{ "type": "SHA256", "indicator": "e9ad648589aa3e15ce61c6a3be4fc98429581be738792ed17a713b4980c9a4a2", "general": { "sections": [ "general", "analysis" ], "type": "sha256", "type_title": "FileHash-SHA256", "indicator": "e9ad648589aa3e15ce61c6a3be4fc98429581be738792ed17a713b4980c9a4a2", "validation": [], "base_indicator": { "id": 3895974004, "indicator": "e9ad648589aa3e15ce61c6a3be4fc98429581be738792ed17a713b4980c9a4a2", "type": "FileHash-SHA256", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "66953c49237688e18327a6ac", "name": "A Social Engineering Tactic to Deploy Malware", "description": "McAfee Labs uncovered a sophisticated social engineering technique, dubbed 'ClickFix,' for deploying malware such as DarkGate and Lumma Stealer. Victims are lured to compromised websites displaying error messages with instructions to paste scripts in PowerShell, facilitating malware downloads and execution. This deceptive tactic exploits users' trust by masquerading as legitimate error prompts, tricking them into unknowingly executing malicious code that compromises their systems.", "modified": "2024-07-15T15:13:09.215000", "created": "2024-07-15T15:12:08.753000", "tags": [ "DarkGate", "Lumma Stealer", "ClickFix" ], "references": [ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clickfix-deception-a-social-engineering-tactic-to-deploy-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "DarkGate", "display_name": "DarkGate", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1223", "name": "Compiled HTML File", "display_name": "T1223 - Compiled HTML File" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 343, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 376706, "modified_text": "638 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "666162acc519496e8fdc8a0b", "name": "Warning Against Phishing Emails Prompting Execution of Commands via Paste", "description": "This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exercising caution with files from unknown sources.", "modified": "2024-06-06T07:34:53.388000", "created": "2024-06-06T07:18:04.975000", "tags": [ "phishing", "emails", "malicious", "darkgate", "commands", "powershell" ], "references": [ "https://asec.ahnlab.com/en/66300/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "DarkGate", "display_name": "DarkGate", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1136.002", "name": "Domain Account", "display_name": "T1136.002 - Domain Account" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 355, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "URL": 9, "domain": 5, "hostname": 1 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 376704, "modified_text": "677 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "305 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "667e748f956c243bf611e3d3", "name": "Malicious Object (IP / Hash / URL)", "description": "Malicious Object (IP / Hash)\nLast Update : 27/12/2024 (Add Hash & BL IP)", "modified": "2025-01-26T00:03:47.506000", "created": "2024-06-28T08:30:07.764000", "tags": [ "Malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Indonesia" ], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [ { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1595.001", "name": "Scanning IP Blocks", "display_name": "T1595.001 - Scanning IP Blocks" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1110.004", "name": "Credential Stuffing", "display_name": "T1110.004 - Credential Stuffing" }, { "id": "T1110.001", "name": "Password Guessing", "display_name": "T1110.001 - Password Guessing" }, { "id": "T1110.003", "name": "Password Spraying", "display_name": "T1110.003 - Password Spraying" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1590.004", "name": "Network Topology", "display_name": "T1590.004 - Network Topology" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1133, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IndoOpenThreatXchange", "id": "286483", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_286483/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1839, "FileHash-SHA256": 48, "FileHash-MD5": 23, "FileHash-SHA1": 48, "URL": 3, "domain": 22, "hostname": 3, "CIDR": 1 }, "indicator_count": 1987, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "444 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "6695abd8da05c504990e0255", "name": "Weekly OSINT Highlights, 15 July 2024", "description": "", "modified": "2024-08-14T23:00:18.722000", "created": "2024-07-15T23:08:08.904000", "tags": [ "OSINT" ], "references": [ "https://community.riskiq.com/article/fdcb22e4" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "FileHash-SHA256": 140, "FileHash-MD5": 10, "hostname": 3, "domain": 20 }, "indicator_count": 178, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "608 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "669e2741dcd4f9596558c537", "name": "\u201cClickFix\u201d Malware Delivery