{
  "type": "Domain",
  "indicator": "diyabip.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/diyabip.com",
    "alexa": "http://www.alexa.com/siteinfo/diyabip.com",
    "indicator": "diyabip.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3344839658,
      "indicator": "diyabip.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 6,
      "pulses": [
        {
          "id": "621a124b91058b5be1cf1bbe",
          "name": "Emotet Malware back in Action",
          "description": "Cyble Research Labs\u2019s analysis of Emotet malware shows that the malware has recently introduced new techniques for delivering malicious files to targets, including password-protected zip files, and even installed Cobalt Strike Beacons.",
          "modified": "2022-02-28T10:32:41.250000",
          "created": "2022-02-26T11:43:07.283000",
          "tags": [
            "emotet",
            "trickbot",
            "cobalt strike",
            "vultur banking",
            "geopolitical conflict"
          ],
          "references": [
            "https://blog.cyble.com/2022/02/26/emotet-malware-back-in-action/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Trickbot",
              "display_name": "Trickbot",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1110.001",
              "name": "Password Guessing",
              "display_name": "T1110.001 - Password Guessing"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 395,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 2,
            "URL": 11,
            "FileHash-MD5": 12,
            "FileHash-SHA1": 12,
            "FileHash-SHA256": 12,
            "domain": 11
          },
          "indicator_count": 60,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386926,
          "modified_text": "1555 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6570811a101af38d2fb539fb",
          "name": "Conti Ransomware - updated IOCs March 2022",
          "description": "",
          "modified": "2023-12-06T14:11:37.055000",
          "created": "2023-12-06T14:11:37.055000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 92,
            "FileHash-SHA1": 92,
            "FileHash-SHA256": 104,
            "URL": 67,
            "domain": 123,
            "hostname": 2
          },
          "indicator_count": 480,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "909 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62293b9a646dbc541ea04ba4",
          "name": "Conti Ransomware - updated IOCs March 2022",
          "description": "Here are the latest IOCs released by CISA, Fortinet, and other security reports. Included are hashes for TrickBot, Emotet, and BazarLoader.",
          "modified": "2022-04-08T00:05:40.239000",
          "created": "2022-03-09T23:43:22.541000",
          "tags": [
            "Ransomware"
          ],
          "references": [
            "https://www.cisa.gov/uscert/ncas/alerts/aa21-265a",
            "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one"
          ],
          "public": 1,
          "adversary": "Conti Group",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Emotet",
              "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Emotet",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:Trojan:Win32/Emotet",
              "display_name": "ALF:HeraklezEval:Trojan:Win32/Emotet",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "TrickBot",
              "display_name": "TrickBot",
              "target": null
            },
            {
              "id": "Trojan:Win32/Bazzarldr",
              "display_name": "Trojan:Win32/Bazzarldr",
              "target": "/malware/Trojan:Win32/Bazzarldr"
            },
            {
              "id": "Trojan:Win64/Bazzarldr",
              "display_name": "Trojan:Win64/Bazzarldr",
              "target": "/malware/Trojan:Win64/Bazzarldr"
            },
            {
              "id": "ALF:Backdoor:Win64/Bazarldr",
              "display_name": "ALF:Backdoor:Win64/Bazarldr",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Mitchell.Darnell",
            "id": "165445",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 67,
            "hostname": 2,
            "FileHash-MD5": 92,
            "FileHash-SHA1": 92,
            "FileHash-SHA256": 104,
            "domain": 123
          },
          "indicator_count": 480,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 62,
          "modified_text": "1516 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6203f94c82904772ae8e07c9",
          "name": "Example of Cobalt Strike from Emotet infection",
          "description": "This was an infection from the epoch 5 botnet, and approximately 5 hours after the initial infection, Cobalt Strike traffic started on 2022-02-08 at 19:54 UTC.  The Cobalt Strike binary was sent over HTTPS Emotet C2 traffic, so there were no indicators over the network for Cobalt Strike until the Cobalt Strike traffic started.",
          "modified": "2022-03-11T00:02:25.171000",
          "created": "2022-02-09T17:26:36.645000",
          "tags": [
            "cobalt strike",
            "emotet dll",
            "emotet",
            "https traffic",
            "update",
            "december",
            "tuesday",
            "https emotet",
            "c2 traffic",
            "strike dll",
            "sandbox"
          ],
          "references": [
            "https://isc.sans.edu/diary.html?date=2022-02-09"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Emotet DLL",
              "display_name": "Emotet DLL",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "mohdrennis",
            "id": "138092",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1,
            "domain": 2
          },
          "indicator_count": 3,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 356,
          "modified_text": "1544 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6226c4604c854ec24a39fa78",
