{ "type": "Domain", "indicator": "faceappinc.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/faceappinc.com", "alexa": "http://www.alexa.com/siteinfo/faceappinc.com", "indicator": "faceappinc.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3669798099, "indicator": "faceappinc.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 18, "pulses": [ { "id": "6710059101b736e38b9cd2b0", "name": "Black Basta", "description": "Black Basta is a financially motivated ransomware group that began operations in 2022. It targets organizations across various sectors, including manufacturing, healthcare, and finance, using a double extortion method. The group encrypts victims' systems and threatens to leak stolen data unless a ransom is paid. Their ransomware spreads via phishing campaigns, exploiting vulnerabilities in systems. Black Basta is known for collaborating with other cybercriminals, which enhances the impact and sophistication of their attacks.", "modified": "2024-11-15T17:03:59.652000", "created": "2024-10-16T18:27:29.179000", "tags": [ "strong", "black basta", "cisa", "powershell", "ransomware", "cobalt strike", "phishing", "mimikatz", "qakbot", "psexec", "bits", "webdav", "winscp", "conti", "anydesk", "quick assist", "netsupport", "windows", "blackbasta", "batloader", "rclone", "vmware esxi", "netcat", "qbot", "emotet", "trickbot", "pinkslipbot", "team", "C++", "Linux", "ChaCha20", "RSA-4096", "ConnectWise", "ZeroLogon", "NoPac", "PrintNightmare", "CVE-2024-1709", "CVE-2024-26169", "CVE-2020-1472", "CVE-2021-42278", "CVE-2021-42287", "CVE-2021-34527", "BITSAdmin", "Cobalt Strike", "Netcat", "ScreenConnect", "NetSupport Manager", "SystemBC", "Qakbot", "WMI", "RClone", "SoftPerfect", "BackStab", "EvilProxy", "Splashtop", "WinSCP", "C2", "CVE-2022-30190", "Storm-1811", "spear phishing", "Coroxy", "cobeacon", "RaaS", "aa24-131a", "wandering spider", "Conti", "wizard spider", "BGH" ], "references": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a", "https://blog.qualys.com/vulnerabilities-threat-research/2024/09/19/black-basta-ransomware-what-you-need-to-know", "https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/", "https://darktrace.com/blog/black-basta-old-dogs-with-new-tricks", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-black-basta", "https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies", "https://www.cve.org/CVERecord?id=CVE-2020-1472", "https://www.cve.org/CVERecord?id=CVE-2021-34527", "https://www.cve.org/CVERecord?id=CVE-2021-42278", "https://www.cve.org/CVERecord?id=CVE-2021-42287", "https://www.cve.org/CVERecord?id=CVE-2024-1709", "https://www.cve.org/CVERecord?id=CVE-2024-26169", "https://www.cve.org/CVERecord?id=CVE-2022-30190", "https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta" ], "public": 1, "adversary": "Black Basta", "targeted_countries": [ "United States of America", "Germany", "Canada", "Australia", "New Zealand", "Japan", "France", "United Kingdom of Great Britain and Northern Ireland", "Italy", "Switzerland" ], "malware_families": [ { "id": "Conti", "display_name": "Conti", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Black Basta", "display_name": "Black Basta", "target": null }, { "id": "Primary NetSupport", "display_name": "Primary NetSupport", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "Basta Linux", "display_name": "Basta Linux", "target": null }, { "id": "Widespread QBot", "display_name": "Widespread QBot", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "TrojanDownloader:O97M/Qakbot", "display_name": "TrojanDownloader:O97M/Qakbot", "target": "/malware/TrojanDownloader:O97M/Qakbot" }, { "id": "Trojan:Win32/QBot", "display_name": "Trojan:Win32/QBot", "target": "/malware/Trojan:Win32/QBot" }, { "id": "Trojan:Win32/Qakbot", "display_name": "Trojan:Win32/Qakbot", "target": "/malware/Trojan:Win32/Qakbot" }, { "id": "TrojanSpy:Win32/Qakbot", "display_name": "TrojanSpy:Win32/Qakbot", "target": "/malware/TrojanSpy:Win32/Qakbot" }, { "id": "Behavior:Win32/Qakbot", "display_name": "Behavior:Win32/Qakbot", "target": "/malware/Behavior:Win32/Qakbot" }, { "id": "Behavior:Win32/Basta", "display_name": "Behavior:Win32/Basta", "target": "/malware/Behavior:Win32/Basta" }, { "id": "Ransom:Win32/Basta", "display_name": "Ransom:Win32/Basta", "target": "/malware/Ransom:Win32/Basta" }, { "id": "Trojan:Win32/Basta", "display_name": "Trojan:Win32/Basta", "target": "/malware/Trojan:Win32/Basta" }, { "id