{
  "type": "Domain",
  "indicator": "hero-files.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/hero-files.com",
    "alexa": "http://www.alexa.com/siteinfo/hero-files.com",
    "indicator": "hero-files.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3501709404,
      "indicator": "hero-files.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 9,
      "pulses": [
        {
          "id": "63ac1260c691ea11f9881483",
          "name": "New RisePro Stealer distributed by the prominent PrivateLoader",
          "description": "A new information stealer, known as RisePro, has been delivered by a well-known loader family; it is not one of the usual RedLine or Raccoon malware families.",
          "modified": "2023-01-16T15:36:49.709000",
          "created": "2022-12-28T09:54:38.323000",
          "tags": [
            "RisePro",
            "Stealer",
            "PrivateLoader"
          ],
          "references": [
            "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RisePro",
              "display_name": "RisePro",
              "target": null
            },
            {
              "id": "PrivateLoader",
              "display_name": "PrivateLoader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1213",
              "name": "Data from Information Repositories",
              "display_name": "T1213 - Data from Information Repositories"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1555.004",
              "name": "Windows Credential Manager",
              "display_name": "T1555.004 - Windows Credential Manager"
            },
            {
              "id": "T1027.005",
              "name": "Indicator Removal from Tools",
              "display_name": "T1027.005 - Indicator Removal from Tools"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 488,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 20,
            "FileHash-SHA1": 25,
            "FileHash-SHA256": 20,
            "YARA": 1,
            "domain": 25
          },
          "indicator_count": 91,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386502,
          "modified_text": "1230 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "656dedb9d857be544e7d4a04",
          "name": "Tracking down the cybercriminal infrastructure of infostealer RisePro",
          "description": "List of IoCs related to RisePro infostealer and EasyLead PPI\n\nSource EN : https://projetfox.com/en/2023/11/tracking-down-the-cybercriminal-infrastructure-of-infostealer-risepro/\nSource FR : https://projetfox.com/2023/11/traque-de-linfrastructure-cybercriminelle-de-linfostealer-risepro/\n\nMore details:\nfrom Crep1x (SEKOIA.IO) https://x.com/crep1x/status/1729908394230686033\nfrom Intrinsec https://x.com/Intrinsec/status/1730212294452260976?s=20",
          "modified": "2024-08-20T11:25:20.493000",
          "created": "2023-12-04T15:18:17.977000",
          "tags": [
            "RisePro",
            "EasyLead PPI",
            "C2",
            "Infostealer"
          ],
          "references": [
            "https://projetfox.com/en/2023/11/tracking-down-the-cybercriminal-infrastructure-of-infostealer-risepro/",
            "https://projetfox.com/2023/11/traque-de-linfrastructure-cybercriminelle-de-linfostealer-risepro/"
          ],
          "public": 1,
          "adversary": "RisePro",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RisePro",
              "display_name": "RisePro",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "FOX_Alb310",
            "id": "233506",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_233506/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "BitcoinAddress": 1,
            "domain": 27,
            "email": 4,
            "hostname": 1
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 27,
          "modified_text": "648 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "655875976e053dcf96260bde",
          "name": "Seychelles, Seychelles, on the C(2) Shore",
          "description": "A bulletproof hosting provider registered in the Republic of Seychelles is associated with multiple malicious campaigns, including ransomware and crypto miners, according to research carried out by the S2 Research Team.",
          "modified": "2023-12-18T08:03:59.446000",
          "created": "2023-11-18T08:28:07.134000",
          "tags": [
            "eliteteam",
            "seychelles",
            "c2 server",
            "as51381",
            "redline stealer",
            "amadey c2",
            "august",
            "mrssoprano666",
            "fidelity",
            "limited",
            "february",
            "amadey",
            "june",
            "virustotal",
            "smokeloader",
            "alex",
            "april",
            "recordbreaker",
            "telecom",
            "djvu",
            "v2",
            "threatfox",
            "et",
            "stage download",
            "traffic inbound"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Seychelles",
            "Brazil",
            "India",
            "South Africa"
          ],
          "malware_families": [
            {
              "id": "Smokeloader",
              "display_name": "Smokeloader",
              "target": null
            },
            {
              "id": "Djvu",
              "display_name": "Djvu",
              "target": null
            },
            {
