{ "type": "Domain", "indicator": "firstclassbale.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/firstclassbale.com", "alexa": "http://www.alexa.com/siteinfo/firstclassbale.com", "indicator": "firstclassbale.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3650113967, "indicator": "firstclassbale.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "66dafec6fc6cae465ed44fdf", "name": "URLhaus Country Feed (Canada) enriched", "description": "", "modified": "2025-06-18T23:40:53.759000", "created": "2024-09-06T13:08:22.353000", "tags": [], "references": [ "https://urlhaus.abuse.ch/feeds/country/CA/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 3, "URL": 83203, "domain": 26579, "email": 1, "hostname": 40137, "FileHash-SHA256": 5936, "CVE": 6 }, "indicator_count": 155869, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "346 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570990a42c369f6019ba96e", "name": "Threat Intel Report - W14-2023", "description": "", "modified": "2023-12-06T15:53:46.637000", "created": "2023-12-06T15:53:46.637000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 126, "FileHash-MD5": 36, "FileHash-SHA1": 36, "domain": 70, "hostname": 55, "URL": 89 }, "indicator_count": 412, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654b2c6f971085c27db41ca1", "name": "Recorded Future: ALPHV Ransomware Group (BlackCat Ransomware Group)", "description": "", "modified": "2023-12-03T09:42:21.582000", "created": "2023-11-08T06:36:31.780000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "akhanafeer", "id": "195327", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 37, "FileHash-SHA256": 24, "URL": 9, "domain": 105, "hostname": 4 }, "indicator_count": 197, "is_author": false, "is_subscribing": null, "subscriber_count": 73, "modified_text": "910 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c3a500ebcae1f70b0edce4", "name": "Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator", "description": "Malvertising, spy boy Terminator and Trojan backdoors are all part of the same code used in the latest spy-hunting campaign, as revealed in a series of tweets by the BBC's Panorama programme.", "modified": "2023-08-27T11:04:21.859000", "created": "2023-07-28T11:22:40.557000", "tags": [ "c server", "disease vector", "cobeacon c2", "entry vector", "blackcat", "actors", "leverage spyboy", "terminator", "file iocs", "network iocs", "trojanspy" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt", "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 39, "FileHash-MD5": 16, "FileHash-SHA1": 105, "FileHash-SHA256": 15, "domain": 14, "hostname": 5 }, "indicator_count": 194, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1008 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c2d7f938ef9c14141e3756", "name": "Malvertising as Entry Vector for BlackCat/AlphV - \"Nitrogen\" - TrendMicro", "description": "Early detection of \"Nitrogen\" malware (Initial access) before it was being called that. This mostly covers the infection chain to BlackCat/AlphV.\nFrom TrendMicro - end of June 2023\nMalvertising, spy boy Terminator and Trojan backdoors\nhttps://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html", "modified": "2023-08-26T20:00:35.013000", "created": "2023-07-27T20:47:53.681000", "tags": [ "c server", "disease vector", "cobeacon c2", "entry vector", "blackcat", "leverage spyboy", "terminator", "file iocs", "network iocs", "trojanspy", "nitrogen", "initial access" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt", "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "nitrogen", "display_name": "nitrogen", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Techronik", "id": "114546", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 16, "FileHash-SHA1": 105, "FileHash-SHA256": 15, "domain": 14, "hostname": 5 }, "indicator_count": 193, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "1008 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64abcf295128ce503f9b2205", "name": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads", "description": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads", "modified": "2023-08-09T09:03:18.084000", "created": "2023-07-10T09:28:09.621000", "tags": [], "references": [ "IOCs BlackCat Ransowmare.txt" ], "public": 1, "adversary": "BlackCat ransomware", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MarinaDiamandis", "id": "206809", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 1, "domain": 14, "hostname": 3 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 64, "modified_text": "1026 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64a41923b86541fbd482f357", "name": "Advisory Report for BlackCat Distributing Ransomware Disguised as WinSCP", "description": "The BlackCat ransomware group is running malvertizing campaigns to lure people into fake pages that mimic the official website of the WinSCP file-transfer application for Windows but instead push malware-ridden installers.