{ "type": "Domain", "indicator": "decryptor.top", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/decryptor.top", "alexa": "http://www.alexa.com/siteinfo/decryptor.top", "indicator": "decryptor.top", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 1835572666, "indicator": "decryptor.top", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "5cc8a71ca4bf12a77a84f902", "name": "Sodinokibi ransomware exploits WebLogic Server vulnerability", "description": "Attackers are actively exploiting a recently disclosed vulnerability in Oracle WebLogic to install a new variant of ransomware called Sodinokibi. Sodinokibi attempts to encrypt data in a users directory and delete shadow copy backups to make data recovery more difficult. Oracle first patched the issue on April 26, outside of their normal patch cycle, and assigned it CVE-2019-2725. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10. Attackers have been making use of this exploit in the wild since at least April 17. Ciscos Incident Response (IR) team, along with Cisco Talos, are actively investigating these attacks and Sodinokibi.", "modified": "2019-05-01T16:01:22.655000", "created": "2019-04-30T19:50:52.292000", "tags": [ "Sodinokibi", "Ransomware", "WebLogic", "Oracle", "CVE-2019-2725", "Gandcrab" ], "references": [ "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 87, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 14, "CVE": 1, "URL": 4, "domain": 1, "FileHash-MD5": 1 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 386527, "modified_text": "2586 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709c1a3462dae3a7d8714b", "name": "IOC202306052234", "description": "", "modified": "2023-12-06T16:06:50.890000", "created": "2023-12-06T16:06:50.890000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1096, "FileHash-MD5": 307, "FileHash-SHA1": 268, "domain": 265, "CVE": 6, "hostname": 246, "URL": 29 }, "indicator_count": 2217, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "647e46cde36f3b047c03f8db", "name": "IOC202306052234", "description": "", "modified": "2023-07-05T20:01:39.023000", "created": "2023-06-05T20:34:21.028000", "tags": [ "june", "seen", "track them", "all at", "chatgpt", "april", "march", "recent blog", "february", "lockbit", "smoke loader", "qbot", "predator", "emotet", "danabot", "gandcrab", "orcus rat", "icedid", "sodinokibi", "agent tesla", "ave maria", "gootkit", "cobalt strike", "dharma", "hawkeye", "trojan", "zloader", "formbook", "crimson rat", "trickbot", "nemty", "netwalker", "pony", "glupteba", "azorult", "dridex", "hancitor", "raccoon", "maze", "vidar", "ryuk ransomware", "guloader", "amadey", "adwind", "quasar rat", "troldesh", "rats", "remcos", "revenge", "ursnif", "cryptbot", "flawedammyy", "phobos", "august", "snake", "ryuk", "quasar", "netwire", "darkside", "redline", "asyncrat", "ransomware", "darkcomet", "wannacry", "nanocore", "lokibot", "orcus", "thief", "malware", "systembc", "powershell", "adwind rat", "squirrelwaffle", "redline stealer", "bitcoin", "open", "copy", "ukraine", "nanocore rat", "houdini", "revenge rat", "dyre", "first", "eternalblue", "fallout", "smokeloader", "dofoil", "macos", "predator pain", "revil", "wcry ransomware", "bladabindi", "teamviewer", "agenttesla", "belarus", "cobaltstrike", "hermes", "execution", "crimson", "crysis", "shadow", "njrat", "next", "loader", "malspam", "ransom", "mimikatz", "cloudeye", "hworm", "friendly", "napoleon", "qakbot", "click", "ammyy admin", "flawedammy", "andromut", "vawtrak", "windigo", "mailto", "kill", "desktop", "discord", "loki bot", "mars", "apart", "smokeldr", "racealer", "hunter", "psexec", "mega", "cve201711882", "maldoc", "dunihi", "jenxcus", "xtremerat", "poisonivy", "fareit", "siplog", "gozi", "egregor", "browserpassview", "mailpassview", "aggah", "virustotal", "pinkslipbot", "path", "chacha", "spelevo", "killswitch", "sockrat", "mexico", "alienspy", "chthonic", "aurora", "winrar", "bokbot", "ammyy", "servhelper", "neutrino", "angler", "chanitor", "teamspy", "axpergle", "nuclear", "cridex", "service", "scarimson", "sticky", "terdot", "zbot", "panda banker", "screen", "polish" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1220", "name": "XSL Script Processing", "display_name": "T1220 - XSL Script Processing" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlessandroFiori", "id": "91912", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_91912/resized/80/avatar_2b1b2b88b6.