{
  "type": "Domain",
  "indicator": "devilspen.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/devilspen.com",
    "alexa": "http://www.alexa.com/siteinfo/devilspen.com",
    "indicator": "devilspen.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3974095836,
      "indicator": "devilspen.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "687059a339b3b2a79765dbec",
          "name": "inverte",
          "description": "",
          "modified": "2026-02-01T17:53:50.806000",
          "created": "2025-07-11T00:24:03.079000",
          "tags": [],
          "references": [
            "https://github.com/Abjuri5t/SarlackLab/raw/refs/heads/main/IOCs.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 10129,
            "URL": 14767,
            "domain": 3421,
            "hostname": 7022,
            "CVE": 7
          },
          "indicator_count": 35346,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 179,
          "modified_text": "77 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "684cd7ad87254fdda87d3054",
          "name": "Devilspen.com (awsdns) | Strictor/ Installmonster | Emotet",
          "description": "\u2022 Python Initiated Connection by frack113\n\u2022 Creation of an Executable by an Executable by frack113\n\u2022 ET DNS Query to a *.top domain - Likely Hostile\n\u2022 ET INFO TLS Handshake Failure\n\u2022 INDICATOR-COMPROMISE Suspicious .top dns query\n* MALWARE TROJAN\n#emotet\n More\u2026",
          "modified": "2025-07-14T01:04:45.357000",
          "created": "2025-06-14T02:00:13.883000",
          "tags": [
            "united",
            "date",
            "flag",
            "server",
            "gandi sas",
            "name server",
            "proxy",
            "llc name",
            "overview dns",
            "requests domain",
            "logo analysis",
            "size45b type",
            "threat score",
            "av detection",
            "community score",
            "url scan",
            "analysis no",
            "domain scam",
            "score clean",
            "domain abuse",
            "error",
            "june",
            "malicious",
            "falcon sandbox",
            "march",
            "score",
            "size426kib type",
            "mime",
            "scan analysis",
            "upgrade",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "adversaries",
            "command",
            "initial access",
            "spawns",
            "mitre att",
            "sha1",
            "copy md5",
            "copy sha1",
            "copy sha256",
            "ascii text",
            "sha256",
            "show",
            "null",
            "body",
            "class",
            "refresh",
            "span",
            "window",
            "hybrid",
            "possible",
            "general",
            "local",
            "path",
            "click",
            "strings",
            "tools",
            "false",
            "look",
            "verify",
            "restart",
            "data",
            "v3 serial",
            "number",
            "cus olet",
            "encrypt cnr10",
            "validity",
            "subject public",
            "key info",
            "key algorithm",
            "rsa public",
            "dynadot",
            "dynadot llc",
            "dynadot inc",
            "thumbprint",
            "win32 exe",
            "pe32",
            "ms windows",
            "win16 ne",
            "icons library",
            "os2 executable",
            "generic windos",
            "executable",
            "pe64 compiler",
            "ltcgc",
            "file type",
            "google update",
            "setup",
            "kb file",
            "ico mainicon",
            "javascript",
            "redacted for",
            "privacy create",
            "domain",
            "registrant fax",
            "privacy update",
            "defense evasion",
            "access ta0006",
            "ta0008 command",
            "control ta0011",
            "ob0002 defense",
            "evasion ob0006",
            "file system",
            "oc0001 process",
            "oc0003 data",
            "system oc0008",
            "ja3s",
            "azure tls",
            "issuing ca",
            "cus subject",
            "stwa lredmond",
            "resolved ips",
            "ip traffic",
            "tls sni",
            "delphi generic",
            "intel",
            "dos borland",
            "pe32 compiler",
            "borland delphi",
            "linker",
            "delphi",
            "get http",
            "post http",
            "rstunf",
            "tad436770",
            "productname",
            "subid",
            "encodedpixel",
            "dns resolutions",
            "privacy",
            "internal name",
            "adobe help",
            "viewer file",
            "version"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 449,
            "hostname": 504,
            "FileHash-SHA256": 2208,
