{
  "type": "Domain",
  "indicator": "digitalsoundmaker99.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/digitalsoundmaker99.com",
    "alexa": "http://www.alexa.com/siteinfo/digitalsoundmaker99.com",
    "indicator": "digitalsoundmaker99.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2216729618,
      "indicator": "digitalsoundmaker99.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "5f4fd46ac0f4e7ee5448bd40",
          "name": "OpBlueRaven: Unveiling Fin7/Carbanak - Part II: BadUSB Attacks",
          "description": "This article provides readers with details about the PRODAFT & INVICTUS Threat Intelligence (PTI) team's latest operation on different threat actors, who have been detected working in cooperation with the notorious FIN7 APT group.\n\nWe appreciate all your support after the first part of this series. Before disclosing the relationship between the FIN7 and REvil groups, we are trying to reach the ransomware victims. Until all necessary parties have been reached, we will continue to publish articles about the FIN7 attackers' tools.",
          "modified": "2020-10-02T00:04:12.395000",
          "created": "2020-09-02T17:20:42.241000",
          "tags": [
            "FIN7",
            "Carbanak",
            "BadUSB",
            "Bella RAT",
            "Tirion Loader",
            "macOS"
          ],
          "references": [
            "https://threatintel.blog/OPBlueRaven-Part2/",
            "https://threatintel.blog/OPBlueRaven-Part1/",
            "https://github.com/kdaoudieh/Bella"
          ],
          "public": 1,
          "adversary": "FIN7",
          "targeted_countries": [
            "United States of America",
            "United Kingdom of Great Britain and Northern Ireland",
            "Germany",
            "Russian Federation",
            "Spain",
            "Sweden",
            "Switzerland",
            "Israel",
            "Italy",
            "Mexico",
            "Netherlands",
            "Panama",
            "Poland",
            "Chile",
            "Slovakia"
          ],
          "malware_families": [
            {
              "id": "Carbanak - S0030",
              "display_name": "Carbanak - S0030",
              "target": null
            },
            {
              "id": "Bella RAT",
              "display_name": "Bella RAT",
              "target": null
            },
            {
              "id": "BadUSB",
              "display_name": "BadUSB",
              "target": null
            },
            {
              "id": "Tirion Loader",
              "display_name": "Tirion Loader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1544",
              "name": "Remote File Copy",
              "display_name": "T1544 - Remote File Copy"
            },
            {
              "id": "T1021.005",
              "name": "VNC",
              "display_name": "T1021.005 - VNC"
            },
            {
              "id": "T1543.001",
              "name": "Launch Agent",
              "display_name": "T1543.001 - Launch Agent"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1503",
              "name": "Credentials from Web Browsers",
              "display_name": "T1503 - Credentials from Web Browsers"
            },
            {
              "id": "T1555.001",
              "name": "Keychain",
              "display_name": "T1555.001 - Keychain"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 106,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 16
          },
          "indicator_count": 16,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387180,
          "modified_text": "2070 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "61d615a3fa213074f805deaa",
          "name": "OpBlueRaven IOC",
          "description": "These IOCs were released as part of our threat intelligence research on OpBlueRaven. Between May and July 2020, four members of the PRODAFT Threat Intelligence team conducted operation BlueRaven, a case study that originated from the discovery of a minor OpSec failure by a seemingly unimportant group of threat actors. These threat actors were later found to have ties to the notorious FIN7 / Carbanak threat actors. The full report will be available in the references.",
          "modified": "2022-02-04T00:00:10.799000",
          "created": "2022-01-05T22:03:15.460000",
          "tags": [
            "carbanak",
            "backdoor"
          ],
          "references": [
            "https://threatintel.blog/OPBlueRaven-Part1/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Carbanak",
              "display_name": "Carbanak",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PRODAFT_",
            "id": "176319",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_176319/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 425,
            "domain": 16
          },
          "indicator_count": 441,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 44,
          "modified_text": "1580 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://threatintel.blog/OPBlueRaven-Part1/",