\nThese are security recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks.", "modified": "2023-08-03T12:02:23.844000", "created": "2023-07-04T13:05:39.851000", "tags": [ "iocs" ], "references": [ "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 16, "FileHash-SHA1": 105, "FileHash-SHA256": 15, "domain": 14, "hostname": 3 }, "indicator_count": 191, "is_author": false, "is_subscribing": null, "subscriber_count": 107, "modified_text": "1032 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64a28f2725df6a0834cb9f44", "name": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads", "description": "Malvertising, spy boy Terminator and Trojan backdoors are all part of the same code used in the latest spy-hunting campaign, as revealed in a series of tweets by the BBC's Panorama programme.", "modified": "2023-08-02T09:04:51.419000", "created": "2023-07-03T09:04:39.961000", "tags": [ "trojanspy", "c server", "disease vector", "cobeacon c2", "entry vector", "blackcat", "actors", "leverage spyboy", "terminator", "file iocs", "network iocs" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "parvesh4399", "id": "224939", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 3, "FileHash-SHA1": 98, "FileHash-SHA256": 9, "domain": 14, "hostname": 5 }, "indicator_count": 167, "is_author": false, "is_subscribing": null, "subscriber_count": 56, "modified_text": "1033 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "642aadadb1435afa568a930d", "name": "Threat Intel Report - W14-2023", "description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2023-05-03T10:00:17.991000", "created": "2023-04-03T10:42:53.101000", "tags": [ "windows", "cvss", "cvss base", "linux", "microsoft", "thunderbird", "samba", "march", "cacti", "realtek", "android", "mozilla", "patch", "february", "hashes domains", "japan", "ip address", "blacklist host", "ip country", "latest spambot", "visit", "activity", "serbia", "russia", "united kingdom" ], "references": [ "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time", "https://www.dnsbl.info/", "https://psbl.org/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 36, "FileHash-SHA1": 36, "FileHash-SHA256": 126, "domain": 70, "hostname": 55, "URL": 89 }, "indicator_count": 412, "is_author": false, "is_subscribing": null, "subscriber_count": 107, "modified_text": "1124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6424c7bd67afc87a189ab8e8", "name": "URLHaus data - 29-03-2023", "description": "", "modified": "2023-04-28T23:07:42.072000", "created": "2023-03-29T23:20:29.502000", "tags": [ "32-bit", "arm", "elf", "Mozi", "mips", "hajime", "mirai", "gafgyt", "ASPXAESWebShell", "PowerShellSMTPKeyLogger", "exe", "njRAT", "dropped-by-amadey", "PowerShellDiscordKeyLogger", "ascii", "powershell", "ps", "opendir", "SnakeKeylogger", "hta", "BRA", "geo", "Grandoreiro", "zip", "RemcosRAT", "Formbook", "Malvertising", "RedLineStealer", "dll", "Stealc", "32", "1212", "Password-protected", "rar", "draw", "1234", "7z", "2022", "PowerShellDiscordScreenStealer", "BatchDropperMEMZ", "agenziaentrate", "geofenced", "Gozi", "ISFB", "ITA", "plugin", "ursnif", "MEF", "MISE", "encrypted", "rat", "AgentTesla", "LummaStealer", "pw-2022", "pw-2023", "ransomware", "cobalstrike", "CobaltStrike", "AuroraStealer", "pw-123" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "domain": 9, "hostname": 7 }, "indicator_count": 1016, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "641f9134764d8ffe7b7dc2c2", "name": "InQuest - 25-03-2023", "description": "", "modified": "2023-04-25T00:05:37.678000", "created": "2023-03-26T00:26:28.383000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 309, "domain": 1166, "URL": 1794, "hostname": 244, "FileHash-MD5": 11, "FileHash-SHA1": 7 }, "indicator_count": 3531, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1132 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "641e3e1fb27dd0e61de60f24", "name": "InQuest - 24-03-2023", "description": "", "modified": "2023-04-24T00:04:14.074000", "created": "2023-03-25T00:19:43.421000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1250, "URL": 1833, "FileHash-SHA256": 297, "hostname": 278, "FileHash-MD5": 27, "FileHash-SHA1": 11 }, "indicator_count": 3696, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1133 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.dnsbl.info/", "https://urlhaus.abuse.ch/feeds/country/CA/", "https://urlhaus.abuse.ch/browse/", "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time", "https://labs.inquest.net/iocdb", "IOCs