": "Behavior:Win32/CobaltStrike", "display_name": "Behavior:Win32/CobaltStrike", "target": "/malware/Behavior:Win32/CobaltStrike" }, { "id": "Backdoor:Win64/CobaltStrike", "display_name": "Backdoor:Win64/CobaltStrike", "target": "/malware/Backdoor:Win64/CobaltStrike" }, { "id": "HackTool:Win64/CobaltStrike", "display_name": "HackTool:Win64/CobaltStrike", "target": "/malware/HackTool:Win64/CobaltStrike" }, { "id": "TrojanDropper:PowerShell/Cobacis", "display_name": "TrojanDropper:PowerShell/Cobacis", "target": "/malware/TrojanDropper:PowerShell/Cobacis" }, { "id": "Trojan:Win64/TurtleLoader.CS", "display_name": "Trojan:Win64/TurtleLoader.CS", "target": "/malware/Trojan:Win64/TurtleLoader.CS" }, { "id": "Exploit:Win32/ShellCode.BN", "display_name": "Exploit:Win32/ShellCode.BN", "target": "/malware/Exploit:Win32/ShellCode.BN" }, { "id": "Behavior:Win32/SystemBC", "display_name": "Behavior:Win32/SystemBC", "target": "/malware/Behavior:Win32/SystemBC" }, { "id": "Trojan: Win32/SystemBC", "display_name": "Trojan: Win32/SystemBC", "target": "/malware/Trojan: Win32/SystemBC" } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1531", "name": "Account Access Removal", "display_name": "T1531 - Account Access Removal" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1187", "name": "Forced Authentication", "display_name": "T1187 - Forced Authentication" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" } ], "industries": [ "Critical Infrastructure", "Healthcare", "Manufacturing", "Construction", "Retail", "Legal", "Finance", "Technology", "Emergency Services", "Media", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 52, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "v0od0o.exe", "id": "273579", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 111, "FileHash-SHA1": 110, "FileHash-SHA256": 148, "CVE": 7, "domain": 113, "hostname": 62, "URL": 4 }, "indicator_count": 555, "is_author": false, "is_subscribing": null, "subscriber_count": 27, "modified_text": "562 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709a1e31eda9b131962779", "name": "InQuest - 04-05-2023", "description": "", "modified": "2023-12-06T15:58:22.072000", "created": "2023-12-06T15:58:22.072000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 469, "URL": 1770, "hostname": 821, "domain": 718, "FileHash-MD5": 78, "FileHash-SHA1": 69 }, "indicator_count": 3925, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709a1560115cb73927eaa1", "name": "InQuest - 03-05-2023", "description": "", "modified": "2023-12-06T15:58:13.968000", "created": "2023-12-06T15:58:13.968000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 454, "URL": 1797, "hostname": 843, "domain": 724, "FileHash-MD5": 55, "FileHash-SHA1": 69 }, "indicator_count": 3942, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709a095facfe58fcad4bd0", "name": "InQuest - 02-05-2023", "description": "", "modified": "2023-12-06T15:58:01.458000", "created": "2023-12-06T15:58:01.458000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 419, "URL": 1822, "hostname": 891, "domain": 701, "FileHash-MD5": 55, "FileHash-SHA1": 41 }, "indicator_count": 3929, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709a04b18f314c64abf0c8", "name": "InQuest - 01-05-2023", "description": "", "modified": "2023-12-06T15:57:56.775000", "created": "2023-12-06T15:57:56.775000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 419, "URL": 1829, "hostname": 899, "domain": 701, "FileHash-MD5": 55, "FileHash-SHA1": 41 }, "indicator_count": 3944, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657099ea0b8537116278bcd0", "name": "InQuest - 30-04-2023", "description": "", "modified": "2023-12-06T15:57:30.763000", "created": "2023-12-06T15:57:30.763000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 399, "URL": 1842, "hostname": 919, "domain": 694, "FileHash-MD5": 55, "FileHash-SHA1": 41 }, "indicator_count": 3950, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657099e050d6f13c0fe4bf5d", "name": "InQuest - 29-04-2023", "description": "", "modified": "2023-12-06T15:57:20.556000", "created": "2023-12-06T15:57:20.556000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 399, "URL": 1842, "hostname": 919, "domain": 694, "FileHash-MD5": 55, "FileHash-SHA1": 41 }, "indicator_count": 3950, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64543de5371b85332405dc01", "name": "InQuest - 