            "URL": 1109,
            "FileHash-MD5": 201,
            "FileHash-SHA1": 204,
            "SSLCertFingerprint": 9
          },
          "indicator_count": 4684,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "279 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "684cad9bc64e61ae0e6df4c1",
          "name": "Ransom  REevil | AWS.DEV | MaaS",
          "description": "Malicious campaigners paid to target specific groups and individuals. Large ongoing operation.",
          "modified": "2025-07-13T22:02:31.447000",
          "created": "2025-06-13T23:00:43.338000",
          "tags": [
            "filehashmd5",
            "filehashsha1",
            "showing",
            "copyright",
            "levelblue",
            "packer entropy",
            "pe features",
            "pe unknown",
            "resource name",
            "allocates rwx",
            "network icmp",
            "antivm network",
            "exe nolookup",
            "proxy wpad",
            "dead host",
            "tools",
            "generic",
            "deletes self",
            "ransom",
            "evader",
            "active",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "installs",
            "adversaries",
            "windows",
            "modules",
            "registry",
            "persistence",
            "execution",
            "service",
            "united",
            "path",
            "flag",
            "date",
            "access type",
            "germany germany",
            "create",
            "http header",
            "tcp traffic",
            "et info",
            "entropy",
            "hybrid",
            "malicious",
            "general",
            "click",
            "strings",
            "inject",
            "remote",
            "encrypt files",
            "python",
            "global",
            "win32 exe",
            "pe32",
            "intel",
            "ms windows",
            "win32 dynamic",
            "link library",
            "win16 ne",
            "icons library",
            "os2 executable",
            "pe32 compiler",
            "overlay",
            "data",
            "pe32 executable",
            "borland delphi",
            "delphi generic",
            "md5 code",
            "empty hash",
            "file type",
            "success",
            "regopenkeyexw",
            "regopenkeyexa",
            "hkeycurrentuser",
            "virtualallocex",
            "createfilew",
            "genericread",
            "hkeyclassesroot",
            "genericwrite",
            "regsetvalueexw",
            "desktop",
            "webview",
            "mirai",
            "russsian data",
            "reevil",
            "money doc",
            "gmt flag",
            "server",
            "united kingdom",
            "france france",
            "ukraine ukraine",
            "llc name",
            "viet nam",
            "show",
            "cve",
            "bad traffic",
            "false",
            "error",
            "tags",
            "ipv4",
            "url https",
            "url http",
            "search",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "entries",
            "monitor",
            "target",
            "members",
            "maas",
            "attack",
            "mitre att"
          ],
          "references": [
            "RANSOM_REvil - https://www.nextron-systems.com/notes-on-virustotal-matches/",
            "YARA:  Matches rule MAL_RANSOM_REvil_Oct20_1 from ruleset crime_ransom_revil by Florian Roth (Nextron Systems)",
            "YARA: Matches rule Windows_Ransomware_Sodinokibi_83f05fbe from ruleset Windows_Ransomware_Sodinokibi by Elastic Security",
            "YARA: Matches rule win_revil_auto from ruleset win.revil_auto by Felix Bilstein - yara-signator at cocacoding dot com",
            "https://otx.alienvault.com/malware/Ransom:Win32/Makop/",
            "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8",
            "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8",
            "Permissions requested: SE_DEBUG_PRIVILEGE SE_LOAD_DRIVER_PRIVILEGE",
            "Behaviour: Extract file to system directory"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Ransom:Win32/Makop.PA!MTB",
              "display_name": "Ransom:Win32/Makop.PA!MTB",
              "target": "/malware/Ransom:Win32/Makop.PA!MTB"
            },
            {
              "id": "Trojan/Win32.BlueCrab.R331768",
              "display_name": "Trojan/Win32.BlueCrab.R331768",
              "target": null
            },
            {
              "id": "Trojan.Ransom.Sodinokibi",
              "display_name": "Trojan.Ransom.Sodinokibi",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Virus.Neshta",
              "display_name": "Virus.Neshta",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "RANSOM_REvil",
              "display_name": "RANSOM_REvil",
              "target": null
            },
            {