Method", "description": "", "modified": "2024-07-22T09:32:49.017000", "created": "2024-07-22T09:32:49.017000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 9, "domain": 1 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 482, "modified_text": "631 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "6696722ef047e3eef77e772b", "name": "\u201cClickFix\u201d Malware Delivery Method", "description": "", "modified": "2024-07-16T13:14:22.390000", "created": "2024-07-16T13:14:22.390000", "tags": [ "hashes", "sha256", "domains" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 9, "domain": 1 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 482, "modified_text": "637 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "666aff8b28f34d845ca6a7d2", "name": "ACTIVIDAD MALICIOSA | Relacionada DarkGate 13-06-2024", "description": "DarkGate es una herramienta vers\u00e1til de malware que ha estado presente desde al menos 2018, con su variante m\u00e1s reciente emergiendo en julio de 2023. Las versiones antiguas se propagaban principalmente a trav\u00e9s de correo no deseado y sitios de Torrent, centr\u00e1ndose en usuarios de habla hispana en Europa. La \u00faltima iteraci\u00f3n de DarkGate se ha observado utilizando t\u00e9cnicas de malvertising, envenenamiento de motores de b\u00fasqueda y campa\u00f1as de spam.\n\nDarkGate implementa varios mecanismos anti-detecci\u00f3n y anti-an\u00e1lisis, como ofuscaci\u00f3n, capacidades anti-VM (detecci\u00f3n al ejecutarse en una m\u00e1quina virtual) y exclusi\u00f3n de detecci\u00f3n de Microsoft Defender Antivirus. Este malware se oculta en el Administrador de tareas de Windows y permanece invisible al inicio, incluso para herramientas avanzadas.", "modified": "2024-06-13T14:17:47.190000", "created": "2024-06-13T14:17:47.190000", "tags": [ "abuse elevation", "access token", "manipulation", "ta0005", "ta0006", "setgid", "bypass user", "account control", "sudo caching", "create process" ], "references": [ "https://darfe.es/ciberwiki/index.php?title=DarkGate", "https://www.virustotal.com/graph/embed/g49400ea54a2642979b202121bbe4d7ac31adce9d7d8a409090d1902380140fcf?theme=light", "https://alertas-y-seguridad.jimdosite.com/repositorio-ioc/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "DarkGate - S1111", "display_name": "DarkGate - S1111", "target": null } ], "attack_ids": [ { "id": "T1052", "name": "Exfiltration Over Physical Medium", "display_name": "T1052 - Exfiltration Over Physical Medium" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 23, "FileHash-SHA1": 23, "FileHash-SHA256": 23 }, "indicator_count": 69, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "670 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "6662d357439f5f13ac888b7a", "name": "Warning Against Phishing Emails Prompting Execution of Commands via Paste (CTRL+V) - ASEC BLOG", "description": "", "modified": "2024-06-07T09:31:03.677000", "created": "2024-06-07T09:31:03.677000", "tags": [ "figure", "ctrlv", "autoit", "ahnlab", "ahnlab security", "center", "asec", "html", "html file", "ms word" ], "references": [ "https://asec.ahnlab.com/en/66300/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "FileHash-SHA1": 10, "FileHash-SHA256": 10, "URL": 9, "domain": 5, "hostname": 1 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 842, "modified_text": "676 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "66559f377688f201e86f1d83", "name": "Phishing Scams Exploiting Paste Function (CTRL+V)", "description": "", "modified": "2024-05-28T09:09:11.743000", "created": "2024-05-28T09:09:11.743000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 10 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "686 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 } ], "references": [ "", "https://community.riskiq.com/article/fdcb22e4", "https://threatfox.abuse.ch/export/csv/recent/", "https://darfe.es/ciberwiki/index.php?title=DarkGate", "https://www.virustotal.com/graph/embed/g49400ea54a2642979b202121bbe4d7ac31adce9d7d8a409090d1902380140fcf?theme=light", "https://asec.ahnlab.com/en/66300/", "https://alertas-y-seguridad.jimdosite.com/repositorio-ioc/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clickfix-deception-a-social-engineering-tactic-to-deploy-malware/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Lumma stealer", "Darkgate" ], "industries": [] }, "other": { "adversary": [], "malware_families": [ "", "Darkgate - s1111" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "66953c49237688e18327a6ac", "name": "A Social Engineering Tactic to Deploy Malware", "description": "McAfee Labs uncovered a sophisticated social engineering technique, dubbed 'ClickFix,' for deploying malware such as DarkGate and Lumma Stealer. Victims are lured to compromised websites displaying error messages with instructions to paste scripts in PowerShell, facilitating malware downloads and execution. This deceptive tactic exploits users' trust by masquerading as legitimate error prompts, tricking them into unknowingly executing malicious code that compromises their