{ "type": "Domain", "indicator": "facabeand.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/facabeand.com", "alexa": "http://www.alexa.com/siteinfo/facabeand.com", "indicator": "facabeand.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 624277737, "indicator": "facabeand.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "65707c434f91523ec123b1cf", "name": "Hancitor Malware Indicators", "description": "", "modified": "2023-12-06T13:50:59.476000", "created": "2023-12-06T13:50:59.476000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 674, "URL": 732, "IPv4": 15, "email": 6, "FileHash-SHA256": 13, "hostname": 24, "FileHash-MD5": 3 }, "indicator_count": 1467, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "909 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707a49c9c4e24ed9f94a29", "name": "Vertek - Hancitor Malware Indicators", "description": "", "modified": "2023-12-06T13:42:33.314000", "created": "2023-12-06T13:42:33.314000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 674, "URL": 732, "IPv4": 15, "email": 6, "FileHash-SHA256": 13, "hostname": 24, "FileHash-MD5": 3 }, "indicator_count": 1467, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "909 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "651e6908ade83b630de8740f", "name": "Cuba\u2019s BurntCigar malware", "description": "", "modified": "2023-11-04T07:02:32.756000", "created": "2023-10-05T07:43:03.865000", "tags": [], "references": [ "September 16th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3255 Cuba\u2019s BurntCigar malware" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 74, "domain": 33, "FileHash-SHA256": 56, "hostname": 11, "BitcoinAddress": 18, "CVE": 4, "FileHash-MD5": 20, "FileHash-SHA1": 21, "email": 24 }, "indicator_count": 261, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "941 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6440c56aba60e316105e8b2e", "name": "#StopRansomware: Cuba Ransomware", "description": "The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA\nto disseminate known Cuba ransomware IOCs and TTPs associated with Cuba ransomware actors\nidentified through FBI investigations, third-party reporting, and open-source reporting", "modified": "2023-04-20T04:54:02.758000", "created": "2023-04-20T04:54:02.758000", "tags": [], "references": [ "https://www.cisa.gov/sites/default/files/publications/aa22-335a-stopransomware-cuba-ransomware.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Oracle02", "id": "234687", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 65, "BitcoinAddress": 18, "CVE": 2, "FileHash-MD5": 3, "FileHash-SHA1": 4, "FileHash-SHA256": 2, "URL": 19, "domain": 19, "email": 11, "hostname": 2 }, "indicator_count": 145, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "1139 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6399a7bc796f92394867f43b", "name": "#StopRansomware: Cuba Ransomware | CISA", "description": "", "modified": "2023-01-13T10:03:55.198000", "created": "2022-12-14T10:38:52.042000", "tags": [ "uscert", "csirt", "cert", "cybersecurity", "cyber security", "computer security", "u. s. computer emergency readiness", "cyber risks", "cuba ransomware", "sha256", "industrial spy", "late august", "palo alto", "fbi flash", "august", "networks unit", "romcom", "romcom rat", "hancitor", "phishing", "rats", "cuba", "service", "lsass", "qbot", "ukraine", "powershell" ], "references": [ "https://www.cisa.gov/uscert/ncas/alerts/aa22-335a" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 12, "BitcoinAddress": 18, "CVE": 2, "FileHash-MD5": 13, "FileHash-SHA1": 14, "FileHash-SHA256": 47, "URL": 19, "domain": 19, "hostname": 1 }, "indicator_count": 145, "is_author": false, "is_subscribing": null, "subscriber_count": 867, "modified_text": "1236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63aa973b66bd186912d90650", "name": "Cuba Ransomware | CISA", "description": "", "modified": "2023-01-13T10:03:55.198000", "created": "2022-12-27T06:56:59.946000", "tags": [ "uscert", "csirt", "cert", "cybersecurity", "cyber security", "computer security", "u. s. computer emergency readiness", "cyber risks", "cuba ransomware", "sha256", "industrial spy", "late august", "palo alto", "fbi flash", "august", "networks unit", "romcom", "romcom rat", "hancitor", "phishing", "rats", "cuba", "service", "lsass", "qbot", "ukraine", "powershell" ], "references": [ "https://www.cisa.gov/uscert/ncas/alerts/aa22-335a" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "6399a7bc796f92394867f43b", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fontwang1234", "id": "196068", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 12, "BitcoinAddress": 18, "CVE": 2, "FileHash-MD5": 13, "FileHash-SHA1": 14, "FileHash-SHA256": 47, "URL": 19, "domain": 19, "hostname": 1 }, "indicator_count": 145, "is_author": false, "is_subscribing": null, "subscriber_count": 53, "modified_text": "1236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6388fb4f9a5a24fe5862157d", "name": "#StopRansomware: Cuba Ransomware | CISA", "description": "The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing a joint cybersecurity advisory on Cuba ransomware, which they say has compromised more than 100 entities worldwide and demanded ransoms for their services.", "modified": "2023-01-12T21:02:22.235000", "created": "2022-12-01T19:06:55.243000", "tags": [ "romcom", "cuba", "industrial spy", "use", "remote access", "qbot", "lapsus nvidia", "sample cuba", "uscert", "csirt", "cert", "cybersecurity", "cyber security", "computer security", "u. s. computer emergency readiness", "cyber risks", "cuba ransomware", "sha256", "late august", "palo alto", "fbi flash", "august", "networks unit", "romcom rat", "hancitor", "phishing", "rats", "service", "lsass", "ukraine", "powershell" ], "references": [ "https://www.cisa.gov/uscert/ncas/alerts/aa22-335a", "https://www.ic3.gov/Media/News/2021/211203-2.pdf", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-335A-2.stix.xml" ], "public": 1, "adversary": "RomCom", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Sample Cuba", "display_name": "Sample Cuba", "target": null }, { "id": "RomCom", "display_name": "RomCom", "target": null }, { "id": "LAPSUS NVIDIA", "display_name": "LAPSUS NVIDIA", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "Remote Access", "display_name": "Remote Access", "target": null }, { "id": "Use", "display_name": "Use", "target": null }, { "id": "Industrial Spy", "display_name": "Industrial Spy", "target": null }, { "id": "Cuba", "display_name": "Cuba", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [ "Food", "Military", "Information Technology", "Manufacturing", "Government", "Financial Services", "Foreign", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cyber74Team", "id": "202637", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 38, "BitcoinAddress": 18, "CVE": 2, "FileHash-MD5": 30, "FileHash-SHA1": 31, "FileHash-SHA256": 98, "URL": 19, "domain": 21, "hostname": 1 }, "indicator_count": 258, "is_author": false, "is_subscribing": null, "subscriber_count": 170, "modified_text": "1237 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "617b0857bbab1cd42903ced6", "name": "Hancitor Malware Indicators", "description": "", "modified": "2021-10-28T20:30:15.415000", "created": "2021-10-28T20:30:15.415000", "tags": [ "vsoc", "VertekMTI", "phishing", "hancitor" ], "references": [ "managedthreatintelligence.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "594ac5f2577ea418dd13ca9b", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "VertekLabs", "id": "168455", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 674, "URL": 732, "IPv4": 15, "email": 6, "FileHash-SHA256": 13, "hostname": 24, "FileHash-MD5": 3 }, "indicator_count": 1467, "is_author": false, "is_subscribing": null, "subscriber_count": 563, "modified_text": "1678 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "594ac5f2577ea418dd13ca9b", "name": "Vertek - Hancitor Malware Indicators", "description": "pulse last updated 2018-10-17", "modified": "2019-04-15T16:36:38.728000", "created": "2017-06-21T19:16:02.083000", "tags": [ "vsoc", "VertekMTI", "phishing", "hancitor" ], "references": [ "managedthreatintelligence.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "vthelpdesk", "id": "1766", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_1766/resized/80/avatar_0be7a35fab.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 674, "URL": 732, "IPv4": 15, "email": 6, "FileHash-SHA256": 13, "hostname": 24, "FileHash-MD5": 3 }, "indicator_count": 1467, "is_author": false, "is_subscribing": null, "subscriber_count": 647, "modified_text": "2605 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "managedthreatintelligence.com", "https://www.cisa.gov/uscert/ncas/alerts/aa22-335a", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-335A-2.stix.xml", "https://www.ic3.gov/Media/News/2021/211203-2.pdf", "September 16th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3255 Cuba\u2019s BurntCigar malware", "https://www.cisa.gov/sites/default/files/publications/aa22-335a-stopransomware-cuba-ransomware.