              "id": "Labeled as: Ransom.Sodinokibi.Generic",
              "display_name": "Labeled as: Ransom.Sodinokibi.Generic",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1035",
              "name": "Service Execution",
              "display_name": "T1035 - Service Execution"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1179",
              "name": "Hooking",
              "display_name": "T1179 - Hooking"
            },
            {
              "id": "T1215",
              "name": "Kernel Modules and Extensions",
              "display_name": "T1215 - Kernel Modules and Extensions"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1181",
              "name": "Extra Window Memory Injection",
              "display_name": "T1181 - Extra Window Memory Injection"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0010",
              "name": "Exfiltration",
              "display_name": "TA0010 - Exfiltration"
            },
            {
              "id": "TA0008",
              "name": "Lateral Movement",
              "display_name": "TA0008 - Lateral Movement"
            },
            {
              "id": "TA0009",
              "name": "Collection",
              "display_name": "TA0009 - Collection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 28,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 99,
            "FileHash-SHA1": 85,
            "FileHash-SHA256": 110,
            "URL": 83,
            "CVE": 1,
            "domain": 102,
            "hostname": 36
          },
          "indicator_count": 516,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "279 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "684c8fcde05dacb07f1a202e",
          "name": "Payment - Ref Id- H3426584.doc (aws.dev) Emotet",
          "description": "",
          "modified": "2025-07-13T20:04:30.723000",
          "created": "2025-06-13T20:53:33.231000",
          "tags": [
            "learn more",
            "added active",
            "related pulses",
            "emotet",
            "malware",
            "get http",
            "dns resolutions",
            "resolved ips",
            "post http",
            "ua71173394",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "media sharing",
            "known infection source",
            "spyware",
            "real estate",
            "compromised websites",
            "malware sites",
            "huge domains",
            "parking crew",
            "business",
            "malware service",
            "mas",
            "aws",
            "dev",
            "false",
            "error",
            "url https",
            "url http",
            "indicator role",
            "title added",
            "active related",
            "pulses",
            "showing",
            "entries",
            "sha256",
            "ttl value",
            "first",
            "privacy admin",
            "domain status",
            "redacted for",
            "server",
            "admin city",
            "country",
            "organization",
            "postal code",
            "stateprovince",
            "date",
            "key identifier",
            "x509v3 subject",
            "data",
            "v3 serial",
            "number",
            "algorithm",
            "cus olet",
            "encrypt cnr11",
            "validity",
            "subject public",
            "dirtsearch",
            "dns"
          ],
          "references": [
            "Payment - Ref Id- H3426584.doc FileHash SHA256 ed2914efddb8e8f4c89abf95faa32572d35b3cfdfb202266993f6e7624a2048c",
            "The sandbox Zenbox flags this file as: EVADER",
            "The sandbox Dr.Web vxCube flags this file as: MALWARE EXPLOIT",
            "IDS: Matches rule SURICATA STREAM Packet with invalid ack",
            "IDS: Matches rule SURICATA STREAM SHUTDOWN RST invalid ack",
            "YARA: Office_Document_with_VBA_Project from ruleset Office_Document_with_VBA_Project by InQuest Labs",
            "YARA: Microsoft_Office_Documents_Excessive_Variables from ruleset Microsoft_Office_Documents_Excessive_Variables by InQuest Labs",
            "Dr. Web known infection source",
            "Emotet download site = dirt search.org / aws.dev and other related DGA\u2019s (active)",
            "Xcitium Verdict Cloud government & legal -  https://www.dirtsearch.org/data/TSARA/BRASHEARS/",
            "DirtSearch.org | BitDefender business | Forcepoint ThreatSeeker reference materials | Xcitium Verdict Cloud government & legal",
            "Verdict: Defense Law Firm | malicious tools / agitators"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Doc.Downloader.Emotet-7196349-0",
              "display_name": "Doc.Downloader.Emotet-7196349-0",
              "target": null
            },
            {
              "id": "vb:Trojan.Agent.EEZZ",
              "display_name": "vb:Trojan.Agent.EEZZ",
              "target": null
            },
            {
              "id": "trojan.w97m/emotetdldr",
              "display_name": "trojan.w97m/emotetdldr",