BlackCat Ransowmare.txt", "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt", "https://psbl.org/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "BlackCat ransomware" ], "malware_families": [ "Trojanspy", "Nitrogen" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "66dafec6fc6cae465ed44fdf", "name": "URLhaus Country Feed (Canada) enriched", "description": "", "modified": "2025-06-18T23:40:53.759000", "created": "2024-09-06T13:08:22.353000", "tags": [], "references": [ "https://urlhaus.abuse.ch/feeds/country/CA/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 3, "URL": 83203, "domain": 26579, "email": 1, "hostname": 40137, "FileHash-SHA256": 5936, "CVE": 6 }, "indicator_count": 155869, "is_author": false, "is_subscribing": null, "subscriber_count": 197, "modified_text": "346 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570990a42c369f6019ba96e", "name": "Threat Intel Report - W14-2023", "description": "", "modified": "2023-12-06T15:53:46.637000", "created": "2023-12-06T15:53:46.637000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 126, "FileHash-MD5": 36, "FileHash-SHA1": 36, "domain": 70, "hostname": 55, "URL": 89 }, "indicator_count": 412, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654b2c6f971085c27db41ca1", "name": "Recorded Future: ALPHV Ransomware Group (BlackCat Ransomware Group)", "description": "", "modified": "2023-12-03T09:42:21.582000", "created": "2023-11-08T06:36:31.780000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "akhanafeer", "id": "195327", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 37, "FileHash-SHA256": 24, "URL": 9, "domain": 105, "hostname": 4 }, "indicator_count": 197, "is_author": false, "is_subscribing": null, "subscriber_count": 73, "modified_text": "910 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c3a500ebcae1f70b0edce4", "name": "Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator", "description": "Malvertising, spy boy Terminator and Trojan backdoors are all part of the same code used in the latest spy-hunting campaign, as revealed in a series of tweets by the BBC's Panorama programme.", "modified": "2023-08-27T11:04:21.859000", "created": "2023-07-28T11:22:40.557000", "tags": [ "c server", "disease vector", "cobeacon c2", "entry vector", "blackcat", "actors", "leverage spyboy", "terminator", "file iocs", "network iocs", "trojanspy" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt", "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 39, "FileHash-MD5": 16, "FileHash-SHA1": 105, "FileHash-SHA256": 15, "domain": 14, "hostname": 5 }, "indicator_count": 194, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1008 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c2d7f938ef9c14141e3756", "name": "Malvertising as Entry Vector for BlackCat/AlphV - \"Nitrogen\" - TrendMicro", "description": "Early detection of \"Nitrogen\" malware (Initial access) before it was being called that. This mostly covers the infection chain to BlackCat/AlphV.\nFrom TrendMicro - end of June 2023\nMalvertising, spy boy Terminator and Trojan backdoors\nhttps://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html", "modified": "2023-08-26T20:00:35.013000", "created": "2023-07-27T20:47:53.681000", "tags": [ "c server", "disease vector", "cobeacon c2", "entry vector", "blackcat", "leverage spyboy", "terminator", "file iocs", "network iocs", "trojanspy", "nitrogen", "initial access" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt", "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "nitrogen", "display_name": "nitrogen", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Techronik", "id": "114546", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 16, "FileHash-SHA1": 105, "FileHash-SHA256": 15, "domain": 14, "hostname": 5 }, "indicator_count": 193, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "1008 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64abcf295128ce503f9b2205", "name": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads", "description": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads", "modified": "2023-08-09T09:03:18.084000", "created": "2023-07-10T09:28:09.621000", "tags": [], "references": [ "IOCs BlackCat Ransowmare.txt" ], "public": 1, "adversary": "BlackCat ransomware", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MarinaDiamandis", "id": "206809", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 1, "domain": 14, "hostname": 3 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 64, "modified_text": "1026 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64a41923b86541fbd482f357", "name": "Advisory Report for BlackCat Distributing Ransomware Disguised as WinSCP", "description": "The BlackCat ransomware group is running malvertizing campaigns to lure people into fake pages that mimic the official website of the WinSCP file-transfer application for Windows but instead push malware-ridden installers.