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "FileHash-MD5": 307, "FileHash-SHA1": 268, "FileHash-SHA256": 1096, "CVE": 6, "domain": 265, "hostname": 246 }, "indicator_count": 2217, "is_author": false, "is_subscribing": null, "subscriber_count": 424, "modified_text": "1060 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "5cc8a71ca4bf12a77a84f902", "name": "Sodinokibi ransomware exploits WebLogic Server vulnerability", "description": "Attackers are actively exploiting a recently disclosed vulnerability in Oracle WebLogic to install a new variant of ransomware called Sodinokibi. Sodinokibi attempts to encrypt data in a users directory and delete shadow copy backups to make data recovery more difficult. Oracle first patched the issue on April 26, outside of their normal patch cycle, and assigned it CVE-2019-2725. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10. Attackers have been making use of this exploit in the wild since at least April 17. Ciscos Incident Response (IR) team, along with Cisco Talos, are actively investigating these attacks and Sodinokibi.", "modified": "2019-05-01T16:01:22.655000", "created": "2019-04-30T19:50:52.292000", "tags": [ "Sodinokibi", "Ransomware", "WebLogic", "Oracle", "CVE-2019-2725", "Gandcrab" ], "references": [ "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 87, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 14, "CVE": 1, "URL": 4, "domain": 1, "FileHash-MD5": 1 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 386527, "modified_text": "2586 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709c1a3462dae3a7d8714b", "name": "IOC202306052234", "description": "", "modified": "2023-12-06T16:06:50.890000", "created": "2023-12-06T16:06:50.890000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1096, "FileHash-MD5": 307, "FileHash-SHA1": 268, "domain": 265, "CVE": 6, "hostname": 246, "URL": 29 }, "indicator_count": 2217, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "647e46cde36f3b047c03f8db", "name": "IOC202306052234", "description": "", "modified": "2023-07-05T20:01:39.023000", "created": "2023-06-05T20:34:21.028000", "tags": [ "june", "seen", "track them", "all at", "chatgpt", "april", "march", "recent blog", "february", "lockbit", "smoke loader", "qbot", "predator", "emotet", "danabot", "gandcrab", "orcus rat", "icedid", "sodinokibi", "agent tesla", "ave maria", "gootkit", "cobalt strike", "dharma", "hawkeye", "trojan", "zloader", "formbook", "crimson rat", "trickbot", "nemty", "netwalker", "pony", "glupteba", "azorult", "dridex", "hancitor", "raccoon", "maze", "vidar", "ryuk ransomware", "guloader", "amadey", "adwind", "quasar rat", "troldesh", "rats", "remcos", "revenge", "ursnif", "cryptbot", "flawedammyy", "phobos", "august", "snake", "ryuk", "quasar", "netwire", "darkside", "redline", "asyncrat", "ransomware", "darkcomet", "wannacry", "nanocore", "lokibot", "orcus", "thief", "malware", "systembc", "powershell", "adwind rat", "squirrelwaffle", "redline stealer", "bitcoin", "open", "copy", "ukraine", "nanocore rat", "houdini", "revenge rat", "dyre", "first", "eternalblue", "fallout", "smokeloader", "dofoil", "macos", "predator pain", "revil", "wcry ransomware", "bladabindi", "teamviewer", "agenttesla", "belarus", "cobaltstrike", "hermes", "execution", "crimson", "crysis", "shadow", "njrat", "next", "loader", "malspam", "ransom", "mimikatz", "cloudeye", "hworm", "friendly", "napoleon", "qakbot", "click", "ammyy admin", "flawedammy", "andromut", "vawtrak", "windigo", "mailto", "kill", "desktop", "discord", "loki bot", "mars", "apart", "smokeldr", "racealer", "hunter", "psexec", "mega", "cve201711882", "maldoc", "dunihi", "jenxcus", "xtremerat", "poisonivy", "fareit", "siplog", "gozi", "egregor", "browserpassview", "mailpassview", "aggah", "virustotal", "pinkslipbot", "path", "chacha", "spelevo", "killswitch", "sockrat", "mexico", "alienspy", "chthonic", "aurora", "winrar", "bokbot", "ammyy", "servhelper", "neutrino", "angler", "chanitor", "teamspy", "axpergle", "nuclear", "cridex", "service", "scarimson", "sticky", "terdot", "zbot", "panda banker", "screen", "polish" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1220", "name": "XSL Script Processing", "display_name": "T1220 - XSL Script Processing" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlessandroFiori", "id": "91912", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_91912/resized/80/avatar_2b1b2b88b6.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 29, "FileHash-MD5": 307, "FileHash-SHA1": 268, "FileHash-SHA256": 1096, "CVE": 6, "domain": 265, "hostname": 246 }, "indicator_count": 2217, "is_author": false, "is_subscribing": null, "subscriber_count": 424, "modified_text": "1060 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "decryptor.top", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "decryptor.top", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780197323.4276946 }