        "https://github.com/kdaoudieh/Bella",
        "https://threatintel.blog/OPBlueRaven-Part2/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "FIN7"
          ],
          "malware_families": [
            "Carbanak - s0030",
            "Tirion loader",
            "Badusb",
            "Bella rat"
          ],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Carbanak"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "5f4fd46ac0f4e7ee5448bd40",
      "name": "OpBlueRaven: Unveiling Fin7/Carbanak - Part II: BadUSB Attacks",
      "description": "This article provides readers with details about the PRODAFT & INVICTUS Threat Intelligence (PTI) team's latest operation on different threat actors, who have been detected working in cooperation with the notorious FIN7 APT group.\n\nWe appreciate all your support after the first part of this series. Before disclosing the relationship between the FIN7 and REvil groups, we are trying to reach the ransomware victims. Until all necessary parties have been reached, we will continue to publish articles about the FIN7 attackers' tools.",
      "modified": "2020-10-02T00:04:12.395000",
      "created": "2020-09-02T17:20:42.241000",
      "tags": [
        "FIN7",
        "Carbanak",
        "BadUSB",
        "Bella RAT",
        "Tirion Loader",
        "macOS"
      ],
      "references": [
        "https://threatintel.blog/OPBlueRaven-Part2/",
        "https://threatintel.blog/OPBlueRaven-Part1/",
        "https://github.com/kdaoudieh/Bella"
      ],
      "public": 1,
      "adversary": "FIN7",
      "targeted_countries": [
        "United States of America",
        "United Kingdom of Great Britain and Northern Ireland",
        "Germany",
        "Russian Federation",
        "Spain",
        "Sweden",
        "Switzerland",
        "Israel",
        "Italy",
        "Mexico",
        "Netherlands",
        "Panama",
        "Poland",
        "Chile",
        "Slovakia"
      ],
      "malware_families": [
        {
          "id": "Carbanak - S0030",
          "display_name": "Carbanak - S0030",
          "target": null
        },
        {
          "id": "Bella RAT",
          "display_name": "Bella RAT",
          "target": null
        },
        {
          "id": "BadUSB",
          "display_name": "BadUSB",
          "target": null
        },
        {
          "id": "Tirion Loader",
          "display_name": "Tirion Loader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1544",
          "name": "Remote File Copy",
          "display_name": "T1544 - Remote File Copy"
        },
        {
          "id": "T1021.005",
          "name": "VNC",
          "display_name": "T1021.005 - VNC"
        },
        {
          "id": "T1543.001",
          "name": "Launch Agent",
          "display_name": "T1543.001 - Launch Agent"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1503",
          "name": "Credentials from Web Browsers",
          "display_name": "T1503 - Credentials from Web Browsers"
        },
        {
          "id": "T1555.001",
          "name": "Keychain",
          "display_name": "T1555.001 - Keychain"
        },
        {
          "id": "T1123",
          "name": "Audio Capture",
          "display_name": "T1123 - Audio Capture"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 106,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 16
      },
      "indicator_count": 16,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387180,
      "modified_text": "2070 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "61d615a3fa213074f805deaa",
      "name": "OpBlueRaven IOC",
      "description": "These IOCs were released as part of our threat intelligence research on OpBlueRaven. Between May and July 2020, four members of the PRODAFT Threat Intelligence team conducted operation BlueRaven, a case study that originated from the discovery of a minor OpSec failure by a seemingly unimportant group of threat actors. These threat actors were later found to have ties to the notorious FIN7 / Carbanak threat actors. The full report will be available in the references.",
      "modified": "2022-02-04T00:00:10.799000",
      "created": "2022-01-05T22:03:15.460000",
      "tags": [
        "carbanak",
        "backdoor"
      ],
      "references": [
        "https://threatintel.blog/OPBlueRaven-Part1/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Carbanak",
          "display_name": "Carbanak",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PRODAFT_",
        "id": "176319",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_176319/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 425,
        "domain": 16
      },
      "indicator_count": 441,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 44,
      "modified_text": "1580 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "digitalsoundmaker99.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "digitalsoundmaker99.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780515345.8477771
}