              "target": null
            },
            {
              "id": "Troj/DocDl-SOK",
              "display_name": "Troj/DocDl-SOK",
              "target": null
            },
            {
              "id": "Static AI - Malicious OLE",
              "display_name": "Static AI - Malicious OLE",
              "target": null
            },
            {
              "id": "Trojan.W97M.POWLOAD.SMRV08",
              "display_name": "Trojan.W97M.POWLOAD.SMRV08",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1588.001",
              "name": "Malware",
              "display_name": "T1588.001 - Malware"
            },
            {
              "id": "T1447",
              "name": "Delete Device Data",
              "display_name": "T1447 - Delete Device Data"
            },
            {
              "id": "T1578.003",
              "name": "Delete Cloud Instance",
              "display_name": "T1578.003 - Delete Cloud Instance"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1036.004",
              "name": "Masquerade Task or Service",
              "display_name": "T1036.004 - Masquerade Task or Service"
            },
            {
              "id": "T1114.001",
              "name": "Local Email Collection",
              "display_name": "T1114.001 - Local Email Collection"
            },
            {
              "id": "T1110.002",
              "name": "Password Cracking",
              "display_name": "T1110.002 - Password Cracking"
            },
            {
              "id": "T1512",
              "name": "Capture Camera",
              "display_name": "T1512 - Capture Camera"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1204.003",
              "name": "Malicious Image",
              "display_name": "T1204.003 - Malicious Image"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1523",
              "name": "Evade Analysis Environment",
              "display_name": "T1523 - Evade Analysis Environment"
            },
            {
              "id": "T1610",
              "name": "Deploy Container",
              "display_name": "T1610 - Deploy Container"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 37,
            "FileHash-SHA1": 44,
            "FileHash-SHA256": 117,
            "URL": 47,
            "domain": 41,
            "hostname": 43
          },
          "indicator_count": 329,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "279 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "684c792c7a89d98470ecef31",
          "name": "aws.dev - Emotet - Hub for  malicious activity",
          "description": "\u2022 Domain Name: aws.dev |\n\u2022 (DGA) https://www.google.com/search?client=ms-google-coop&q=%22deploy-delete-app-eu-west-1-0.deploy-delete-test-eu-west-1-oigwi9v.us-east-1.forgeapps.ec2.aws.dev%22&cx=003414466004237966221:dgg7iftvryo | \n\u2022 34.226.76.55 |\n\u2022\u2019domains.amazon | \n\u2022 devilspen.com |\n\u2022 aisux.aws.dev |\t\t\n\u2022 alex.aws.dev  |\t\n\u2022 askjarvis.aws.dev |\n\u2022 atrium.aws.dev |\n\u2022 automated-runbooks.aws.dev |\nFalse 404 codes and Error pages - very active malicious behavior",
          "modified": "2025-07-13T18:02:18.648000",
          "created": "2025-06-13T19:17:00.818000",
          "tags": [
            "united",
            "creation date",
            "search",
            "entries",
            "passive dns",
            "urls",
            "showing",
            "pulse pulses",
            "files",
            "domain",
            "dnssec",
            "expiration date",
            "unknown cname",
            "hostname add",
            "date",
            "redacted for",
            "email",
            "code",
            "organization",
            "privacy billing",
            "privacy tech",
            "postal code",
            "privacy admin",
            "com laude",
            "ltd dba",
            "nomiq",
            "limited dba",
            "admin city",
            "country",
            "stateprovince",
            "city",
            "mtb oct",
            "win32",
            "next associated",
            "mtb mar",
            "ipv4 add",
            "trojan",
            "apanas",
            "ransom",
            "body"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 32,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1111,
            "hostname": 1014,
            "URL": 2554,
            "FileHash-SHA256": 1461,
            "FileHash-MD5": 64,
            "email": 6,
            "FileHash-SHA1": 63
          },
          "indicator_count": 6273,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "280 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "YARA:  Matches rule MAL_RANSOM_REvil_Oct20_1 from ruleset crime_ransom_revil by Florian Roth (Nextron Systems)",
        "IDS: Matches rule SURICATA STREAM Packet with invalid ack",
        "YARA: Matches rule win_revil_auto from ruleset win.revil_auto by Felix Bilstein - yara-signator at cocacoding dot com",
