{
  "type": "Domain",
  "indicator": "elemblo.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/elemblo.com",
    "alexa": "http://www.alexa.com/siteinfo/elemblo.com",
    "indicator": "elemblo.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3401205951,
      "indicator": "elemblo.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 11,
      "pulses": [
        {
          "id": "65708a2c17363fdfb72ab1d3",
          "name": "Conti Group IOCs (March 2022) with other Ransomware Indicators",
          "description": "",
          "modified": "2023-12-06T14:50:20.091000",
          "created": "2023-12-06T14:50:20.091000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 349,
            "FileHash-SHA1": 327,
            "email": 67,
            "FileHash-MD5": 51,
            "FileHash-SHA256": 121,
            "URL": 19,
            "hostname": 20
          },
          "indicator_count": 954,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "5b9d2f89f48dcf0e2966255a",
          "name": "Spam Email Dump",
          "description": "",
          "modified": "2023-09-06T16:01:10.409000",
          "created": "2018-09-15T16:12:57.942000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 45,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Silius_Soddus",
            "id": "67731",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_67731/resized/80/avatar_51e2b48419.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 348,
            "FileHash-SHA1": 337,
            "FileHash-SHA256": 2248,
            "domain": 1474,
            "hostname": 627,
            "URL": 1304,
            "email": 11,
            "IPv4": 16,
            "IPv6": 31
          },
          "indicator_count": 6396,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "998 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62b99e4340a6731c9c1f9bb9",
          "name": "Exotic Lily provides initial access for Conti ransomware gang",
          "description": "",
          "modified": "2022-07-27T00:02:05.219000",
          "created": "2022-06-27T12:10:43.250000",
          "tags": [],
          "references": [
            "March 18th, 2022- CryptoGen Cyber Threat Intelligence -Exotic Lily provides initial access for Conti ransomware.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 11,
            "URL": 1,
            "domain": 21
          },
          "indicator_count": 36,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "1404 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "626186a215fc527fe850e655",
          "name": "IoC Ransomware CONTI",
          "description": "IoCs related to the CONTI ransomware.\nRelated to the security event that occurred in Costa Rica on April 20, 2022",
          "modified": "2022-05-21T00:03:44.725000",
          "created": "2022-04-21T16:30:26.680000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 8,
            "URL": 3,
            "domain": 55,
            "hostname": 2
          },
          "indicator_count": 68,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 210,
          "modified_text": "1471 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "626187c84feab57d98f61579",
          "name": "IoC Ransomware",
          "description": "IoCs related to ransomware, associated with the security event that occurred in Costa Rica on April 20, 2022",
          "modified": "2022-05-21T00:03:44.725000",
          "created": "2022-04-21T16:35:20.919000",
          "tags": [
            "nombre",
            "sha1",
            "otros dominios",
            "sha256"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "soc_columbus",
            "id": "2084",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 26,
            "domain": 64,
            "hostname": 64
          },
          "indicator_count": 169,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 209,
          "modified_text": "1471 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6242ff76ccf35c60b225e7c4",
          "name": "Conti Group IOCs (March 2022) with other Ransomware Indicators",
          "description": "Here are the latest indicators of attack for the Conti group (March 2022) including IOCs for Redline Stealer, Lockbit, BazarLoader, among others.",
          "modified": "2022-04-28T00:00:15.198000",
          "created": "2022-03-29T12:45:42.136000",
          "tags": [
            "ransom",
            "bazarloader",
            "lockbit",
            "lokilocker",
            "Redline"
          ],
          "references": [],
          "public": 1,
          "adversary": "Conti Group",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Ransom:Win32/LockBit",
              "display_name": "Ransom:Win32/LockBit",
              "target": "/malware/Ransom:Win32/LockBit"
            },
            {
              "id": "ALF:Trojan:MSIL/LokiLoader",
              "display_name": "ALF:Trojan:MSIL/LokiLoader",
              "target": null
            },
            {
              "id": "Loki",
              "display_name": "Loki",
              "target": null
            },
            {
              "id": "TEL:Trojan:Win32/BazarLoader",
              "display_name": "TEL:Trojan:Win32/BazarLoader",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:Trojan:MSIL/Redline",
              "display_name": "ALF:HeraklezEval:Trojan:MSIL/Redline",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:PWS:MSIL/RedLine",
              "display_name": "ALF:HeraklezEval:PWS:MSIL/RedLine",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 28,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Mitchell.Darnell",
            "id": "165445",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 67,
            "domain": 349,
            "FileHash-MD5": 51,
            "FileHash-SHA1": 327,
            "FileHash-SHA256": 121,
            "URL": 19,
            "hostname": 20
          },
          "indicator_count": 954,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 59,
          "modified_text": "1494 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "623981e128e810d8780f021d",
          "name": "Exposing initial access broker with ties to Conti",