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "RomCom" ], "malware_families": [ "Remote access", "Qbot", "Use", "Industrial spy", "Lapsus nvidia", "Sample cuba", "Romcom", "Cuba" ], "industries": [ "Healthcare", "Information technology", "Military", "Foreign", "Food", "Government", "Manufacturing", "Financial services" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "65707c434f91523ec123b1cf", "name": "Hancitor Malware Indicators", "description": "", "modified": "2023-12-06T13:50:59.476000", "created": "2023-12-06T13:50:59.476000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 674, "URL": 732, "IPv4": 15, "email": 6, "FileHash-SHA256": 13, "hostname": 24, "FileHash-MD5": 3 }, "indicator_count": 1467, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "909 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707a49c9c4e24ed9f94a29", "name": "Vertek - Hancitor Malware Indicators", "description": "", "modified": "2023-12-06T13:42:33.314000", "created": "2023-12-06T13:42:33.314000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 674, "URL": 732, "IPv4": 15, "email": 6, "FileHash-SHA256": 13, "hostname": 24, "FileHash-MD5": 3 }, "indicator_count": 1467, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "909 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "651e6908ade83b630de8740f", "name": "Cuba\u2019s BurntCigar malware", "description": "", "modified": "2023-11-04T07:02:32.756000", "created": "2023-10-05T07:43:03.865000", "tags": [], "references": [ "September 16th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3255 Cuba\u2019s BurntCigar malware" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 74, "domain": 33, "FileHash-SHA256": 56, "hostname": 11, "BitcoinAddress": 18, "CVE": 4, "FileHash-MD5": 20, "FileHash-SHA1": 21, "email": 24 }, "indicator_count": 261, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "941 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6440c56aba60e316105e8b2e", "name": "#StopRansomware: Cuba Ransomware", "description": "The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA\nto disseminate known Cuba ransomware IOCs and TTPs associated with Cuba ransomware actors\nidentified through FBI investigations, third-party reporting, and open-source reporting", "modified": "2023-04-20T04:54:02.758000", "created": "2023-04-20T04:54:02.758000", "tags": [], "references": [ "https://www.cisa.gov/sites/default/files/publications/aa22-335a-stopransomware-cuba-ransomware.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Oracle02", "id": "234687", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 65, "BitcoinAddress": 18, "CVE": 2, "FileHash-MD5": 3, "FileHash-SHA1": 4, "FileHash-SHA256": 2, "URL": 19, "domain": 19, "email": 11, "hostname": 2 }, "indicator_count": 145, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "1139 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6399a7bc796f92394867f43b", "name": "#StopRansomware: Cuba Ransomware | CISA", "description": "", "modified": "2023-01-13T10:03:55.198000", "created": "2022-12-14T10:38:52.042000", "tags": [ "uscert", "csirt", "cert", "cybersecurity", "cyber security", "computer security", "u. s. computer emergency readiness", "cyber risks", "cuba ransomware", "sha256", "industrial spy", "late august", "palo alto", "fbi flash", "august", "networks unit", "romcom", "romcom rat", "hancitor", "phishing", "rats", "cuba", "service", "lsass", "qbot", "ukraine", "powershell" ], "references": [ "https://www.cisa.gov/uscert/ncas/alerts/aa22-335a" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 12, "BitcoinAddress": 18, "CVE": 2, "FileHash-MD5": 13, "FileHash-SHA1": 14, "FileHash-SHA256": 47, "URL": 19, "domain": 19, "hostname": 1 }, "indicator_count": 145, "is_author": false, "is_subscribing": null, "subscriber_count": 867, "modified_text": "1236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63aa973b66bd186912d90650", "name": "Cuba Ransomware | CISA", "description": "", "modified": "2023-01-13T10:03:55.198000", "created": "2022-12-27T06:56:59.946000", "tags": [ "uscert", "csirt", "cert", "cybersecurity", "cyber security", "computer security", "u. s. computer emergency readiness", "cyber risks", "cuba ransomware", "sha256", "industrial spy", "late august", "palo alto", "fbi flash", "august", "networks unit", "romcom", "romcom rat", "hancitor", "phishing", "rats", "cuba", "service", "lsass", "qbot", "ukraine", "powershell" ], "references": [ "https://www.cisa.gov/uscert/ncas/alerts/aa22-335a" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "6399a7bc796f92394867f43b", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fontwang1234", "id": "196068", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 12, "BitcoinAddress": 18, "CVE": 2, "FileHash-MD5": 13, "FileHash-SHA1": 14, "FileHash-SHA256": 47, "URL": 19, "domain": 19, "hostname": 1 }, "indicator_count": 145, "is_author": false, "is_subscribing": null, "subscriber_count": 53, "modified_text": "1236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6388fb4f9a5a24fe5862157d", "name": "#StopRansomware: Cuba Ransomware | CISA", "description": "The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing a joint cybersecurity advisory on Cuba ransomware, which they say has compromised more than 100 entities worldwide and demanded ransoms for their services.", "modified": "2023-01-12T21:02:22.235000", "created": "2022-12-01T19:06:55.243000", "tags": [ "romcom", "cuba", "industrial spy", "use", "remote access", "qbot", "lapsus nvidia", "sample cuba", "uscert", "csirt", "cert", "cybersecurity", "cyber security", "computer security", "u. s. computer emergency readiness", "cyber risks", "cuba ransomware", "sha256", "late august", "palo alto", "fbi flash", "august", "networks unit", "romcom rat", "hancitor", "phishing", "rats", "service", "lsass", "ukraine", "powershell" ], "references": [ "https://www.cisa.gov/uscert/ncas/alerts/aa22-335a", "https://www.ic3.gov/Media/News/2021/211203-2.pdf", "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-335A-2.stix.xml" ], "public": 1, "adversary": "RomCom", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Sample Cuba", "display_name": "Sample Cuba", "target": null }, { "id": "RomCom", "display_name": "RomCom", "target": null }, { "id": "LAPSUS NVIDIA", "display_name": "LAPSUS NVIDIA", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "Remote Access", "display_name": "Remote Access", "target": null }, { "id": "Use", "display_name": "Use", "target": null }, { "id": "Industrial Spy", "display_name": "Industrial Spy", "target": null }, { "id": "Cuba", "display_name": "Cuba", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [ "Food", "Military", "Information Technology", "Manufacturing", "Government", "Financial Services", "Foreign", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cyber74Team", "id": "202637", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 38, "BitcoinAddress": 18, "CVE": 2, "FileHash-MD5": 30, "FileHash-SHA1": 31, "FileHash-SHA256": 98, "URL": 19, "domain": 21, "hostname": 1 }, "indicator_count": 258, "is_author": false, "is_subscribing": null, "subscriber_count": 170, "modified_text": "1237 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "617b0857bbab1cd42903ced6", "name": "Hancitor Malware Indicators", "description": "", "modified": "2021-10-28T20:30:15.415000", "created": "2021-10-28T20:30:15.415000", "tags": [ "vsoc", "VertekMTI", "phishing", "hancitor" ], "references": [ "managedthreatintelligence.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "594ac5f2577ea418dd13ca9b", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "VertekLabs", "id": "168455", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 674, "URL": 732, "IPv4": 15, "email": 6, "FileHash-SHA256": 13, "hostname": 24, "FileHash-MD5": 3 }, "indicator_count": 1467, "is_author": false, "is_subscribing": null, "subscriber_count": 563, "modified_text": "1678 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "594ac5f2577ea418dd13ca9b", "name": "Vertek - Hancitor Malware Indicators", "description": "pulse last updated 2018-10-17", "modified": "2019-04-15T16:36:38.728000", "created": "2017-06-21T19:16:02.083000", "tags": [ "vsoc", "VertekMTI", "phishing", "hancitor" ], "references": [ "managedthreatintelligence.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "vthelpdesk", "id": "1766", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_1766/resized/80/avatar_0be7a35fab.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 674, "URL": 732, "IPv4": 15, "email": 6, "FileHash-SHA256": 13, "hostname": 24, "FileHash-MD5": 3 }, "indicator_count": 1467, "is_author": false, "is_subscribing": null, "subscriber_count": 647, "modified_text": "2605 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "facabeand.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "facabeand.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780440548.1497104 }