        "The sandbox Dr.Web vxCube flags this file as: MALWARE EXPLOIT",
        "Permissions requested: SE_DEBUG_PRIVILEGE SE_LOAD_DRIVER_PRIVILEGE",
        "https://otx.alienvault.com/malware/Ransom:Win32/Makop/",
        "Behaviour: Extract file to system directory",
        "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8",
        "The sandbox Zenbox flags this file as: EVADER",
        "Dr. Web known infection source",
        "YARA: Matches rule Windows_Ransomware_Sodinokibi_83f05fbe from ruleset Windows_Ransomware_Sodinokibi by Elastic Security",
        "YARA: Office_Document_with_VBA_Project from ruleset Office_Document_with_VBA_Project by InQuest Labs",
        "DirtSearch.org | BitDefender business | Forcepoint ThreatSeeker reference materials | Xcitium Verdict Cloud government & legal",
        "Emotet download site = dirt search.org / aws.dev and other related DGA\u2019s (active)",
        "IDS: Matches rule SURICATA STREAM SHUTDOWN RST invalid ack",
        "Xcitium Verdict Cloud government & legal -  https://www.dirtsearch.org/data/TSARA/BRASHEARS/",
        "https://github.com/Abjuri5t/SarlackLab/raw/refs/heads/main/IOCs.csv",
        "Verdict: Defense Law Firm | malicious tools / agitators",
        "YARA: Microsoft_Office_Documents_Excessive_Variables from ruleset Microsoft_Office_Documents_Excessive_Variables by InQuest Labs",
        "RANSOM_REvil - https://www.nextron-systems.com/notes-on-virustotal-matches/",
        "Payment - Ref Id- H3426584.doc FileHash SHA256 ed2914efddb8e8f4c89abf95faa32572d35b3cfdfb202266993f6e7624a2048c"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Trojan.ransom.sodinokibi",
            "Doc.downloader.emotet-7196349-0",
            "Vb:trojan.agent.eezz",
            "Mirai",
            "Labeled as: ransom.sodinokibi.generic",
            "Emotet",
            "Virus.neshta",
            "Trojan.w97m/emotetdldr",
            "Troj/docdl-sok",
            "Trojan.w97m.powload.smrv08",
            "Ransom_revil",
            "Trojan/win32.bluecrab.r331768",
            "Ransom:win32/makop.pa!mtb",
            "Static ai - malicious ole"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "687059a339b3b2a79765dbec",
      "name": "inverte",
      "description": "",
      "modified": "2026-02-01T17:53:50.806000",
      "created": "2025-07-11T00:24:03.079000",
      "tags": [],
      "references": [
        "https://github.com/Abjuri5t/SarlackLab/raw/refs/heads/main/IOCs.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 10129,
        "URL": 14767,
        "domain": 3421,
        "hostname": 7022,
        "CVE": 7
      },
      "indicator_count": 35346,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 179,
      "modified_text": "77 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "684cd7ad87254fdda87d3054",
      "name": "Devilspen.com (awsdns) | Strictor/ Installmonster | Emotet",
      "description": "\u2022 Python Initiated Connection by frack113\n\u2022 Creation of an Executable by an Executable by frack113\n\u2022 ET DNS Query to a *.top domain - Likely Hostile\n\u2022 ET INFO TLS Handshake Failure\n\u2022 INDICATOR-COMPROMISE Suspicious .top dns query\n* MALWARE TROJAN\n#emotet\n More\u2026",
      "modified": "2025-07-14T01:04:45.357000",
      "created": "2025-06-14T02:00:13.883000",
      "tags": [
        "united",
        "date",
        "flag",
        "server",
        "gandi sas",
        "name server",
        "proxy",
        "llc name",
        "overview dns",
        "requests domain",
        "logo analysis",
        "size45b type",
        "threat score",
        "av detection",
        "community score",
        "url scan",
        "analysis no",
        "domain scam",
        "score clean",
        "domain abuse",
        "error",
        "june",
        "malicious",
        "falcon sandbox",
        "march",
        "score",
        "size426kib type",
        "mime",
        "scan analysis",
        "upgrade",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "adversaries",
        "command",
        "initial access",
        "spawns",
        "mitre att",
        "sha1",
        "copy md5",
        "copy sha1",
        "copy sha256",
        "ascii text",
        "sha256",
        "show",
        "null",
        "body",
        "class",
        "refresh",
        "span",
        "window",
        "hybrid",
        "possible",
        "general",
        "local",
        "path",
        "click",
        "strings",
        "tools",
        "false",
        "look",
        "verify",
        "restart",
        "data",
        "v3 serial",
        "number",
        "cus olet",
        "encrypt cnr10",
        "validity",
        "subject public",
        "key info",
        "key algorithm",
        "rsa public",
        "dynadot",
        "dynadot llc",
        "dynadot inc",
        "thumbprint",
        "win32 exe",
        "pe32",
        "ms windows",
        "win16 ne",
        "icons library",
        "os2 executable",
        "generic windos",
        "executable",
        "pe64 compiler",
        "ltcgc",
        "file type",
