader PPI Service .pdf", "https://www.bleepingcomputer.com/news/security/new-netdooka-malware-spreads-via-poisoned-search-results/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Trojanspy", "Privateloader", "Smokeloader", "Ppi" ], "industries": [] }, "other": { "adversary": [ "Malware Advisory" ], "malware_families": [ "Trojanspy", "Privateloader", "Smokeloader", "Ppi" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 25, "pulses": [ { "id": "6274f6ff986f055b6848f825", "name": "NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service", "description": "Trend Micro recently encountered a fairly sophisticated malware framework that we named NetDooka after the names of some of its components. The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (RAT) that implements its own network communication protocol. During our analysis, Trend Micro discovered that NetDooka was being spread via the PrivateLoader malware which, once installed, starts the whole infection chain.", "modified": "2022-06-05T00:03:45.266000", "created": "2022-05-06T10:22:55.089000", "tags": [ "privateloader", "netdooka" ], "references": [ "https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null }, { "id": "PPI", "display_name": "PPI", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null } ], "attack_ids": [ { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 255, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 2, "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 38 }, "indicator_count": 60, "is_author": false, "is_subscribing": null, "subscriber_count": 386918, "modified_text": "1458 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68b6379553e9978bfcf11f19", "name": "InQuest - 01-09-2025", "description": "", "modified": "2025-10-02T00:00:16.307000", "created": "2025-09-02T00:17:25.854000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 60, "URL": 240, "FileHash-SHA256": 442, "domain": 56, "FileHash-MD5": 4, "FileHash-SHA1": 2 }, "indicator_count": 804, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68b25306325c3fb239ca86b3", "name": "InQuest - 29-08-2025", "description": "", "modified": "2025-09-29T01:04:43.453000", "created": "2025-08-30T01:25:26.597000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 25, "URL": 94, "FileHash-SHA1": 11, "FileHash-SHA256": 262, "domain": 31 }, "indicator_count": 423, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "687739a6d0dd92f3a9ae3a9d", "name": "InQuest - 15-07-2025", "description": "", "modified": "2025-08-15T05:01:22.570000", "created": "2025-07-16T05:33:26.837000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 35, "URL": 236, "domain": 72, "FileHash-SHA1": 20, "FileHash-SHA256": 245, "FileHash-MD5": 4 }, "indicator_count": 612, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "291 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68549fb1f50b3ff0a6a57aad", "name": "InQuest - 19-06-2025", "description": "", "modified": "2025-07-19T23:05:44.525000", "created": "2025-06-19T23:39:29.412000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 50, "URL": 218, "FileHash-SHA256": 437, "domain": 31, "FileHash-SHA1": 11, "FileHash-MD5": 10 }, "indicator_count": 757, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "317 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6851fc2bbb7719d78332fd97", "name": "InQuest - 17-06-2025", "description": "", "modified": "2025-07-17T23:01:16", "created": "2025-06-17T23:37:15.678000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 63, "URL": 212, "domain": 55, "FileHash-SHA256": 307, "FileHash-MD5": 8, "FileHash-SHA1": 14 }, "indicator_count": 659, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "319 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68155cbc27e0d955e80be706", "name": "InQuest - 02-05-2025", "description": "", "modified": "2025-06-02T00:02:21.575000", "created": "2025-05-03T00:01:00.649000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 55, "URL": 260, "FileHash-SHA256": 324, "domain": 46, "FileHash-MD5": 2, "FileHash-SHA1": 12 }, "indicator_count": 699, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "365 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "680583e4949d837b1ac2108d", "name": "InQuest - 20-04-2025", "description": "", "modified": "2025-05-20T23:03:20.084000", "created": "2025-04-20T23:31:48.943000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 388, "FileHash-SHA1": 19, "FileHash-SHA256": 539, "hostname": 73, "FileHash-MD5": 59, "domain": 94 }, "indicator_count": 1172, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "377 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6804338b912660361861d33d", "name": "InQuest - 19-04-2025", "description": "", "modified": "2025-05-19T23:00:01.837000", "created": "2025-04-19T23:36:43.305000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 407, "FileHash-SHA1": 18, "FileHash-SHA256": 520, "FileHash-MD5": 21, "domain": 105, "hostname": 69 }, "indicator_count": 1140, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "378 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6802e4f858f021d995613c7d", "name": "InQuest - 18-04-2025", "description": "", "modified": "2025-05-18T23:01:09.323000", "created": "2025-04-18T23:49:12.546000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 436, "FileHash-MD5": 22, "URL": 346, "FileHash-SHA1": 19, "hostname": 57, "domain": 108 }, "indicator_count": 988, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "379 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "data-file-data-18.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "data-file-data-18.com", "found": true, "verdict": "malicious", "url_count": 5, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "http://data-file-data-18.com/files/5423_1648404768_3323.exe", "status": "offline", "threat": "malware_download", "date_added": "2022-04-08", "tags": [ "exe" ] }, { "url": "http://data-file-data-18.com/files/4775_1647520667_6357.exe", "status": "offline", "threat": "malware_download", "date_added": "2022-04-08", "tags": [ "exe" ] }, { "url": "http://data-file-data-18.com/game.exe", "status": "offline", "threat": "malware_download", "date_added": "2022-04-08", "tags": [ "exe" ] }, { "url": "http://data-file-data-18.com/files/8022_1648579249_1702.exe", "status": "offline", "threat": "malware_download", "date_added": "2022-04-08", "tags": [ "exe" ] }, { "url": "http://data-file-data-18.com/files/8184_1648579362_8425.exe", "status": "offline", "threat": "malware_download", "date_added": "2022-04-08", "tags": [ "exe" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780415293.219565 }