04-05-2023", "description": "", "modified": "2023-05-04T23:21:09.455000", "created": "2023-05-04T23:21:09.455000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 469, "domain": 718, "URL": 1770, "FileHash-MD5": 78, "hostname": 821, "IPv4": 75, "FileHash-SHA1": 69 }, "indicator_count": 4000, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1122 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6452ec4398064bbe35f12ffa", "name": "InQuest - 03-05-2023", "description": "", "modified": "2023-05-03T23:20:35.475000", "created": "2023-05-03T23:20:35.475000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 724, "URL": 1797, "FileHash-SHA1": 69, "IPv4": 73, "FileHash-SHA256": 454, "hostname": 843, "FileHash-MD5": 55 }, "indicator_count": 4015, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1123 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64519b5f16e353d4bebbbdd9", "name": "InQuest - 02-05-2023", "description": "", "modified": "2023-05-02T23:23:11.858000", "created": "2023-05-02T23:23:11.858000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 701, "URL": 1822, "hostname": 891, "FileHash-SHA256": 419, "FileHash-MD5": 55, "IPv4": 72, "FileHash-SHA1": 41 }, "indicator_count": 4001, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1124 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "645048e2231cba9be9c8d5c2", "name": "InQuest - 01-05-2023", "description": "", "modified": "2023-05-01T23:18:58.420000", "created": "2023-05-01T23:18:58.420000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 701, "URL": 1829, "hostname": 899, "FileHash-SHA256": 419, "FileHash-MD5": 55, "IPv4": 72, "FileHash-SHA1": 41 }, "indicator_count": 4016, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1125 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "644ef75b3a875ec8d5e5065e", "name": "InQuest - 30-04-2023", "description": "", "modified": "2023-04-30T23:18:51.673000", "created": "2023-04-30T23:18:51.673000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 919, "URL": 1842, "FileHash-SHA256": 399, "FileHash-MD5": 55, "IPv4": 74, "domain": 694, "FileHash-SHA1": 41 }, "indicator_count": 4024, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1126 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "644da5e57d7d32f3177b9871", "name": "InQuest - 29-04-2023", "description": "", "modified": "2023-04-29T23:19:01.733000", "created": "2023-04-29T23:19:01.733000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 919, "URL": 1842, "FileHash-SHA256": 399, "FileHash-MD5": 55, "IPv4": 74, "domain": 694, "FileHash-SHA1": 41 }, "indicator_count": 4024, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1127 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "644b03abf6537892ff63a718", "name": "InQuest - 27-04-2023", "description": "", "modified": "2023-04-27T23:22:17.833000", "created": "2023-04-27T23:22:17.833000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 979, "URL": 1905, "FileHash-SHA256": 217, "FileHash-MD5": 54, "IPv4": 62, "domain": 712, "FileHash-SHA1": 42 }, "indicator_count": 3971, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1129 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6449b1f3523698c1219d730e", "name": "InQuest - 26-04-2023", "description": "", "modified": "2023-04-26T23:21:23.657000", "created": "2023-04-26T23:21:23.657000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 987, "URL": 1906, "IPv4": 54, "FileHash-SHA256": 205, "FileHash-MD5": 45, "domain": 713, "FileHash-SHA1": 42 }, "indicator_count": 3952, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1130 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64485ff7dbe981c89fa08dd0", "name": "InQuest - 25-04-2023", "description": "", "modified": "2023-04-25T23:19:19.304000", "created": "2023-04-25T23:19:19.304000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 54, "FileHash-SHA256": 205, "FileHash-MD5": 45, "hostname": 986, "URL": 1905, "domain": 713, "FileHash-SHA1": 42 }, "indicator_count": 3950, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1131 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64470efb667d4ea9e2e506ea", "name": "InQuest - 24-04-2023", "description": "", "modified": "2023-04-24T23:21:31.731000", "created": "2023-04-24T23:21:31.731000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 54, "hostname": 996, "URL": 1912, "domain": 712, "FileHash-SHA256": 185, "FileHash-MD5": 41, "FileHash-SHA1": 42 }, "indicator_count": 3942, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1132 