        "google update",
        "setup",
        "kb file",
        "ico mainicon",
        "javascript",
        "redacted for",
        "privacy create",
        "domain",
        "registrant fax",
        "privacy update",
        "defense evasion",
        "access ta0006",
        "ta0008 command",
        "control ta0011",
        "ob0002 defense",
        "evasion ob0006",
        "file system",
        "oc0001 process",
        "oc0003 data",
        "system oc0008",
        "ja3s",
        "azure tls",
        "issuing ca",
        "cus subject",
        "stwa lredmond",
        "resolved ips",
        "ip traffic",
        "tls sni",
        "delphi generic",
        "intel",
        "dos borland",
        "pe32 compiler",
        "borland delphi",
        "linker",
        "delphi",
        "get http",
        "post http",
        "rstunf",
        "tad436770",
        "productname",
        "subid",
        "encodedpixel",
        "dns resolutions",
        "privacy",
        "internal name",
        "adobe help",
        "viewer file",
        "version"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 449,
        "hostname": 504,
        "FileHash-SHA256": 2208,
        "URL": 1109,
        "FileHash-MD5": 201,
        "FileHash-SHA1": 204,
        "SSLCertFingerprint": 9
      },
      "indicator_count": 4684,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "279 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "684cad9bc64e61ae0e6df4c1",
      "name": "Ransom  REevil | AWS.DEV | MaaS",
      "description": "Malicious campaigners paid to  target specific groups and individuals. Large ongoing operation.",
      "modified": "2025-07-13T22:02:31.447000",
      "created": "2025-06-13T23:00:43.338000",
      "tags": [
        "filehashmd5",
        "filehashsha1",
        "showing",
        "copyright",
        "levelblue",
        "packer entropy",
        "pe features",
        "pe unknown",
        "resource name",
        "allocates rwx",
        "network icmp",
        "antivm network",
        "exe nolookup",
        "proxy wpad",
        "dead host",
        "tools",
        "generic",
        "deletes self",
        "ransom",
        "evader",
        "active",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "installs",
        "adversaries",
        "windows",
        "modules",
        "registry",
        "persistence",
        "execution",
        "service",
        "united",
        "path",
        "flag",
        "date",
        "access type",
        "germany germany",
        "create",
        "http header",
        "tcp traffic",
        "et info",
        "entropy",
        "hybrid",
        "malicious",
        "general",
        "click",
        "strings",
        "inject",
        "remote",
        "encrypt files",
        "python",
        "global",
        "win32 exe",
        "pe32",
        "intel",
        "ms windows",
        "win32 dynamic",
        "link library",
        "win16 ne",
        "icons library",
        "os2 executable",
        "pe32 compiler",
        "overlay",
        "data",
        "pe32 executable",
        "borland delphi",
        "delphi generic",
        "md5 code",
        "empty hash",
        "file type",
        "success",
        "regopenkeyexw",
        "regopenkeyexa",
        "hkeycurrentuser",
        "virtualallocex",
        "createfilew",
        "genericread",
        "hkeyclassesroot",
        "genericwrite",
        "regsetvalueexw",
        "desktop",
        "webview",
        "mirai",
        "russsian data",
        "reevil",
        "money doc",
        "gmt flag",
        "server",
        "united kingdom",
        "france france",
        "ukraine ukraine",
        "llc name",
        "viet nam",
        "show",
        "cve",
        "bad traffic",
        "false",
        "error",
        "tags",
        "ipv4",
        "url https",
        "url http",
        "search",
        "type indicator",
        "role title",
        "added active",
        "related pulses",
        "entries",
        "monitor",
        "target",
        "members",
        "maas",
        "attack",
        "mitre att"
      ],
      "references": [
        "RANSOM_REvil - https://www.nextron-systems.com/notes-on-virustotal-matches/",
        "YARA:  Matches rule MAL_RANSOM_REvil_Oct20_1 from ruleset crime_ransom_revil by Florian Roth (Nextron Systems)",
        "YARA: Matches rule Windows_Ransomware_Sodinokibi_83f05fbe from ruleset Windows_Ransomware_Sodinokibi by Elastic Security",
        "YARA: Matches rule win_revil_auto from ruleset win.revil_auto by Felix Bilstein - yara-signator at cocacoding dot com",
        "https://otx.alienvault.com/malware/Ransom:Win32/Makop/",
        "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8",
        "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8",
        "Permissions requested: SE_DEBUG_PRIVILEGE SE_LOAD_DRIVER_PRIVILEGE",
        "Behaviour: Extract file to system directory"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Ransom:Win32/Makop.PA!MTB",