              "id": "V2",
              "display_name": "V2",
              "target": null
            },
            {
              "id": "ThreatFox",
              "display_name": "ThreatFox",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Stage Download",
              "display_name": "Stage Download",
              "target": null
            },
            {
              "id": "Traffic Inbound",
              "display_name": "Traffic Inbound",
              "target": null
            },
            {
              "id": "Amadey",
              "display_name": "Amadey",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ghitansilviu@gmail.com",
            "id": "177478",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 1,
            "CVE": 1,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 19,
            "URL": 4,
            "domain": 15,
            "hostname": 1
          },
          "indicator_count": 54,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "895 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63cfbc96323c3904a9cba17e",
          "name": "RisePro Stealer Distributed By PrivateLoader",
          "description": "The PrivateLoader Pay-per-install (PPI) malware service was used to drop the RisePro information stealer. The initial infection vector consisted of cracked software distributed through multiple websites. The stealer can exfiltrate a range of data including system information, screenshots, web browser cookies, passwords, credit card numbers, and crypto-wallets.",
          "modified": "2023-02-23T11:03:31.745000",
          "created": "2023-01-24T11:10:14.163000",
          "tags": [
            "RisePro",
            "Stealer",
            "PrivateLoader"
          ],
          "references": [
            "https://www.trellix.com/en-us/advanced-research-center/insights-preview.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Chile",
            "Singapore",
            "United States of America",
            "Egypt",
            "Malaysia",
            "Peru",
            "Tunisia",
            "Brazil",
            "Colombia",
            "Algeria",
            "Spain",
            "Guatemala",
            "Sri Lanka",
            "Nicaragua",
            "United Arab Emirates",
            "Argentina",
            "Australia",
            "Hong Kong",
            "Ireland",
            "Israel",
            "Iraq",
            "Jamaica",
            "Jordan",
            "Mauritania",
            "Poland",
            "T\u00fcrkiye",
            "Venezuela, Bolivarian Republic of",
            "Viet Nam",
            "South Africa"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "BITSecurity",
            "id": "103352",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 22,
            "FileHash-SHA1": 22,
            "FileHash-SHA256": 22,
            "domain": 51,
            "hostname": 1
          },
          "indicator_count": 118,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 242,
          "modified_text": "1192 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63acd8ced68fc15028262679",
          "name": "New RisePro Stealer Distributed by the Prominent PrivateLoader",
          "description": "",
          "modified": "2023-01-28T00:03:01.004000",
          "created": "2022-12-29T00:01:18.709000",
          "tags": [
            "OSINT",
            "PrivateLoader",
            "RisePro Stealer",
            "Information Stealer",
            "Crypto",
            "T1213",
            "T1113",
            "T1555.004",
            "T1129",
            "T1547.001"
          ],
          "references": [
            "https://community.riskiq.com/article/2007689c"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 19,
            "FileHash-MD5": 19,
            "domain": 25
          },
          "indicator_count": 63,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1622,
          "modified_text": "1219 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63aa79605cf34c5c7de853f3",
          "name": "PrivateLoader PPI Service Found Distributing Info-Stealing RisePro Malware",
          "description": "",
          "modified": "2023-01-26T08:01:27.782000",
          "created": "2022-12-27T04:49:36.764000",
          "tags": [
            "vidar",
            "risepro",
            "market",
            "december",
            "flashpoint",
            "privateloader",
            "arkei",
            "genesis",
            "risepro stealer",
            "telegram",
            "mars",
            "saturnwallet",
            "dlls",
            "getprocaddress",
            "zip file",
            "command",
            "success",
            "iocs",
            "file",
            "redline",
            "raccoon",
            "stealer",
            "malware",
            "netbox",
            "amigo",
            "atom",
            "phantom",
            "bitcoin",
            "desktop",
            "download",
            "code",
            "screen",
            "execution"
          ],
          "references": [
            "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/",
            "https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/",
            "https://thehackernews.com/2022/12/privateloader-ppi-service-found.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RisePro",