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64470eeead40962014c75fe5", "name": "Twitter Feed - malwrhunterteam - 24-04-2023", "description": "", "modified": "2023-04-24T23:21:18.636000", "created": "2023-04-24T23:21:18.636000", "tags": [], "references": [ "https://twitter.com/malwrhunterteam/status/1650455548649693187", "https://twitter.com/malwrhunterteam/status/1650469422404886528", "https://twitter.com/malwrhunterteam/status/1650472081589518338", "https://twitter.com/malwrhunterteam/status/1650513442090934276", "https://twitter.com/malwrhunterteam/status/1650552836684492813", "https://twitter.com/malwrhunterteam/status/1650560353149898753", "https://twitter.com/malwrhunterteam/status/1650562446996787205", "https://twitter.com/malwrhunterteam/status/1650626372811776001" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1, "FileHash-SHA256": 8, "URL": 8, "IPv4": 1 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1132 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://labs.inquest.net/iocdb", "https://twitter.com/malwrhunterteam/status/1650455548649693187", "https://www.cve.org/CVERecord?id=CVE-2024-26169", "https://blog.qualys.com/vulnerabilities-threat-research/2024/09/19/black-basta-ransomware-what-you-need-to-know", "https://twitter.com/malwrhunterteam/status/1650560353149898753", "https://twitter.com/malwrhunterteam/status/1650513442090934276", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta", "https://www.cve.org/CVERecord?id=CVE-2021-42278", "https://twitter.com/malwrhunterteam/status/1650472081589518338", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a", "https://twitter.com/malwrhunterteam/status/1650562446996787205", "https://www.cve.org/CVERecord?id=CVE-2020-1472", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-black-basta", "https://www.cve.org/CVERecord?id=CVE-2021-42287", "https://www.cve.org/CVERecord?id=CVE-2021-34527", "https://darktrace.com/blog/black-basta-old-dogs-with-new-tricks", "https://twitter.com/malwrhunterteam/status/1650552836684492813", "https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/", "https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies", "https://twitter.com/malwrhunterteam/status/1650626372811776001", "https://www.cve.org/CVERecord?id=CVE-2022-30190", "https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/", "https://www.cve.org/CVERecord?id=CVE-2024-1709", "https://twitter.com/malwrhunterteam/status/1650469422404886528", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Black Basta" ], "malware_families": [ "Cobalt strike", "Trojan:win64/turtleloader.cs", "Qbot", "Trojandropper:powershell/cobacis", "Behavior:win32/qakbot", "Trojan:win32/qakbot", "Trojan:win32/qbot", "Backdoor:win64/cobaltstrike", "Qakbot", "Trojanspy:win32/qakbot", "Primary netsupport", "Trojandownloader:o97m/qakbot", "Trojan:win32/basta", "Basta linux", "Behavior:win32/cobaltstrike", "Conti", "Trojan: win32/systembc", "Widespread qbot", "Behavior:win32/basta", "Netsupport", "Ransom:win32/basta", "Hacktool:win64/cobaltstrike", "Behavior:win32/systembc", "Exploit:win32/shellcode.bn", "Black basta" ], "industries": [ "Finance", "Media", "Technology", "Manufacturing", "Healthcare", "Legal", "Critical infrastructure", "Retail", "Construction", "Emergency services", "Transportation" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 18, "pulses": [ { "id": "6710059101b736e38b9cd2b0", "name": "Black Basta", "description": "Black Basta is a financially motivated ransomware group that began operations in 2022. It targets organizations across various sectors, including manufacturing, healthcare, and finance, using a double extortion method. The group encrypts victims' systems and threatens to leak stolen data unless a ransom is paid. Their ransomware spreads via phishing campaigns, exploiting vulnerabilities in systems. Black Basta is known for collaborating with other cybercriminals, which enhances the impact and sophistication of their attacks.", "modified": "2024-11-15T17:03:59.652000", "created": "2024-10-16T18:27:29.179000", "tags": [ "strong", "black basta", "cisa", "powershell", "ransomware", "cobalt strike", "phishing", "mimikatz", "qakbot", "psexec", "bits", "webdav", "winscp", "conti", "anydesk", "quick assist", "netsupport", "windows", "blackbasta", "batloader", "rclone", "vmware