          "name": "Cyble \u2014 Emotet Malware back in Action",
          "description": "Cyble Research Labs\u89c2\u5bdf\u5230\u4e0eEmotet\u6076\u610f\u8f6f\u4ef6\u76f8\u5173\u7684\u653b\u51fb\u6709\u6240\u589e\u52a0\uff0c\u8be5\u6076\u610f\u8f6f\u4ef6\u4e8e2014\u5e74\u9996\u6b21\u89c2\u5bdf\u5230\uff0c\u8fd1\u671f\u8be5\u6076\u610f\u8f6f\u4ef6\u5f15\u5165\u4e86\u7528\u4e8e\u4f20\u9012\u6076\u610f\u6587\u4ef6\u7684\u65b0\u6280\u672f\u3002",
          "modified": "2022-03-08T02:50:08.327000",
          "created": "2022-03-08T02:50:08.327000",
          "tags": [
            "emotet",
            "trickbot",
            "emotet malware",
            "phishing",
            "HotSpot"
          ],
          "references": [
            "https://blog.cyble.com/2022/02/26/emotet-malware-back-in-action/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "India",
            "Singapore",
            "Australia",
            "Georgia"
          ],
          "malware_families": [
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Trickbot",
              "display_name": "Trickbot",
              "target": null
            },
            {
              "id": "TrickBot",
              "display_name": "TrickBot",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "leiwen15",
            "id": "157128",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 2,
            "URL": 11,
            "FileHash-MD5": 12,
            "FileHash-SHA1": 12,
            "FileHash-SHA256": 12,
            "domain": 11
          },
          "indicator_count": 60,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "1547 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "621a13b170997f96e56381a4",
          "name": "Emotet IOCs",
          "description": "A full list of links for the Emotet malware, which has infected more than 100,000 victims in the past week and is the first of its kind in its current form, has been published.",
          "modified": "2022-02-26T11:49:05.415000",
          "created": "2022-02-26T11:49:05.415000",
          "tags": [
            "url url",
            "md5 sha1",
            "latest",
            "sha256 hash",
            "excel file",
            "emotet dll",
            "url cobalt",
            "indicator type",
            "description",
            "excel",
            "powershell",
            "cobalt strike"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "brazen.fox.thirteen",
            "id": "155136",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 2,
            "URL": 11,
            "FileHash-MD5": 12,
            "FileHash-SHA1": 12,
            "FileHash-SHA256": 12,
            "domain": 11
          },
          "indicator_count": 60,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 132,
          "modified_text": "1557 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.cisa.gov/uscert/ncas/alerts/aa21-265a",
        "https://blog.cyble.com/2022/02/26/emotet-malware-back-in-action/",
        "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one",
        "https://isc.sans.edu/diary.html?date=2022-02-09"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Cobalt strike",
            "Emotet",
            "Trickbot"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "Conti Group"
          ],
          "malware_families": [
            "Emotet",
            "Trojan:win32/bazzarldr",
            "Emotet dll",
            "Trojan:win64/bazzarldr",
            "Cobalt strike",
            "Alf:heraklezeval:trojandownloader:win32/emotet",
            "Alf:backdoor:win64/bazarldr",
            "Trickbot",
            "Alf:heraklezeval:trojan:win32/emotet"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 6,
  "pulses": [
    {
      "id": "621a124b91058b5be1cf1bbe",
      "name": "Emotet Malware back in Action",
      "description": "Cyble Research Labs\u2019s analysis of Emotet malware shows that the malware has recently introduced new techniques for delivering malicious files to targets, including password-protected zip files, and even installed Cobalt Strike Beacons.",
      "modified": "2022-02-28T10:32:41.250000",
      "created": "2022-02-26T11:43:07.283000",
      "tags": [
        "emotet",
        "trickbot",
        "cobalt strike",
        "vultur banking",
        "geopolitical conflict"
      ],
      "references": [
        "https://blog.cyble.com/2022/02/26/emotet-malware-back-in-action/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "Trickbot",
          "display_name": "Trickbot",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1110.001",
          "name": "Password Guessing",
          "display_name": "T1110.001 - Password Guessing"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 395,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 2,
        "URL": 11,
        "FileHash-MD5": 12,
        "FileHash-SHA1": 12,
        "FileHash-SHA256": 12,
        "domain": 11
      },
      "indicator_count": 60,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386926,
      "modified_text": "1555 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6570811a101af38d2fb539fb",
      "name": "Conti Ransomware - updated IOCs March 2022",
      "description": "",
      "modified": "2023-12-06T14:11:37.055000",
      "created": "2023-12-06T14:11:37.055000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 92,
        "FileHash-SHA1": 92,
        "FileHash-SHA256": 104,
        "URL": 67,
        "domain": 123,
        "hostname": 2
      },
      "indicator_count": 480,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "909 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62293b9a646dbc541ea04ba4",
      "name": "Conti Ransomware - updated IOCs March 2022",
      "description": "Here are the latest IOCs released by CISA, Fortinet, and other security reports. Included are hashes for TrickBot, Emotet, and BazarLoader.",