\nThese are security recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks.", "modified": "2023-08-03T12:02:23.844000", "created": "2023-07-04T13:05:39.851000", "tags": [ "iocs" ], "references": [ "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 16, "FileHash-SHA1": 105, "FileHash-SHA256": 15, "domain": 14, "hostname": 3 }, "indicator_count": 191, "is_author": false, "is_subscribing": null, "subscriber_count": 107, "modified_text": "1032 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64a28f2725df6a0834cb9f44", "name": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads", "description": "Malvertising, spy boy Terminator and Trojan backdoors are all part of the same code used in the latest spy-hunting campaign, as revealed in a series of tweets by the BBC's Panorama programme.", "modified": "2023-08-02T09:04:51.419000", "created": "2023-07-03T09:04:39.961000", "tags": [ "trojanspy", "c server", "disease vector", "cobeacon c2", "entry vector", "blackcat", "actors", "leverage spyboy", "terminator", "file iocs", "network iocs" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "parvesh4399", "id": "224939", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 3, "FileHash-SHA1": 98, "FileHash-SHA256": 9, "domain": 14, "hostname": 5 }, "indicator_count": 167, "is_author": false, "is_subscribing": null, "subscriber_count": 56, "modified_text": "1033 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "642aadadb1435afa568a930d", "name": "Threat Intel Report - W14-2023", "description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2023-05-03T10:00:17.991000", "created": "2023-04-03T10:42:53.101000", "tags": [ "windows", "cvss", "cvss base", "linux", "microsoft", "thunderbird", "samba", "march", "cacti", "realtek", "android", "mozilla", "patch", "february", "hashes domains", "japan", "ip address", "blacklist host", "ip country", "latest spambot", "visit", "activity", "serbia", "russia", "united kingdom" ], "references": [ "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time", "https://www.dnsbl.info/", "https://psbl.org/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 36, "FileHash-SHA1": 36, "FileHash-SHA256": 126, "domain": 70, "hostname": 55, "URL": 89 }, "indicator_count": 412, "is_author": false, "is_subscribing": null, "subscriber_count": 107, "modified_text": "1124 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6424c7bd67afc87a189ab8e8", "name": "URLHaus data - 29-03-2023", "description": "", "modified": "2023-04-28T23:07:42.072000", "created": "2023-03-29T23:20:29.502000", "tags": [ "32-bit", "arm", "elf", "Mozi", "mips", "hajime", "mirai", "gafgyt", "ASPXAESWebShell", "PowerShellSMTPKeyLogger", "exe", "njRAT", "dropped-by-amadey", "PowerShellDiscordKeyLogger", "ascii", "powershell", "ps", "opendir", "SnakeKeylogger", "hta", "BRA", "geo", "Grandoreiro", "zip", "RemcosRAT", "Formbook", "Malvertising", "RedLineStealer", "dll", "Stealc", "32", "1212", "Password-protected", "rar", "draw", "1234", "7z", "2022", "PowerShellDiscordScreenStealer", "BatchDropperMEMZ", "agenziaentrate", "geofenced", "Gozi", "ISFB", "ITA", "plugin", "ursnif", "MEF", "MISE", "encrypted", "rat", "AgentTesla", "LummaStealer", "pw-2022", "pw-2023", "ransomware", "cobalstrike", "CobaltStrike", "AuroraStealer", "pw-123" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "domain": 9, "hostname": 7 }, "indicator_count": 1016, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "firstclassbale.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "firstclassbale.com", "found": true, "verdict": "malicious", "url_count": 4, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "https://firstclassbale.com/python/python.bat", "status": "offline", "threat": "malware_download", "date_added": "2023-03-29", "tags": [ " ransomware", "cobalstrike" ] }, { "url": "https://firstclassbale.com/python/unzip.bat", "status": "offline", "threat": "malware_download", "date_added": "2023-03-29", "tags": [ " ransomware", "cobalstrike" ] }, { "url": "https://firstclassbale.com/python/pp", "status": "offline", "threat": "malware_download", "date_added": "2023-03-29", "tags": [ " ransomware", "cobalstrike" ] }, { "url": "https://firstclassbale.com/python/cubalibre2", "status": "offline", "threat": "malware_download", "date_added": "2023-03-29", "tags": [ " ransomware", "cobalstrike", "CobaltStrike" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780236661.420553 }