esxi", "netcat", "qbot", "emotet", "trickbot", "pinkslipbot", "team", "C++", "Linux", "ChaCha20", "RSA-4096", "ConnectWise", "ZeroLogon", "NoPac", "PrintNightmare", "CVE-2024-1709", "CVE-2024-26169", "CVE-2020-1472", "CVE-2021-42278", "CVE-2021-42287", "CVE-2021-34527", "BITSAdmin", "Cobalt Strike", "Netcat", "ScreenConnect", "NetSupport Manager", "SystemBC", "Qakbot", "WMI", "RClone", "SoftPerfect", "BackStab", "EvilProxy", "Splashtop", "WinSCP", "C2", "CVE-2022-30190", "Storm-1811", "spear phishing", "Coroxy", "cobeacon", "RaaS", "aa24-131a", "wandering spider", "Conti", "wizard spider", "BGH" ], "references": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a", "https://blog.qualys.com/vulnerabilities-threat-research/2024/09/19/black-basta-ransomware-what-you-need-to-know", "https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/", "https://darktrace.com/blog/black-basta-old-dogs-with-new-tricks", "https://www.fortinet.com/blog/threat-research/ransomware-roundup-black-basta", "https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies", "https://www.cve.org/CVERecord?id=CVE-2020-1472", "https://www.cve.org/CVERecord?id=CVE-2021-34527", "https://www.cve.org/CVERecord?id=CVE-2021-42278", "https://www.cve.org/CVERecord?id=CVE-2021-42287", "https://www.cve.org/CVERecord?id=CVE-2024-1709", "https://www.cve.org/CVERecord?id=CVE-2024-26169", "https://www.cve.org/CVERecord?id=CVE-2022-30190", "https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta" ], "public": 1, "adversary": "Black Basta", "targeted_countries": [ "United States of America", "Germany", "Canada", "Australia", "New Zealand", "Japan", "France", "United Kingdom of Great Britain and Northern Ireland", "Italy", "Switzerland" ], "malware_families": [ { "id": "Conti", "display_name": "Conti", "target": null }, { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Black Basta", "display_name": "Black Basta", "target": null }, { "id": "Primary NetSupport", "display_name": "Primary NetSupport", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "Basta Linux", "display_name": "Basta Linux", "target": null }, { "id": "Widespread QBot", "display_name": "Widespread QBot", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "TrojanDownloader:O97M/Qakbot", "display_name": "TrojanDownloader:O97M/Qakbot", "target": "/malware/TrojanDownloader:O97M/Qakbot" }, { "id": "Trojan:Win32/QBot", "display_name": "Trojan:Win32/QBot", "target": "/malware/Trojan:Win32/QBot" }, { "id": "Trojan:Win32/Qakbot", "display_name": "Trojan:Win32/Qakbot", "target": "/malware/Trojan:Win32/Qakbot" }, { "id": "TrojanSpy:Win32/Qakbot", "display_name": "TrojanSpy:Win32/Qakbot", "target": "/malware/TrojanSpy:Win32/Qakbot" }, { "id": "Behavior:Win32/Qakbot", "display_name": "Behavior:Win32/Qakbot", "target": "/malware/Behavior:Win32/Qakbot" }, { "id": "Behavior:Win32/Basta", "display_name": "Behavior:Win32/Basta", "target": "/malware/Behavior:Win32/Basta" }, { "id": "Ransom:Win32/Basta", "display_name": "Ransom:Win32/Basta", "target": "/malware/Ransom:Win32/Basta" }, { "id": "Trojan:Win32/Basta", "display_name": "Trojan:Win32/Basta", "target": "/malware/Trojan:Win32/Basta" }, { "id": "Behavior:Win32/CobaltStrike", "display_name": "Behavior:Win32/CobaltStrike", "target": "/malware/Behavior:Win32/CobaltStrike" }, { "id": "Backdoor:Win64/CobaltStrike", "display_name": "Backdoor:Win64/CobaltStrike", "target": "/malware/Backdoor:Win64/CobaltStrike" }, { "id": "HackTool:Win64/CobaltStrike", "display_name": "HackTool:Win64/CobaltStrike", "target": "/malware/HackTool:Win64/CobaltStrike" }, { "id": "TrojanDropper:PowerShell/Cobacis", "display_name": "TrojanDropper:PowerShell/Cobacis", "target": "/malware/TrojanDropper:PowerShell/Cobacis" }, { "id": "Trojan:Win64/TurtleLoader.CS", "display_name": "Trojan:Win64/TurtleLoader.CS", "target": "/malware/Trojan:Win64/TurtleLoader.CS" }, { "id": "Exploit:Win32/ShellCode.BN", "display_name": "Exploit:Win32/ShellCode.BN", "target": "/malware/Exploit:Win32/ShellCode.BN" }, { "id": "Behavior:Win32/SystemBC", "display_name": "Behavior:Win32/SystemBC", "target": "/malware/Behavior:Win32/SystemBC" }, { "id": "Trojan: Win32/SystemBC", "display_name": "Trojan: Win32/SystemBC", "target": "/malware/Trojan: Win32/SystemBC" } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1531", "name": "Account Access Removal", "display_name": "T1531 - Account Access Removal" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1187", "name": "Forced Authentication", "display_name": "T1187 - Forced Authentication" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" } ], "industries": [ "Critical Infrastructure", "Healthcare", "Manufacturing", "Construction", "Retail", "Legal", "Finance", "Technology", "Emergency Services", "Media", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 52, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "v0od0o.exe", "id": "273579", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 111, "FileHash-SHA1": 110, "FileHash-SHA256": 148, "CVE": 7, "domain": 113, "hostname": 62, "URL": 4 }, "indicator_count": 555, "is_author": false, "is_subscribing": null, "subscriber_count": 27, "modified_text": "562 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709a1e31eda9b131962779", "name": "InQuest - 04-05-2023", "description": "", "modified": "2023-12-06T15:58:22.072000", "created": "2023-12-06T15:58:22.072000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 469, "URL": 1770, "hostname": 821, "domain": 718, "FileHash-MD5": 78, "FileHash-SHA1": 69 }, "indicator_count": 3925, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709a1560115cb73927eaa1", "name": "InQuest - 03-05-2023", "description": "", "modified": "2023-12-06T15:58:13.968000", "created": "2023-12-06T15:58:13.968000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 454, "URL": 1797, "hostname": 843, "domain": 724, "FileHash-MD5": 55, "FileHash-SHA1": 69 }, "indicator_count": 3942, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709a095facfe58fcad4bd0", "name": "InQuest - 02-05-2023", "description": "", "modified": "2023-12-06T15:58:01.458000", "created": "2023-12-06T15:58:01.458000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 419, "URL": 1822, "hostname": 891, "domain": 701, "FileHash-MD5": 55, "FileHash-SHA1": 41 }, "indicator_count": 3929, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709a04b18f314c64abf0c8", "name": "InQuest - 01-05-2023", "description": "", "modified": "2023-12-06T15:57:56.775000", "created": "2023-12-06T15:57:56.775000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 419, "URL": 1829, "hostname": 899, "domain": 701, "FileHash-MD5": 55, "FileHash-SHA1": 41 }, "indicator_count": 3944, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657099ea0b8537116278bcd0", "name": "InQuest - 30-04-2023", "description": "", "modified": "2023-12-06T15:57:30.763000", "created": "2023-12-06T15:57:30.763000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 399, "URL": 1842, "hostname": 919, "domain": 694, "FileHash-MD5": 55, "FileHash-SHA1": 41 }, "indicator_count": 3950, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657099e050d6f13c0fe4bf5d", "name": "InQuest - 29-04-2023", "description": "", "modified": "2023-12-06T15:57:20.556000", "created": "2023-12-06T15:57:20.556000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 399, "URL": 1842, "hostname": 919, "domain": 694, "FileHash-MD5": 55, "FileHash-SHA1": 41 }, "indicator_count": 3950, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64543de5371b85332405dc01", "name": "InQuest - 04-05-2023", "description": "", "modified": "2023-05-04T23:21:09.455000", "created": "2023-05-04T23:21:09.455000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 469, "domain": 718, "URL": 1770, "FileHash-MD5": 78, "hostname": 821, "IPv4": 75, "FileHash-SHA1": 69 }, "indicator_count": 4000, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1122 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6452ec4398064bbe35f12ffa", "name": "InQuest - 03-05-2023", "description": "", "modified": "2023-05-03T23:20:35.475000", "created": "2023-05-03T23:20:35.475000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 724, "URL": 1797, "FileHash-SHA1": 69, "IPv4": 73, "FileHash-SHA256": 454, "hostname": 843, "FileHash-MD5": 55 }, "indicator_count": 4015, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1123 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64519b5f16e353d4bebbbdd9", "name": "InQuest - 02-05-2023", "description": "", "modified": "2023-05-02T23:23:11.858000", "created": "2023-05-02T23:23:11.858000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 701, "URL": 1822, "hostname": 891, "FileHash-SHA256": 419, "FileHash-MD5": 55, "IPv4": 72, "FileHash-SHA1": 41 }, "indicator_count": 4001, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1124 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "faceappinc.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "faceappinc.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780269459.8047857 }