      "modified": "2022-04-08T00:05:40.239000",
      "created": "2022-03-09T23:43:22.541000",
      "tags": [
        "Ransomware"
      ],
      "references": [
        "https://www.cisa.gov/uscert/ncas/alerts/aa21-265a",
        "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one"
      ],
      "public": 1,
      "adversary": "Conti Group",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Emotet",
          "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Emotet",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:Trojan:Win32/Emotet",
          "display_name": "ALF:HeraklezEval:Trojan:Win32/Emotet",
          "target": null
        },
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "TrickBot",
          "display_name": "TrickBot",
          "target": null
        },
        {
          "id": "Trojan:Win32/Bazzarldr",
          "display_name": "Trojan:Win32/Bazzarldr",
          "target": "/malware/Trojan:Win32/Bazzarldr"
        },
        {
          "id": "Trojan:Win64/Bazzarldr",
          "display_name": "Trojan:Win64/Bazzarldr",
          "target": "/malware/Trojan:Win64/Bazzarldr"
        },
        {
          "id": "ALF:Backdoor:Win64/Bazarldr",
          "display_name": "ALF:Backdoor:Win64/Bazarldr",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Mitchell.Darnell",
        "id": "165445",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 67,
        "hostname": 2,
        "FileHash-MD5": 92,
        "FileHash-SHA1": 92,
        "FileHash-SHA256": 104,
        "domain": 123
      },
      "indicator_count": 480,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 62,
      "modified_text": "1516 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6203f94c82904772ae8e07c9",
      "name": "Example of Cobalt Strike from Emotet infection",
      "description": "This was an infection from the epoch 5 botnet, and approximately 5 hours after the initial infection, Cobalt Strike traffic started on 2022-02-08 at 19:54 UTC.  The Cobalt Strike binary was sent over HTTPS Emotet C2 traffic, so there were no indicators over the network for Cobalt Strike until the Cobalt Strike traffic started.",
      "modified": "2022-03-11T00:02:25.171000",
      "created": "2022-02-09T17:26:36.645000",
      "tags": [
        "cobalt strike",
        "emotet dll",
        "emotet",
        "https traffic",
        "update",
        "december",
        "tuesday",
        "https emotet",
        "c2 traffic",
        "strike dll",
        "sandbox"
      ],
      "references": [
        "https://isc.sans.edu/diary.html?date=2022-02-09"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Emotet DLL",
          "display_name": "Emotet DLL",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "mohdrennis",
        "id": "138092",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1,
        "domain": 2
      },
      "indicator_count": 3,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 356,
      "modified_text": "1544 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6226c4604c854ec24a39fa78",
      "name": "Cyble \u2014 Emotet Malware back in Action",
      "description": "Cyble Research Labs\u89c2\u5bdf\u5230\u4e0eEmotet\u6076\u610f\u8f6f\u4ef6\u76f8\u5173\u7684\u653b\u51fb\u6709\u6240\u589e\u52a0\uff0c\u8be5\u6076\u610f\u8f6f\u4ef6\u4e8e2014\u5e74\u9996\u6b21\u89c2\u5bdf\u5230\uff0c\u8fd1\u671f\u8be5\u6076\u610f\u8f6f\u4ef6\u5f15\u5165\u4e86\u7528\u4e8e\u4f20\u9012\u6076\u610f\u6587\u4ef6\u7684\u65b0\u6280\u672f\u3002",
      "modified": "2022-03-08T02:50:08.327000",
      "created": "2022-03-08T02:50:08.327000",
      "tags": [
        "emotet",
        "trickbot",
        "emotet malware",
        "phishing",
        "HotSpot"
      ],
      "references": [
        "https://blog.cyble.com/2022/02/26/emotet-malware-back-in-action/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "India",
        "Singapore",
        "Australia",
        "Georgia"
      ],
      "malware_families": [
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Trickbot",
          "display_name": "Trickbot",
          "target": null
        },
        {
          "id": "TrickBot",
          "display_name": "TrickBot",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "leiwen15",
        "id": "157128",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 2,
        "URL": 11,
        "FileHash-MD5": 12,
        "FileHash-SHA1": 12,
        "FileHash-SHA256": 12,
        "domain": 11
      },
      "indicator_count": 60,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 41,
      "modified_text": "1547 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "621a13b170997f96e56381a4",
      "name": "Emotet IOCs",
      "description": "A full list of links to the Emotet ransomware, which has infected more than 100,000 victims in the past week.. and the first of its kind in its current form, has been published.",
      "modified": "2022-02-26T11:49:05.415000",
      "created": "2022-02-26T11:49:05.415000",
      "tags": [
        "url url",
        "md5 sha1",
        "latest",
        "sha256 hash",
        "excel file",
        "emotet dll",
        "url cobalt",
        "indicator type",
        "description",
        "excel",
        "powershell",
        "cobalt strike"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "brazen.fox.thirteen",
        "id": "155136",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 2,
        "URL": 11,
        "FileHash-MD5": 12,
        "FileHash-SHA1": 12,
        "FileHash-SHA256": 12,
        "domain": 11
      },
      "indicator_count": 60,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 132,
      "modified_text": "1557 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "diyabip.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "diyabip.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780419626.0608804
}