          "description": "The BBC News website uses cookies to track visitors to our website, which is also used by the BBC and Newsround to broadcast live coverage of the UK's Brexit vote and the US presidential election.",
          "modified": "2022-04-21T00:00:11.580000",
          "created": "2022-03-22T07:59:29.981000",
          "tags": [
            "conti",
            "cobalt strike",
            "trickbot",
            "threat analysis",
            "cybercrime investigation",
            "exotic lily",
            "group",
            "google",
            "analysis group",
            "shane huntley",
            "cve202140444",
            "bazarloader iso",
            "microsoft",
            "exposing",
            "bazarloader",
            "february",
            "glupteba",
            "diavol",
            "example",
            "phishing",
            "malware",
            "ukraine",
            "august"
          ],
          "references": [
            "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/",
            "https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee"
          ],
          "public": 1,
          "adversary": "CyberCrime Investigation",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "THREAT ANALYSIS",
              "display_name": "THREAT ANALYSIS",
              "target": null
            },
            {
              "id": "Trickbot",
              "display_name": "Trickbot",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Conti",
              "display_name": "Conti",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            }
          ],
          "industries": [
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "mohdrennis",
            "id": "138092",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-SHA256": 8,
            "URL": 1,
            "domain": 20
          },
          "indicator_count": 30,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 363,
          "modified_text": "1501 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62380071387a053e59591393",
          "name": "Exposing initial access broker with ties to Conti.",
          "description": "Exposing initial access broker with ties to Conti. Added 21/03/2022.",
          "modified": "2022-04-20T00:02:21.571000",
          "created": "2022-03-21T04:34:57.634000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "sarventhar1993",
            "id": "125638",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_125638/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 8,
            "URL": 1,
            "domain": 20
          },
          "indicator_count": 29,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 55,
          "modified_text": "1502 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62382bc2ac9a0bd6688bb3d9",
          "name": "Google: Exotic Lily, an Initial Access Broker is Affiliated with Conti and Diavol Ransomware Groups",
          "description": "Google's Threat Analysis Group (TAG) observed a financially motivated threat actor named Exotic Lily, exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). The TAG determined they are an Initial Access Broker (IAB) and said it is closely affiliated with a Russian cybercrime gang notorious for its Conti and Diavol ransomware operations.\n\nBusiness proposal-themed emails sent\nAs part of widespread phishing campaigns, the threat group has sent no fewer than 5,000 business proposal-themed emails a day to 650 targeted organizations globally. These groups specialize in breaching a target to open the doors, or the Windows, to the malicious actor with the highest bid.",
          "modified": "2022-04-20T00:02:21.571000",
          "created": "2022-03-21T07:39:46.288000",
          "tags": [
            "iocs domains",
            "bazarloader iso",
            "bumblebee iso",
            "bumblebee c2",
            "Google",
            "Exotic Lily"
          ],
          "references": [
            "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/"
          ],
          "public": 1,
          "adversary": "Informational",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "SVThreatIntel",
            "id": "148120",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 6,
            "domain": 20
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 193,
          "modified_text": "1502 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "623830bd47cc4a95fa27a39c",
          "name": "Exposing initial access broker with ties to Conti",
          "description": "",
          "modified": "2022-04-20T00:02:21.571000",
          "created": "2022-03-21T08:01:01.639000",
          "tags": [
            "iocs domains",
            "bazarloader iso",
            "bumblebee iso",
            "bumblebee c2",
            "Google",
            "Exotic Lily"
          ],
          "references": [
            "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/"
          ],
          "public": 1,
          "adversary": "Informational",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "62382bc2ac9a0bd6688bb3d9",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 6,
            "domain": 20
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 865,
          "modified_text": "1502 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "623382c9bea233082695df4d",
          "name": "Exposing initial access broker with ties to Conti",
          "description": "In early September 2021, Threat Analysis Group (TAG) observed a financially motivated threat actor we refer to as EXOTIC LILY, exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigating this group's activity, we determined they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as UNC1878 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike).",
          "modified": "2022-04-16T00:04:53.479000",
          "created": "2022-03-17T18:49:45.060000",
          "tags": [
            "bazarloader iso",
            "bumblebee c2"
          ],
          "references": [
            "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/"