              "display_name": "RisePro",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "SaturnWallet",
              "display_name": "SaturnWallet",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1213",
              "name": "Data from Information Repositories",
              "display_name": "T1213 - Data from Information Repositories"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            }
          ],
          "industries": [
            "Pharmaceuticals",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": "63a9c5fe7a5e60c35c27a5fd",
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 26,
            "FileHash-SHA1": 31,
            "FileHash-SHA256": 26,
            "URL": 1,
            "YARA": 1,
            "domain": 55,
            "hostname": 2
          },
          "indicator_count": 142,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "1221 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63aaad75c49aa08e6a70587b",
          "name": "PrivateLoader PPI Service Found Distributing Info-Stealing RisePro Malware",
          "description": "",
          "modified": "2023-01-26T08:01:27.782000",
          "created": "2022-12-27T08:31:49.277000",
          "tags": [
            "vidar",
            "risepro",
            "market",
            "december",
            "flashpoint",
            "privateloader",
            "arkei",
            "genesis",
            "risepro stealer",
            "telegram",
            "mars",
            "saturnwallet",
            "dlls",
            "getprocaddress",
            "zip file",
            "command",
            "success",
            "iocs",
            "file",
            "redline",
            "raccoon",
            "stealer",
            "malware",
            "netbox",
            "amigo",
            "atom",
            "phantom",
            "bitcoin",
            "desktop",
            "download",
            "code",
            "screen",
            "execution"
          ],
          "references": [
            "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/",
            "https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/",
            "https://thehackernews.com/2022/12/privateloader-ppi-service-found.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RisePro",
              "display_name": "RisePro",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "SaturnWallet",
              "display_name": "SaturnWallet",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1213",
              "name": "Data from Information Repositories",
              "display_name": "T1213 - Data from Information Repositories"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            }
          ],
          "industries": [
            "Pharmaceuticals",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": "63aa79605cf34c5c7de853f3",
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 26,
            "FileHash-SHA1": 31,
            "FileHash-SHA256": 26,
            "URL": 1,
            "YARA": 1,
            "domain": 55,
            "hostname": 2
          },
          "indicator_count": 142,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "1221 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "633ee7153a2c5ad74ce94138",
          "name": "EliteTeam Bulletproof Hosting - malicious sites and CIDR block",
          "description": "IOCs from https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore\nELITETEAM\n\u201c1337TEAM LIMITED\u201d: AS39770, AS60424, AS56873, and AS51381, but mainly operates from AS51381, which is associated with netblock 185.215.113.0/24.",
          "modified": "2022-11-05T14:03:58.709000",
          "created": "2022-10-06T14:32:53.663000",
          "tags": [
            "BulletProof Hosting",
            "ELITETEAM",
            "Redline",
            "Smokeloader",
            "Amadey",
            "Phishing",
            "Raccoon Stealer"
          ],
          "references": [
            "EliteTeam bulletproof hosting.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Techronik",
            "id": "114546",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 15,
            "CIDR": 1,
            "hostname": 1
          },
          "indicator_count": 17,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 82,
          "modified_text": "1302 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62c2a296d3cea258c9f1c2ad",
          "name": "Malicious Sites, PUPs, Malware, Brower Hijackers, Phishing Sites",
          "description": "",
          "modified": "2022-07-04T08:19:34.791000",
          "created": "2022-07-04T08:19:34.791000",
          "tags": [
            "malware",
            "info",
            "pups",
            "phishing sites",
            "am cst",
            "shadowwhisperer",
            "curl",
            "wget"
          ],
          "references": [
            "https://raw.githubusercontent.com/ShadowWhisperer/BlockLists/master/Lists/Malware"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 44,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 10,
            "FileHash-SHA1": 47,
            "domain": 34626,
            "hostname": 19
          },
          "indicator_count": 34702,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 890,
          "modified_text": "1427 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://thehackernews.com/2022/12/privateloader-ppi-service-found.html",