          "display_name": "Ransom:Win32/Makop.PA!MTB",
          "target": "/malware/Ransom:Win32/Makop.PA!MTB"
        },
        {
          "id": "Trojan/Win32.BlueCrab.R331768",
          "display_name": "Trojan/Win32.BlueCrab.R331768",
          "target": null
        },
        {
          "id": "Trojan.Ransom.Sodinokibi",
          "display_name": "Trojan.Ransom.Sodinokibi",
          "target": null
        },
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "Virus.Neshta",
          "display_name": "Virus.Neshta",
          "target": null
        },
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "RANSOM_REvil",
          "display_name": "RANSOM_REvil",
          "target": null
        },
        {
          "id": "Labeled as: Ransom.Sodinokibi.Generic",
          "display_name": "Labeled as: Ransom.Sodinokibi.Generic",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1035",
          "name": "Service Execution",
          "display_name": "T1035 - Service Execution"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1179",
          "name": "Hooking",
          "display_name": "T1179 - Hooking"
        },
        {
          "id": "T1215",
          "name": "Kernel Modules and Extensions",
          "display_name": "T1215 - Kernel Modules and Extensions"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1181",
          "name": "Extra Window Memory Injection",
          "display_name": "T1181 - Extra Window Memory Injection"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "TA0002",
          "name": "Execution",
          "display_name": "TA0002 - Execution"
        },
        {
          "id": "TA0010",
          "name": "Exfiltration",
          "display_name": "TA0010 - Exfiltration"
        },
        {
          "id": "TA0008",
          "name": "Lateral Movement",
          "display_name": "TA0008 - Lateral Movement"
        },
        {
          "id": "TA0009",
          "name": "Collection",
          "display_name": "TA0009 - Collection"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 28,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 99,
        "FileHash-SHA1": 85,
        "FileHash-SHA256": 110,
        "URL": 83,
        "CVE": 1,
        "domain": 102,
        "hostname": 36
      },
      "indicator_count": 516,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "279 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "684c8fcde05dacb07f1a202e",
      "name": "Payment - Ref Id- H3426584.doc (aws.dev) Emotet",
      "description": "",
      "modified": "2025-07-13T20:04:30.723000",
      "created": "2025-06-13T20:53:33.231000",
      "tags": [
        "learn more",
        "added active",
        "related pulses",
        "emotet",
        "malware",
        "get http",
        "dns resolutions",
        "resolved ips",
        "post http",
        "ua71173394",
        "ip address",
        "status code",
        "body length",
        "kb body",
        "media sharing",
        "known infection source",
        "spyware",
        "real estate",
        "compromised websites",
        "malware sites",
        "huge domains",
        "parking crew",
        "business",
        "malware service",
        "mas",
        "aws",
        "dev",
        "false",
        "error",
        "url https",
        "url http",
        "indicator role",
        "title added",
        "active related",
        "pulses",
        "showing",
        "entries",
        "sha256",
        "ttl value",
        "first",
        "privacy admin",
        "domain status",
        "redacted for",
        "server",
        "admin city",
        "country",
        "organization",
        "postal code",
        "stateprovince",
        "date",
        "key identifier",
        "x509v3 subject",
        "data",
        "v3 serial",
        "number",
        "algorithm",
        "cus olet",
        "encrypt cnr11",
        "validity",
        "subject public",
        "dirtsearch",
        "dns"
      ],
      "references": [
        "Payment - Ref Id- H3426584.doc FileHash SHA256 ed2914efddb8e8f4c89abf95faa32572d35b3cfdfb202266993f6e7624a2048c",
        "The sandbox Zenbox flags this file as: EVADER",
        "The sandbox Dr.Web vxCube flags this file as: MALWARE EXPLOIT",
        "IDS: Matches rule SURICATA STREAM Packet with invalid ack",
        "IDS: Matches rule SURICATA STREAM SHUTDOWN RST invalid ack",
        "YARA: Office_Document_with_VBA_Project from ruleset Office_Document_with_VBA_Project by InQuest Labs",
        "YARA: Microsoft_Office_Documents_Excessive_Variables from ruleset Microsoft_Office_Documents_Excessive_Variables by InQuest Labs",
        "Dr. Web known infection source",
        "Emotet download site = dirt search.org / aws.dev and other related DGA\u2019s (active)",
        "Xcitium Verdict Cloud government & legal -  https://www.dirtsearch.org/data/TSARA/BRASHEARS/",
        "DirtSearch.org | BitDefender business | Forcepoint ThreatSeeker reference materials | Xcitium Verdict Cloud government & legal",