          ],
          "public": 1,
          "adversary": "Conti",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 246,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "343GuiltySpark",
            "id": "91492",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_91492/resized/80/avatar_b7653559df.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 8,
            "URL": 1,
            "domain": 20
          },
          "indicator_count": 29,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 557,
          "modified_text": "1506 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee",
        "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/",
        "March 18th, 2022- CryptoGen Cyber Threat Intelligence -Exotic Lily provides initial access for Conti ransomware.pdf"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "CyberCrime Investigation",
            "Conti Group",
            "Informational",
            "Conti"
          ],
          "malware_families": [
            "Loki",
            "Cobalt strike",
            "Alf:heraklezeval:trojan:msil/redline",
            "Tel:trojan:win32/bazarloader",
            "Alf:trojan:msil/lokiloader",
            "Ransom:win32/lockbit",
            "Trickbot",
            "Alf:heraklezeval:pws:msil/redline",
            "Threat analysis",
            "Conti"
          ],
          "industries": [
            "Healthcare"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 11,
  "pulses": [
    {
      "id": "65708a2c17363fdfb72ab1d3",
      "name": "Conti Group IOCs (March 2022) with other Ransomware Indicators",
      "description": "",
      "modified": "2023-12-06T14:50:20.091000",
      "created": "2023-12-06T14:50:20.091000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 349,
        "FileHash-SHA1": 327,
        "email": 67,
        "FileHash-MD5": 51,
        "FileHash-SHA256": 121,
        "URL": 19,
        "hostname": 20
      },
      "indicator_count": 954,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 110,
      "modified_text": "907 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "5b9d2f89f48dcf0e2966255a",
      "name": "Spam Email Dump",
      "description": "",
      "modified": "2023-09-06T16:01:10.409000",
      "created": "2018-09-15T16:12:57.942000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 45,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Silius_Soddus",
        "id": "67731",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_67731/resized/80/avatar_51e2b48419.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 348,
        "FileHash-SHA1": 337,
        "FileHash-SHA256": 2248,
        "domain": 1474,
        "hostname": 627,
        "URL": 1304,
        "email": 11,
        "IPv4": 16,
        "IPv6": 31
      },
      "indicator_count": 6396,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "998 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62b99e4340a6731c9c1f9bb9",
      "name": "Exotic Lily provides initial access for Conti ransomware gang",
      "description": "",
      "modified": "2022-07-27T00:02:05.219000",
      "created": "2022-06-27T12:10:43.250000",
      "tags": [],
      "references": [
        "March 18th, 2022- CryptoGen Cyber Threat Intelligence -Exotic Lily provides initial access for Conti ransomware.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 11,
        "URL": 1,
        "domain": 21
      },
      "indicator_count": 36,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "1404 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "626186a215fc527fe850e655",
      "name": "IoC Ransomware CONTI",
      "description": "IoCs related to the CONTI ransomware.\nRelated to the security event that occurred in Costa Rica on April 20, 2022",
      "modified": "2022-05-21T00:03:44.725000",
      "created": "2022-04-21T16:30:26.680000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "soc_columbus",
        "id": "2084",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 8,
        "URL": 3,
        "domain": 55,
        "hostname": 2
      },
      "indicator_count": 68,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 210,
      "modified_text": "1471 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "626187c84feab57d98f61579",
      "name": "IoC Ransomware",
      "description": "IoC related to ransomware. Related to the security event that occurred in Costa Rica on April 20, 2022",
      "modified": "2022-05-21T00:03:44.725000",
      "created": "2022-04-21T16:35:20.919000",
      "tags": [
        "nombre",
        "sha1",
        "otros dominios",
        "sha256"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "soc_columbus",
        "id": "2084",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 8,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 26,
        "domain": 64,
        "hostname": 64
      },
      "indicator_count": 169,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 209,
      "modified_text": "1471 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6242ff76ccf35c60b225e7c4",
      "name": "Conti Group IOCs (March 2022) with other Ransomware Indicators",
      "description": "Here are the latest indicators of attack for the Conti group (March 2022) including IOCs for Redline Stealer, Lockbit, BazarLoader, among others.",
      "modified": "2022-04-28T00:00:15.198000",
      "created": "2022-03-29T12:45:42.136000",
      "tags": [
        "ransom",
        "bazarloader",
        "lockbit",
        "lokilocker",
        "Redline"
      ],
      "references": [],
      "public": 1,
      "adversary": "Conti Group",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Ransom:Win32/LockBit",
          "display_name": "Ransom:Win32/LockBit",
          "target": "/malware/Ransom:Win32/LockBit"
        },
        {
          "id": "ALF:Trojan:MSIL/LokiLoader",
          "display_name": "ALF:Trojan:MSIL/LokiLoader",
          "target": null
        },
        {
          "id": "Loki",
          "display_name": "Loki",
          "target": null
        },
        {
          "id": "TEL:Trojan:Win32/BazarLoader",