        "https://projetfox.com/2023/11/traque-de-linfrastructure-cybercriminelle-de-linfostealer-risepro/",
        "https://projetfox.com/en/2023/11/tracking-down-the-cybercriminal-infrastructure-of-infostealer-risepro/",
        "EliteTeam bulletproof hosting.csv",
        "https://www.trellix.com/en-us/advanced-research-center/insights-preview.html",
        "https://raw.githubusercontent.com/ShadowWhisperer/BlockLists/master/Lists/Malware",
        "https://community.riskiq.com/article/2007689c",
        "https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/",
        "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Risepro",
            "Privateloader"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "RisePro"
          ],
          "malware_families": [
            "Vidar",
            "V2",
            "Saturnwallet",
            "Amadey",
            "Threatfox",
            "Stage download",
            "Traffic inbound",
            "Risepro",
            "Djvu",
            "Et",
            "Smokeloader"
          ],
          "industries": [
            "Pharmaceuticals",
            "Healthcare"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 9,
  "pulses": [
    {
      "id": "63ac1260c691ea11f9881483",
      "name": "New RisePro Stealer distributed by the prominent PrivateLoader",
      "description": "A new type of information stealer, known as RisePro, has been delivered by a well-known loader family, but is not part of the usual RedLine or Raccoon malware family.",
      "modified": "2023-01-16T15:36:49.709000",
      "created": "2022-12-28T09:54:38.323000",
      "tags": [
        "RisePro",
        "Stealer",
        "PrivateLoader"
      ],
      "references": [
        "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RisePro",
          "display_name": "RisePro",
          "target": null
        },
        {
          "id": "PrivateLoader",
          "display_name": "PrivateLoader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1213",
          "name": "Data from Information Repositories",
          "display_name": "T1213 - Data from Information Repositories"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1555.004",
          "name": "Windows Credential Manager",
          "display_name": "T1555.004 - Windows Credential Manager"
        },
        {
          "id": "T1027.005",
          "name": "Indicator Removal from Tools",
          "display_name": "T1027.005 - Indicator Removal from Tools"
        },
        {
          "id": "T1614",
          "name": "System Location Discovery",
          "display_name": "T1614 - System Location Discovery"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 488,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 20,
        "FileHash-SHA1": 25,
        "FileHash-SHA256": 20,
        "YARA": 1,
        "domain": 25
      },
      "indicator_count": 91,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386502,
      "modified_text": "1230 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "656dedb9d857be544e7d4a04",
      "name": "Tracking down the cybercriminal infrastructure of infostealer RisePro",
      "description": "List of IoCs related to RisePro infostealer and EasyLead PPI\n\nSource EN : https://projetfox.com/en/2023/11/tracking-down-the-cybercriminal-infrastructure-of-infostealer-risepro/\nSource FR : https://projetfox.com/2023/11/traque-de-linfrastructure-cybercriminelle-de-linfostealer-risepro/\n\nMore details:\nfrom Crep1x (SEKOIA.IO) https://x.com/crep1x/status/1729908394230686033\nfrom Intrinsec https://x.com/Intrinsec/status/1730212294452260976?s=20",
      "modified": "2024-08-20T11:25:20.493000",
      "created": "2023-12-04T15:18:17.977000",
      "tags": [
        "RisePro",
        "EasyLead PPI",
        "C2",
        "Infostealer"
      ],
      "references": [
        "https://projetfox.com/en/2023/11/tracking-down-the-cybercriminal-infrastructure-of-infostealer-risepro/",
        "https://projetfox.com/2023/11/traque-de-linfrastructure-cybercriminelle-de-linfostealer-risepro/"
      ],
      "public": 1,
      "adversary": "RisePro",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RisePro",
          "display_name": "RisePro",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "FOX_Alb310",
        "id": "233506",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_233506/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "BitcoinAddress": 1,
        "domain": 27,
        "email": 4,
        "hostname": 1
      },
      "indicator_count": 33,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 27,
      "modified_text": "648 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "655875976e053dcf96260bde",
      "name": "Seychelles, Seychelles, on the C(2) Shore",
      "description": "A bulletproof hosting provider registered in the Republic of Seychelles is associated with multiple malicious campaigns, including ransomware and crypto miners, according to research carried out by the S2 Research Team.",
      "modified": "2023-12-18T08:03:59.446000",
      "created": "2023-11-18T08:28:07.134000",
      "tags": [
        "eliteteam",
        "seychelles",
        "c2 server",
        "as51381",
        "redline stealer",
        "amadey c2",
        "august",
        "mrssoprano666",
        "fidelity",
        "limited",
        "february",
        "amadey",
        "june",
        "virustotal",
