{
  "type": "Domain",
  "indicator": "dclogictrust.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/dclogictrust.com",
    "alexa": "http://www.alexa.com/siteinfo/dclogictrust.com",
    "indicator": "dclogictrust.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2871369659,
      "indicator": "dclogictrust.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 1,
      "pulses": [
        {
          "id": "606c9900cc9dabf9542b6d8d",
          "name": "What is Astro Locker Team?",
          "description": "A recent incident with a new Sophos Managed Threat Response (MTR) customer has raised questions about the Mount Locker ransomware group and the relationship it has with Astro Locker Team. Everything from the tactics, techniques, and procedures (TTPs) used, to the files involved, and even the ransom note left behind \u2013 pointed to this being the work of the Mount Locker group; however, something odd happened when the investigators followed the link included in the ransom note. Upon following the TOR link, MTR investigators were presented with a chat directly with the \u201csupport\u201d team for the ransomware who introduced themselves as the \u201cAstroLocker Team\u201d and also the \u201cAstro Locker Team.\u201d",
          "modified": "2021-05-06T00:05:56.335000",
          "created": "2021-04-06T17:23:12.116000",
          "tags": [
            "Astro Locker",
            "Mount Locker",
            "Ransomware",
            "Cobalt Strike"
          ],
          "references": [
            "https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/",
            "https://github.com/sophoslabs/IoCs/blob/master/Ransomware-MountLocker.csv",
            "https://github.com/sophoslabs/IoCs/blob/master/Ransomware-AstroLocker.csv"
          ],
          "public": 1,
          "adversary": "Astro Locker Team",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Mount Locker",
              "display_name": "Mount Locker",
              "target": null
            },
            {
              "id": "Cobalt Strike - S0154",
              "display_name": "Cobalt Strike - S0154",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1218.011",
              "name": "Rundll32",
              "display_name": "T1218.011 - Rundll32"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1560.001",
              "name": "Archive via Utility",
              "display_name": "T1560.001 - Archive via Utility"
            },
            {
              "id": "T1569.002",
              "name": "Service Execution",
              "display_name": "T1569.002 - Service Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 272,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA256": 5,
            "FileHash-SHA1": 5,
            "domain": 7
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386976,
          "modified_text": "1853 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://github.com/sophoslabs/IoCs/blob/master/Ransomware-MountLocker.csv",
        "https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/",
        "https://github.com/sophoslabs/IoCs/blob/master/Ransomware-AstroLocker.csv"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Astro Locker Team"
          ],
          "malware_families": [
            "Mount locker",
            "Cobalt strike - s0154"
          ],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 1,
  "pulses": [
    {
      "id": "606c9900cc9dabf9542b6d8d",
      "name": "What is Astro Locker Team?",
      "description": "A recent incident with a new Sophos Managed Threat Response (MTR) customer has raised questions about the Mount Locker ransomware group and the relationship it has with Astro Locker Team. Everything from the tactics, techniques, and procedures (TTPs) used, to the files involved, and even the ransom note left behind \u2013 pointed to this being the work of the Mount Locker group; however, something odd happened when the investigators followed the link included in the ransom note. Upon following the TOR link, MTR investigators were presented with a chat directly with the \u201csupport\u201d team for the ransomware who introduced themselves as the \u201cAstroLocker Team\u201d and also the \u201cAstro Locker Team.\u201d",
      "modified": "2021-05-06T00:05:56.335000",
      "created": "2021-04-06T17:23:12.116000",
      "tags": [
        "Astro Locker",
        "Mount Locker",
        "Ransomware",
        "Cobalt Strike"
      ],
      "references": [
        "https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/",
        "https://github.com/sophoslabs/IoCs/blob/master/Ransomware-MountLocker.csv",
        "https://github.com/sophoslabs/IoCs/blob/master/Ransomware-AstroLocker.csv"
      ],
      "public": 1,
      "adversary": "Astro Locker Team",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Mount Locker",
          "display_name": "Mount Locker",
          "target": null
        },
        {
          "id": "Cobalt Strike - S0154",
          "display_name": "Cobalt Strike - S0154",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003.001",
          "name": "LSASS Memory",
          "display_name": "T1003.001 - LSASS Memory"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1218.011",
          "name": "Rundll32",
          "display_name": "T1218.011 - Rundll32"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1560.001",
          "name": "Archive via Utility",
          "display_name": "T1560.001 - Archive via Utility"
        },
        {
          "id": "T1569.002",
          "name": "Service Execution",
          "display_name": "T1569.002 - Service Execution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 272,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA256": 5,
        "FileHash-SHA1": 5,
        "domain": 7
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386976,
      "modified_text": "1853 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "dclogictrust.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "dclogictrust.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780440627.8020103
}