systems.", "modified": "2024-07-15T15:13:09.215000", "created": "2024-07-15T15:12:08.753000", "tags": [ "DarkGate", "Lumma Stealer", "ClickFix" ], "references": [ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clickfix-deception-a-social-engineering-tactic-to-deploy-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "DarkGate", "display_name": "DarkGate", "target": null }, { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1223", "name": "Compiled HTML File", "display_name": "T1223 - Compiled HTML File" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 343, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 376706, "modified_text": "638 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "666162acc519496e8fdc8a0b", "name": "Warning Against Phishing Emails Prompting Execution of Commands via Paste", "description": "This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exercising caution with files from unknown sources.", "modified": "2024-06-06T07:34:53.388000", "created": "2024-06-06T07:18:04.975000", "tags": [ "phishing", "emails", "malicious", "darkgate", "commands", "powershell" ], "references": [ "https://asec.ahnlab.com/en/66300/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "DarkGate", "display_name": "DarkGate", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1136.002", "name": "Domain Account", "display_name": "T1136.002 - Domain Account" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 355, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "URL": 9, "domain": 5, "hostname": 1 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 376704, "modified_text": "677 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "305 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "667e748f956c243bf611e3d3", "name": "Malicious Object (IP / Hash / URL)", "description": "Malicious Object (IP / Hash)\nLast Update : 27/12/2024 (Add Hash & BL IP)", "modified": "2025-01-26T00:03:47.506000", "created": "2024-06-28T08:30:07.764000", "tags": [ "Malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Indonesia" ], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [ { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1595.001", "name": "Scanning IP Blocks", "display_name": "T1595.001 - Scanning IP Blocks" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1110.004", "name": "Credential Stuffing", "display_name": "T1110.004 - Credential Stuffing" }, { "id": "T1110.001", "name": "Password Guessing", "display_name": "T1110.001 - Password Guessing" }, { "id": "T1110.003", "name": "Password Spraying", "display_name": "T1110.003 - Password Spraying" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1590.004", "name": "Network Topology", "display_name": "T1590.004 - Network Topology" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1133, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IndoOpenThreatXchange", "id": "286483", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_286483/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1839, "FileHash-SHA256": 48, "FileHash-MD5": 23, "FileHash-SHA1": 48, "URL": 3, "domain": 22, "hostname": 3, "CIDR": 1 }, "indicator_count": 1987, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "444 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "6695abd8da05c504990e0255", "name": "Weekly OSINT Highlights, 15 July 2024", "description": "", "modified": "2024-08-14T23:00:18.722000", "created": "2024-07-15T23:08:08.904000", "tags": [ "OSINT" ], "references": [ "https://community.riskiq.com/article/fdcb22e4" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "FileHash-SHA256": 140, "FileHash-MD5": 10, "hostname": 3, "domain": 20 }, "indicator_count": 178, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "608 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "669e2741dcd4f9596558c537", "name": "\u201cClickFix\u201d Malware Delivery Method", "description": "", "modified": "2024-07-22T09:32:49.017000", "created": "2024-07-22T09:32:49.017000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 9, "domain": 1 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 482, "modified_text": "631 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "6696722ef047e3eef77e772b", "name": "\u201cClickFix\u201d Malware Delivery Method", "description": "", "modified": "2024-07-16T13:14:22.390000", "created": "2024-07-16T13:14:22.390000", "tags": [ "hashes", "sha256", "domains" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 9, "domain": 1 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 482, "modified_text": "637 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "666aff8b28f34d845ca6a7d2", "name": "ACTIVIDAD MALICIOSA | Relacionada DarkGate 13-06-2024", "description": "DarkGate es una herramienta vers\u00e1til de malware que ha estado presente desde al menos 2018, con su variante m\u00e1s reciente emergiendo en julio de 2023. Las versiones antiguas se propagaban principalmente a trav\u00e9s de correo no deseado y sitios de Torrent, centr\u00e1ndose en usuarios de habla hispana en Europa. La \u00faltima iteraci\u00f3n de DarkGate se ha observado utilizando t\u00e9cnicas de malvertising, envenenamiento de motores de b\u00fasqueda y campa\u00f1as de spam.