        "smokeloader",
        "alex",
        "april",
        "recordbreaker",
        "telecom",
        "djvu",
        "v2",
        "threatfox",
        "et",
        "stage download",
        "traffic inbound"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Seychelles",
        "Brazil",
        "India",
        "South Africa"
      ],
      "malware_families": [
        {
          "id": "Smokeloader",
          "display_name": "Smokeloader",
          "target": null
        },
        {
          "id": "Djvu",
          "display_name": "Djvu",
          "target": null
        },
        {
          "id": "V2",
          "display_name": "V2",
          "target": null
        },
        {
          "id": "ThreatFox",
          "display_name": "ThreatFox",
          "target": null
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Stage Download",
          "display_name": "Stage Download",
          "target": null
        },
        {
          "id": "Traffic Inbound",
          "display_name": "Traffic Inbound",
          "target": null
        },
        {
          "id": "Amadey",
          "display_name": "Amadey",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ghitansilviu@gmail.com",
        "id": "177478",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CIDR": 1,
        "CVE": 1,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 19,
        "URL": 4,
        "domain": 15,
        "hostname": 1
      },
      "indicator_count": 54,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "895 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63cfbc96323c3904a9cba17e",
      "name": "RisePro Stealer Distributed By PrivateLoader",
      "description": "The PrivateLoader Pay-per-install (PPI) malware service was used to drop the RisePro information stealer. The initial infection vector consisted of cracked software distributed through multiple websites. The stealer can exfiltrate a range of data including system information, screenshots, web browser cookies, passwords, credit card numbers, and crypto-wallets.",
      "modified": "2023-02-23T11:03:31.745000",
      "created": "2023-01-24T11:10:14.163000",
      "tags": [
        "RisePro",
        "Stealer",
        "PrivateLoader"
      ],
      "references": [
        "https://www.trellix.com/en-us/advanced-research-center/insights-preview.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Chile",
        "Singapore",
        "United States of America",
        "Egypt",
        "Malaysia",
        "Peru",
        "Tunisia",
        "Brazil",
        "Colombia",
        "Algeria",
        "Spain",
        "Guatemala",
        "Sri Lanka",
        "Nicaragua",
        "United Arab Emirates",
        "Argentina",
        "Australia",
        "Hong Kong",
        "Ireland",
        "Israel",
        "Iraq",
        "Jamaica",
        "Jordan",
        "Mauritania",
        "Poland",
        "T\u00fcrkiye",
        "Venezuela, Bolivarian Republic of",
        "Viet Nam",
        "South Africa"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "BITSecurity",
        "id": "103352",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 22,
        "FileHash-SHA1": 22,
        "FileHash-SHA256": 22,
        "domain": 51,
        "hostname": 1
      },
      "indicator_count": 118,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 242,
      "modified_text": "1192 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63acd8ced68fc15028262679",
      "name": "New RisePro Stealer Distributed by the Prominent PrivateLoader",
      "description": "",
      "modified": "2023-01-28T00:03:01.004000",
      "created": "2022-12-29T00:01:18.709000",
      "tags": [
        "OSINT",
        "PrivateLoader",
        "RisePro Stealer",
        "Information Stealer",
        "Crypto",
        "T1213",
        "T1113",
        "T1555.004",
        "T1129",
        "T1547.001"
      ],
      "references": [
        "https://community.riskiq.com/article/2007689c"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 19,
        "FileHash-MD5": 19,
        "domain": 25
      },
      "indicator_count": 63,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1622,
      "modified_text": "1219 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63aa79605cf34c5c7de853f3",
      "name": "PrivateLoader PPI Service Found Distributing Info-Stealing RisePro Malware",
      "description": "",
      "modified": "2023-01-26T08:01:27.782000",
      "created": "2022-12-27T04:49:36.764000",
      "tags": [
        "vidar",
        "risepro",
        "market",
        "december",
        "flashpoint",
        "privateloader",
        "arkei",
        "genesis",
        "risepro stealer",
        "telegram",
        "mars",
        "saturnwallet",
        "dlls",
        "getprocaddress",
        "zip file",
        "command",
        "success",
        "iocs",
        "file",
        "redline",
        "raccoon",
        "stealer",
        "malware",
        "netbox",
        "amigo",
        "atom",
        "phantom",
        "bitcoin",
        "desktop",
        "download",
        "code",
        "screen",
        "execution"
      ],
      "references": [
        "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/",
        "https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/",
        "https://thehackernews.com/2022/12/privateloader-ppi-service-found.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RisePro",