          "display_name": "TEL:Trojan:Win32/BazarLoader",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:Trojan:MSIL/Redline",
          "display_name": "ALF:HeraklezEval:Trojan:MSIL/Redline",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:PWS:MSIL/RedLine",
          "display_name": "ALF:HeraklezEval:PWS:MSIL/RedLine",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 28,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Mitchell.Darnell",
        "id": "165445",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 67,
        "domain": 349,
        "FileHash-MD5": 51,
        "FileHash-SHA1": 327,
        "FileHash-SHA256": 121,
        "URL": 19,
        "hostname": 20
      },
      "indicator_count": 954,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 59,
      "modified_text": "1494 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "623981e128e810d8780f021d",
      "name": "Exposing initial access broker with ties to Conti",
      "description": "The BBC News website uses cookies to track visitors to our website, which is also used by the BBC and Newsround to broadcast live coverage of the UK's Brexit vote and the US presidential election.",
      "modified": "2022-04-21T00:00:11.580000",
      "created": "2022-03-22T07:59:29.981000",
      "tags": [
        "conti",
        "cobalt strike",
        "trickbot",
        "threat analysis",
        "cybercrime investigation",
        "exotic lily",
        "group",
        "google",
        "analysis group",
        "shane huntley",
        "cve202140444",
        "bazarloader iso",
        "microsoft",
        "exposing",
        "bazarloader",
        "february",
        "glupteba",
        "diavol",
        "example",
        "phishing",
        "malware",
        "ukraine",
        "august"
      ],
      "references": [
        "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/",
        "https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee"
      ],
      "public": 1,
      "adversary": "CyberCrime Investigation",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "THREAT ANALYSIS",
          "display_name": "THREAT ANALYSIS",
          "target": null
        },
        {
          "id": "Trickbot",
          "display_name": "Trickbot",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Conti",
          "display_name": "Conti",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        }
      ],
      "industries": [
        "Healthcare"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "mohdrennis",
        "id": "138092",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-SHA256": 8,
        "URL": 1,
        "domain": 20
      },
      "indicator_count": 30,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 363,
      "modified_text": "1501 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62380071387a053e59591393",
      "name": "Exposing initial access broker with ties to Conti.",
      "description": "Exposing initial access broker with ties to Conti. Added 21/03/2022.",
      "modified": "2022-04-20T00:02:21.571000",
      "created": "2022-03-21T04:34:57.634000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "sarventhar1993",
        "id": "125638",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_125638/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 8,
        "URL": 1,
        "domain": 20
      },
      "indicator_count": 29,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 55,
      "modified_text": "1502 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62382bc2ac9a0bd6688bb3d9",
      "name": "Google: Exotic Lily, an Initial Access Broker is Affiliated with Conti and Diavol Ransomware Groups",
      "description": "Google's Threat Analysis Group (TAG) observed a financially motivated threat actor named Exotic Lily, exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). The TAG determined they are an Initial Access Broker (IAB) and said it is closely affiliated with a Russian cybercrime gang notorious for its Conti and Diavol ransomware operations.\n\nBusiness proposal-themed emails sent\nAs part of widespread phishing campaigns, the threat group has sent no fewer than 5,000 business proposal-themed emails a day to 650 targeted organizations globally. These groups specialize in breaching a target to open the doors, or the Windows, to the malicious actor with the highest bid.",
      "modified": "2022-04-20T00:02:21.571000",
      "created": "2022-03-21T07:39:46.288000",
      "tags": [
        "iocs domains",
        "bazarloader iso",
        "bumblebee iso",
        "bumblebee c2",
        "Google",
        "Exotic Lily"
      ],
      "references": [
        "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/"
      ],
      "public": 1,
      "adversary": "Informational",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "SVThreatIntel",
        "id": "148120",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 6,
        "domain": 20
      },
      "indicator_count": 26,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 193,
      "modified_text": "1502 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "623830bd47cc4a95fa27a39c",
      "name": "Exposing initial access broker with ties to Conti",
      "description": "",
      "modified": "2022-04-20T00:02:21.571000",
      "created": "2022-03-21T08:01:01.639000",
      "tags": [
        "iocs domains",
        "bazarloader iso",
        "bumblebee iso",
        "bumblebee c2",
        "Google",
        "Exotic Lily"
      ],
      "references": [
        "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/"
      ],
      "public": 1,
      "adversary": "Informational",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "62382bc2ac9a0bd6688bb3d9",
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 6,
        "domain": 20
      },
      "indicator_count": 26,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 865,
      "modified_text": "1502 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "elemblo.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "elemblo.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780245572.8191853
}