\n\nDarkGate implementa varios mecanismos anti-detecci\u00f3n y anti-an\u00e1lisis, como ofuscaci\u00f3n, capacidades anti-VM (detecci\u00f3n al ejecutarse en una m\u00e1quina virtual) y exclusi\u00f3n de detecci\u00f3n de Microsoft Defender Antivirus. Este malware se oculta en el Administrador de tareas de Windows y permanece invisible al inicio, incluso para herramientas avanzadas.", "modified": "2024-06-13T14:17:47.190000", "created": "2024-06-13T14:17:47.190000", "tags": [ "abuse elevation", "access token", "manipulation", "ta0005", "ta0006", "setgid", "bypass user", "account control", "sudo caching", "create process" ], "references": [ "https://darfe.es/ciberwiki/index.php?title=DarkGate", "https://www.virustotal.com/graph/embed/g49400ea54a2642979b202121bbe4d7ac31adce9d7d8a409090d1902380140fcf?theme=light", "https://alertas-y-seguridad.jimdosite.com/repositorio-ioc/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "DarkGate - S1111", "display_name": "DarkGate - S1111", "target": null } ], "attack_ids": [ { "id": "T1052", "name": "Exfiltration Over Physical Medium", "display_name": "T1052 - Exfiltration Over Physical Medium" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 23, "FileHash-SHA1": 23, "FileHash-SHA256": 23 }, "indicator_count": 69, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "670 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "6662d357439f5f13ac888b7a", "name": "Warning Against Phishing Emails Prompting Execution of Commands via Paste (CTRL+V) - ASEC BLOG", "description": "", "modified": "2024-06-07T09:31:03.677000", "created": "2024-06-07T09:31:03.677000", "tags": [ "figure", "ctrlv", "autoit", "ahnlab", "ahnlab security", "center", "asec", "html", "html file", "ms word" ], "references": [ "https://asec.ahnlab.com/en/66300/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "FileHash-SHA1": 10, "FileHash-SHA256": 10, "URL": 9, "domain": 5, "hostname": 1 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 842, "modified_text": "676 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "66559f377688f201e86f1d83", "name": "Phishing Scams Exploiting Paste Function (CTRL+V)", "description": "", "modified": "2024-05-28T09:09:11.743000", "created": "2024-05-28T09:09:11.743000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 10 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "686 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 } ], "error": null, "vt": { "type": "Hash", "indicator": "e9ad648589aa3e15ce61c6a3be4fc98429581be738792ed17a713b4980c9a4a2", "stats": { "malicious": 33, "suspicious": 0, "harmless": 0, "undetected": 29, "total": 76, "verdict": "malicious", "ratio": "33/76" }, "verdict": "malicious", "ratio": "33/76", "file_name": "umkglnks", "file_type": "Powershell", "file_size": 246, "md5": "f2e4351aa516a1f2e59ade5d9e7aa1d6", "sha1": "1b751a2ee3af91c4cdf020914de19169fceb51ac", "sha256": "e9ad648589aa3e15ce61c6a3be4fc98429581be738792ed17a713b4980c9a4a2", "magic": "ASCII text, with no line terminators", "reputation": -13, "tags": [ "detect-debug-environment", "exe-pattern", "checks-cpu-name", "checks-network-adapters", "url-pattern", "powershell", "long-sleeps" ], "top_detections": [ { "vendor": "ALYac", "result": "Trojan.Downloader.PowerShell.Agent", "category": "malicious" }, { "vendor": "AVG", "result": "Other:Malware-gen [Trj]", "category": "malicious" }, { "vendor": "AhnLab-V3", "result": "Downloader/PowerShell.Generic", "category": "malicious" }, { "vendor": "Arcabit", "result": "Trojan.Agent.GNBP", "category": "malicious" }, { "vendor": "Avast", "result": "Other:Malware-gen [Trj]", "category": "malicious" }, { "vendor": "Avira", "result": "TR/Dldr.Agent.e9ad64", "category": "malicious" }, { "vendor": "BitDefender", "result": "Trojan.Agent.GNBP", "category": "malicious" }, { "vendor": "CAT-QuickHeal", "result": "PS.DARKGATE.48747", "category": "malicious" }, { "vendor": "CTX", "result": "powershell.trojan.bynoco", "category": "malicious" }, { "vendor": "Cynet", "result": "Malicious (score: 99)", "category": "malicious" } ], "last_analysis": 1772575857, "error": null }, "abuseipdb": null, "urlhaus": { "indicator": "e9ad648589aa3e15ce61c6a3be4fc98429581be738792ed17a713b4980c9a4a2", "found": true, "verdict": "malicious", "file_type": "unknown", "file_size": "246", "md5": "f2e4351aa516a1f2e59ade5d9e7aa1d6", "sha256": "e9ad648589aa3e15ce61c6a3be4fc98429581be738792ed17a713b4980c9a4a2", "signature": "DarkGate", "first_seen": "2024-05-14", "last_seen": "2024-05-17", "url_count": "2", "urls": [ { "url": "http://flexiblemaria.com/umkglnks", "status": "offline", "threat": "", "date_added": "", "tags": [] }, { "url": "http://91.222.173.186/umkglnks", "status": "offline", "threat": "", "date_added": "", "tags": [] } ], "error": null }, "from_cache": true, "_cached_at": 1776214251.7568855 }