{ "type": "Domain", "indicator": "firstaholic.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/firstaholic.com", "alexa": "http://www.alexa.com/siteinfo/firstaholic.com", "indicator": "firstaholic.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2832172752, "indicator": "firstaholic.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "602d94a51d5a1e11cc85feef", "name": "New Ryuk infrastructure February 2021", "description": "New Ryuk infrastructure February 2021 based on domain registration, SSL certificate characteristics and Cobalt Strike patterns.", "modified": "2021-02-19T15:47:18.825000", "created": "2021-02-17T22:11:49.727000", "tags": [ "ryuk", "UNC1878", "Cobalt Strike" ], "references": [], "public": 1, "adversary": "UNC1878", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 316, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 29 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 387204, "modified_text": "1930 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6220a96f7c3dabb66a118a1e", "name": "Russian related IOCs", "description": "", "modified": "2022-04-01T00:01:54.852000", "created": "2022-03-03T11:41:35.379000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "vtomljanovic", "id": "78099", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 1, "domain": 1003, "hostname": 11 }, "indicator_count": 1016, "is_author": false, "is_subscribing": null, "subscriber_count": 52, "modified_text": "1524 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "60270132358b8b1ebf382635", "name": "Group of Related Servers Including Several Cobalt Strike C2", "description": "A few of these IPs showed up as destinations in connections from a Cobalt Strike beacon we were investigating. Looking across the same ASN, we noticed a distinct pattern in the SSL certificate subject information that strongly indicated that this list of servers were probably all related infrastructure. The connections out to the CS server we were studying were very frequent (about once every 10 seconds) so if you see a high volume of connections to any of these IPs or high frequency DNS lookups for these domain names, you should investigate for sure. All of these servers appear to be in Russia. We think this is part of a UNC1878 campaign and might result in Ryuk.", "modified": "2021-03-15T18:05:52.292000", "created": "2021-02-12T22:29:06.933000", "tags": [], "references": [], "public": 1, "adversary": "UNC1878", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:Cobalt_beacon_dll", "display_name": "ALF:Cobalt_beacon_dll", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BinaryDefense", "id": "111374", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_111374/resized/80/avatar_ca13c2b840.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28 }, "indicator_count": 28, "is_author": false, "is_subscribing": null, "subscriber_count": 274, "modified_text": "1906 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "602a98f13993fed5bf3635ce", "name": "UNC1878 Suspected CobaltStrike IPs", "description": "A few of these IPs showed up as destinations in connections from a Cobalt Strike beacon we were investigating. Looking across the same ASN, we noticed a distinct pattern in the SSL certificate subject information that strongly indicated that this list of servers were probably all related infrastructure. The connections out to the CS server we were studying were very frequent (about once every 10 seconds) so if you see a high volume of connections to any of these IPs or high frequency DNS lookups for these domain names, you should investigate for sure. All of these servers appear to be in Russia. We think this is part of a UNC1878 campaign and might result in Ryuk.", "modified": "2021-03-15T18:05:52.292000", "created": "2021-02-15T15:53:21.222000", "tags": [ "Ryuk", "CobaltStrike", "UNC1878" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Cobaltstrike", "display_name": "Trojan:Win32/Cobaltstrike", "target": "/malware/Trojan:Win32/Cobaltstrike" } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BinaryDefense", "id": "111374", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_111374/resized/80/avatar_ca13c2b840.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 274, "modified_text": "1906 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "references": [], "related": { "alienvault": { "adversary": [ "UNC1878" ], "malware_families": [ "Cobalt strike" ], "industries": [] }, "other": { "adversary": [ "UNC1878" ], "malware_families": [ "Trojan:win32/cobaltstrike", "Cobalt strike", "Alf:cobalt_beacon_dll" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "602d94a51d5a1e11cc85feef", "name": "New Ryuk infrastructure February 2021", "description": "New Ryuk infrastructure February 2021 based on domain registration, SSL certificate characteristics and Cobalt Strike patterns.", "modified": "2021-02-19T15:47:18.825000", "created": "2021-02-17T22:11:49.727000", "tags": [ "ryuk", "UNC1878", "Cobalt Strike" ], "references": [], "public": 1, "adversary": "UNC1878", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 316, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 29 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 387204, "modified_text": "1930 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6220a96f7c3dabb66a118a1e", "name": "Russian related IOCs", "description": "", "modified": "2022-04-01T00:01:54.852000", "created": "2022-03-03T11:41:35.379000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "vtomljanovic", "id": "78099", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 1, "domain": 1003, "hostname": 11 }, "indicator_count": 1016, "is_author": false, "is_subscribing": null, "subscriber_count": 52, "modified_text": "1524 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "60270132358b8b1ebf382635", "name": "Group of Related Servers Including Several Cobalt Strike C2", "description": "A few of these IPs showed up as destinations in connections from a Cobalt Strike beacon we were investigating. Looking across the same ASN, we noticed a distinct pattern in the SSL certificate subject information that strongly indicated that this list of servers were probably all related infrastructure. The connections out to the CS server we were studying were very frequent (about once every 10 seconds) so if you see a high volume of connections to any of these IPs or high frequency DNS lookups for these domain names, you should investigate for sure. All of these servers appear to be in Russia. We think this is part of a UNC1878 campaign and might result in Ryuk.", "modified": "2021-03-15T18:05:52.292000", "created": "2021-02-12T22:29:06.933000", "tags": [], "references": [], "public": 1, "adversary": "UNC1878", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:Cobalt_beacon_dll", "display_name": "ALF:Cobalt_beacon_dll", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BinaryDefense", "id": "111374", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_111374/resized/80/avatar_ca13c2b840.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28 }, "indicator_count": 28, "is_author": false, "is_subscribing": null, "subscriber_count": 274, "modified_text": "1906 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "602a98f13993fed5bf3635ce", "name": "UNC1878 Suspected CobaltStrike IPs", "description": "A few of these IPs showed up as destinations in connections from a Cobalt Strike beacon we were investigating. Looking across the same ASN, we noticed a distinct pattern in the SSL certificate subject information that strongly indicated that this list of servers were probably all related infrastructure. The connections out to the CS server we were studying were very frequent (about once every 10 seconds) so if you see a high volume of connections to any of these IPs or high frequency DNS lookups for these domain names, you should investigate for sure. All of these servers appear to be in Russia. We think this is part of a UNC1878 campaign and might result in Ryuk.", "modified": "2021-03-15T18:05:52.292000", "created": "2021-02-15T15:53:21.222000", "tags": [ "Ryuk", "CobaltStrike", "UNC1878" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Cobaltstrike", "display_name": "Trojan:Win32/Cobaltstrike", "target": "/malware/Trojan:Win32/Cobaltstrike" } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BinaryDefense", "id": "111374", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_111374/resized/80/avatar_ca13c2b840.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 274, "modified_text": "1906 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "firstaholic.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "firstaholic.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780526212.0253782 }