        "Verdict: Defense Law Firm | malicious tools / agitators"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Doc.Downloader.Emotet-7196349-0",
          "display_name": "Doc.Downloader.Emotet-7196349-0",
          "target": null
        },
        {
          "id": "vb:Trojan.Agent.EEZZ",
          "display_name": "vb:Trojan.Agent.EEZZ",
          "target": null
        },
        {
          "id": "trojan.w97m/emotetdldr",
          "display_name": "trojan.w97m/emotetdldr",
          "target": null
        },
        {
          "id": "Troj/DocDl-SOK",
          "display_name": "Troj/DocDl-SOK",
          "target": null
        },
        {
          "id": "Static AI - Malicious OLE",
          "display_name": "Static AI - Malicious OLE",
          "target": null
        },
        {
          "id": "Trojan.W97M.POWLOAD.SMRV08",
          "display_name": "Trojan.W97M.POWLOAD.SMRV08",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1588.001",
          "name": "Malware",
          "display_name": "T1588.001 - Malware"
        },
        {
          "id": "T1447",
          "name": "Delete Device Data",
          "display_name": "T1447 - Delete Device Data"
        },
        {
          "id": "T1578.003",
          "name": "Delete Cloud Instance",
          "display_name": "T1578.003 - Delete Cloud Instance"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1036.004",
          "name": "Masquerade Task or Service",
          "display_name": "T1036.004 - Masquerade Task or Service"
        },
        {
          "id": "T1114.001",
          "name": "Local Email Collection",
          "display_name": "T1114.001 - Local Email Collection"
        },
        {
          "id": "T1110.002",
          "name": "Password Cracking",
          "display_name": "T1110.002 - Password Cracking"
        },
        {
          "id": "T1512",
          "name": "Capture Camera",
          "display_name": "T1512 - Capture Camera"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1457",
          "name": "Malicious Media Content",
          "display_name": "T1457 - Malicious Media Content"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1204.003",
          "name": "Malicious Image",
          "display_name": "T1204.003 - Malicious Image"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1523",
          "name": "Evade Analysis Environment",
          "display_name": "T1523 - Evade Analysis Environment"
        },
        {
          "id": "T1610",
          "name": "Deploy Container",
          "display_name": "T1610 - Deploy Container"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 29,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 37,
        "FileHash-SHA1": 44,
        "FileHash-SHA256": 117,
        "URL": 47,
        "domain": 41,
        "hostname": 43
      },
      "indicator_count": 329,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "279 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "684c792c7a89d98470ecef31",
      "name": "aws.dev - Emotet - Hub for  malicious activity",
      "description": "\u2022 Domain Name: aws.dev |\n\u2022 (DGA) https://www.google.com/search?client=ms-google-coop&q=%22deploy-delete-app-eu-west-1-0.deploy-delete-test-eu-west-1-oigwi9v.us-east-1.forgeapps.ec2.aws.dev%22&cx=003414466004237966221:dgg7iftvryo | \n\u2022 34.226.76.55 |\n\u2022\u2019domains.amazon | \n\u2022 devilspen.com |\n\u2022 aisux.aws.dev |\t\t\n\u2022 alex.aws.dev  |\t\n\u2022 askjarvis.aws.dev |\n\u2022 atrium.aws.dev |\n\u2022 automated-runbooks.aws.dev |\nFalse 404 codes and Error pages - very active malicious behavior",
      "modified": "2025-07-13T18:02:18.648000",
      "created": "2025-06-13T19:17:00.818000",
      "tags": [
        "united",
        "creation date",
        "search",
        "entries",
        "passive dns",
        "urls",
        "showing",
        "pulse pulses",
        "files",
        "domain",
        "dnssec",
        "expiration date",
        "unknown cname",
        "hostname add",
        "date",
        "redacted for",
        "email",
        "code",
        "organization",
        "privacy billing",
        "privacy tech",
        "postal code",
        "privacy admin",
        "com laude",
        "ltd dba",
        "nomiq",
        "limited dba",
        "admin city",
        "country",
        "stateprovince",
        "city",
        "mtb oct",
        "win32",
        "next associated",
        "mtb mar",
        "ipv4 add",
        "trojan",
        "apanas",
        "ransom",
        "body"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 32,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1111,
        "hostname": 1014,
        "URL": 2554,
        "FileHash-SHA256": 1461,
        "FileHash-MD5": 64,
        "email": 6,
        "FileHash-SHA1": 63
      },
      "indicator_count": 6273,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "280 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "devilspen.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "devilspen.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776622393.5271766
}