          "display_name": "RisePro",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "SaturnWallet",
          "display_name": "SaturnWallet",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1213",
          "name": "Data from Information Repositories",
          "display_name": "T1213 - Data from Information Repositories"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1614",
          "name": "System Location Discovery",
          "display_name": "T1614 - System Location Discovery"
        }
      ],
      "industries": [
        "Pharmaceuticals",
        "Healthcare"
      ],
      "TLP": "white",
      "cloned_from": "63a9c5fe7a5e60c35c27a5fd",
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 26,
        "FileHash-SHA1": 31,
        "FileHash-SHA256": 26,
        "URL": 1,
        "YARA": 1,
        "domain": 55,
        "hostname": 2
      },
      "indicator_count": 142,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 186,
      "modified_text": "1221 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63aaad75c49aa08e6a70587b",
      "name": "PrivateLoader PPI Service Found Distributing Info-Stealing RisePro Malware",
      "description": "",
      "modified": "2023-01-26T08:01:27.782000",
      "created": "2022-12-27T08:31:49.277000",
      "tags": [
        "vidar",
        "risepro",
        "market",
        "december",
        "flashpoint",
        "privateloader",
        "arkei",
        "genesis",
        "risepro stealer",
        "telegram",
        "mars",
        "saturnwallet",
        "dlls",
        "getprocaddress",
        "zip file",
        "command",
        "success",
        "iocs",
        "file",
        "redline",
        "raccoon",
        "stealer",
        "malware",
        "netbox",
        "amigo",
        "atom",
        "phantom",
        "bitcoin",
        "desktop",
        "download",
        "code",
        "screen",
        "execution"
      ],
      "references": [
        "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/",
        "https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/",
        "https://thehackernews.com/2022/12/privateloader-ppi-service-found.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RisePro",
          "display_name": "RisePro",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "SaturnWallet",
          "display_name": "SaturnWallet",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1213",
          "name": "Data from Information Repositories",
          "display_name": "T1213 - Data from Information Repositories"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1614",
          "name": "System Location Discovery",
          "display_name": "T1614 - System Location Discovery"
        }
      ],
      "industries": [
        "Pharmaceuticals",
        "Healthcare"
      ],
      "TLP": "white",
      "cloned_from": "63aa79605cf34c5c7de853f3",
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 26,
        "FileHash-SHA1": 31,
        "FileHash-SHA256": 26,
        "URL": 1,
        "YARA": 1,
        "domain": 55,
        "hostname": 2
      },
      "indicator_count": 142,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "1221 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "633ee7153a2c5ad74ce94138",
      "name": "EliteTeam Bulletproof Hosting - malicious sites and CIDR block",
      "description": "IOCs from https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore\nELITETEAM\n\u201c1337TEAM LIMITED\u201d: AS39770, AS60424, AS56873, and AS51381, but mainly operates from AS51381, which is associated with netblock 185.215.113.0/24.",
      "modified": "2022-11-05T14:03:58.709000",
      "created": "2022-10-06T14:32:53.663000",
      "tags": [
        "BulletProof Hosting",
        "ELITETEAM",
        "Redline",
        "Smokeloader",
        "Amadey",
        "Phishing",
        "Raccoon Stealer"
      ],
      "references": [
        "EliteTeam bulletproof hosting.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Techronik",
        "id": "114546",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 15,
        "CIDR": 1,
        "hostname": 1
      },
      "indicator_count": 17,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 82,
      "modified_text": "1302 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62c2a296d3cea258c9f1c2ad",
      "name": "Malicious Sites, PUPs, Malware, Brower Hijackers, Phishing Sites",
      "description": "",
      "modified": "2022-07-04T08:19:34.791000",
      "created": "2022-07-04T08:19:34.791000",
      "tags": [
        "malware",
        "info",
        "pups",
        "phishing sites",
        "am cst",
        "shadowwhisperer",
        "curl",
        "wget"
      ],
      "references": [
        "https://raw.githubusercontent.com/ShadowWhisperer/BlockLists/master/Lists/Malware"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 44,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 10,
        "FileHash-SHA1": 47,
        "domain": 34626,
        "hostname": 19
      },
      "indicator_count": 34702,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 890,
      "modified_text": "1427 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "hero-files.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "hero-files.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780216453.1533413
}