{ "type": "URL", "indicator": "http://infntio.com/save/user.php", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "http://infntio.com/save/user.php", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3521564921, "indicator": "http://infntio.com/save/user.php", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "62da79e8ce00d5eb8497f01c", "name": "EvilNum Targets Cryptocurrency, Forex, Commodities", "description": "Since late 2021 through the present, Proofpoint Threat Research observed the group Proofpoint calls TA4563 targeting various European financial and investment entities with the malware known as EvilNum. The actor exclusively targeted entities in the Decentralized Finance (DeFi) industry in recently observed campaigns. The identified campaigns delivered an updated version of the EvilNum backdoor using a varied mix of ISO, Microsoft Word and Shortcut (LNK) files in late 2021 and early 2022, presumably as a method of testing the efficacy of the delivery methods. This malware can be used for reconnaissance, data theft, and to deploy additional payloads.", "modified": "2022-07-22T10:20:23.613000", "created": "2022-07-22T10:20:23.613000", "tags": [ "evilnum", "ta4563", "apt" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities" ], "public": 1, "adversary": "TA4563", "targeted_countries": [], "malware_families": [ { "id": "EvilNum", "display_name": "EvilNum", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [ "Finance", "Investment" ], "TLP": "white", "cloned_from": null, "export_count": 371, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "email": 5, "URL": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "domain": 15 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 386588, "modified_text": "1409 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62daf40054474d0014485ef5", "name": "EvilNum", "description": "IOCs associated with EvilNum", "modified": "2022-07-22T19:01:20.504000", "created": "2022-07-22T19:01:20.504000", "tags": [], "references": [ "IOCs_7.22.22.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "lsong@perimeterwatch.com", "id": "191915", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "domain": 11 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "1409 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62da8e4c993b2bbfe3a74d25", "name": "EvilNum IOCs", "description": "Indicator-based results for all of the key indicators used by the BBC in the 2016/17 TV and radio seasons. and for the 2017/18 TV season, as well as the 2015/16 season.", "modified": "2022-07-22T11:47:24.158000", "created": "2022-07-22T11:47:24.158000", "tags": [ "command", "march", "december", "control domain", "control url", "sender email", "word doc", "payload domain", "june", "sha256 sample", "april" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "brazen.fox.thirteen", "id": "155136", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "domain": 14, "email": 4 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "1409 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62da839f9c68eaa4ae361633", "name": "EvilNum IOCs", "description": "Indicator-based results for all of the key indicators used by the BBC in the 2016/17 TV and radio seasons. and for the 2017/18 TV season, as well as the 2015/16 season.", "modified": "2022-07-22T11:01:51.311000", "created": "2022-07-22T11:01:51.311000", "tags": [ "command", "march", "december", "control domain", "control url", "sender email", "word doc", "payload domain", "june", "sha256 sample", "april" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "brazen.fox.thirteen", "id": "155136", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "domain": 14, "email": 4 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "1409 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62da57b9c047da0555eb3985", "name": "Buy, Sell, Steal, EvilNum Targets Cryptocurrency, Forex, Commodities | Proofpoint US", "description": "Find out more about Proofpoint and how to protect your people, data and brand from the latest security threats and the deep and dark web. the company's products and services are on sale across the world.", "modified": "2022-07-22T07:54:33.504000", "created": "2022-07-22T07:54:33.504000", "tags": [ "evilnum", "proofpoint", "javascript", "golden chickens", "ta4563", "command", "march", "december", "learn", "control domain", "sell", "steal", "june", "powershell", "ransomware", "stop ransomware", "protect", "small", "tools", "april", "demo" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities" ], "public": 1, "adversary": "EvilNum", "targeted_countries": [], "malware_families": [ { "id": "EvilNum", "display_name": "EvilNum", "target": null }, { "id": "Golden Chickens", "display_name": "Golden Chickens", "target": null }, { "id": "JavaScript", "display_name": "JavaScript", "target": null }, { "id": "Proofpoint", "display_name": "Proofpoint", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Finance", "Investment", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 5, "URL": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "domain": 15 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1409 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62d9a05ffd1e72495f03f7e6", "name": "Buy, Sell, Steal, EvilNum Targets Cryptocurrency, Forex, Commodities | Proofpoint US", "description": "Find out more about Proofpoint and how to protect your people, data and brand from the latest security threats and the deep and dark web. the company's products and services are on sale across the world.", "modified": "2022-07-21T18:52:15.315000", "created": "2022-07-21T18:52:15.315000", "tags": [ "evilnum", "proofpoint", "javascript", "golden chickens", "ta4563", "command", "march", "december", "learn", "control domain", "sell", "steal", "june", "powershell", "ransomware", "stop ransomware", "protect", "small", "tools", "april", "demo" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities" ], "public": 1, "adversary": "EvilNum", "targeted_countries": [], "malware_families": [ { "id": "EvilNum", "display_name": "EvilNum", "target": null }, { "id": "Golden Chickens", "display_name": "Golden Chickens", "target": null }, { "id": "JavaScript", "display_name": "JavaScript", "target": null }, { "id": "Proofpoint", "display_name": "Proofpoint", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Finance", "Investment", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "domain": 15, "email": 4 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 356, "modified_text": "1410 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities", "IOCs_7.22.22.txt" ], "related": { "alienvault": { "adversary": [ "TA4563" ], "malware_families": [ "Evilnum" ], "industries": [ "Finance", "Investment" ], "unique_indicators": 37 }, "other": { "adversary": [ "EvilNum" ], "malware_families": [ "Evilnum", "Golden chickens", "Proofpoint", "Javascript" ], "industries": [ "Financial", "Finance", "Investment" ], "unique_indicators": 37 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/infntio.com", "whois": "http://whois.domaintools.com/infntio.com", "domain": "infntio.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "62da79e8ce00d5eb8497f01c", "name": "EvilNum Targets Cryptocurrency, Forex, Commodities", "description": "Since late 2021 through the present, Proofpoint Threat Research observed the group Proofpoint calls TA4563 targeting various European financial and investment entities with the malware known as EvilNum. The actor exclusively targeted entities in the Decentralized Finance (DeFi) industry in recently observed campaigns. The identified campaigns delivered an updated version of the EvilNum backdoor using a varied mix of ISO, Microsoft Word and Shortcut (LNK) files in late 2021 and early 2022, presumably as a method of testing the efficacy of the delivery methods. This malware can be used for reconnaissance, data theft, and to deploy additional payloads.", "modified": "2022-07-22T10:20:23.613000", "created": "2022-07-22T10:20:23.613000", "tags": [ "evilnum", "ta4563", "apt" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities" ], "public": 1, "adversary": "TA4563", "targeted_countries": [], "malware_families": [ { "id": "EvilNum", "display_name": "EvilNum", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [ "Finance", "Investment" ], "TLP": "white", "cloned_from": null, "export_count": 371, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "email": 5, "URL": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "domain": 15 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 386588, "modified_text": "1409 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62daf40054474d0014485ef5", "name": "EvilNum", "description": "IOCs associated with EvilNum", "modified": "2022-07-22T19:01:20.504000", "created": "2022-07-22T19:01:20.504000", "tags": [], "references": [ "IOCs_7.22.22.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "lsong@perimeterwatch.com", "id": "191915", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "domain": 11 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "1409 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62da8e4c993b2bbfe3a74d25", "name": "EvilNum IOCs", "description": "Indicator-based results for all of the key indicators used by the BBC in the 2016/17 TV and radio seasons. and for the 2017/18 TV season, as well as the 2015/16 season.", "modified": "2022-07-22T11:47:24.158000", "created": "2022-07-22T11:47:24.158000", "tags": [ "command", "march", "december", "control domain", "control url", "sender email", "word doc", "payload domain", "june", "sha256 sample", "april" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "brazen.fox.thirteen", "id": "155136", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "domain": 14, "email": 4 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "1409 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62da839f9c68eaa4ae361633", "name": "EvilNum IOCs", "description": "Indicator-based results for all of the key indicators used by the BBC in the 2016/17 TV and radio seasons. and for the 2017/18 TV season, as well as the 2015/16 season.", "modified": "2022-07-22T11:01:51.311000", "created": "2022-07-22T11:01:51.311000", "tags": [ "command", "march", "december", "control domain", "control url", "sender email", "word doc", "payload domain", "june", "sha256 sample", "april" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "brazen.fox.thirteen", "id": "155136", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "domain": 14, "email": 4 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "1409 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62da57b9c047da0555eb3985", "name": "Buy, Sell, Steal, EvilNum Targets Cryptocurrency, Forex, Commodities | Proofpoint US", "description": "Find out more about Proofpoint and how to protect your people, data and brand from the latest security threats and the deep and dark web. the company's products and services are on sale across the world.", "modified": "2022-07-22T07:54:33.504000", "created": "2022-07-22T07:54:33.504000", "tags": [ "evilnum", "proofpoint", "javascript", "golden chickens", "ta4563", "command", "march", "december", "learn", "control domain", "sell", "steal", "june", "powershell", "ransomware", "stop ransomware", "protect", "small", "tools", "april", "demo" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities" ], "public": 1, "adversary": "EvilNum", "targeted_countries": [], "malware_families": [ { "id": "EvilNum", "display_name": "EvilNum", "target": null }, { "id": "Golden Chickens", "display_name": "Golden Chickens", "target": null }, { "id": "JavaScript", "display_name": "JavaScript", "target": null }, { "id": "Proofpoint", "display_name": "Proofpoint", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Finance", "Investment", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 5, "URL": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "domain": 15 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1409 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62d9a05ffd1e72495f03f7e6", "name": "Buy, Sell, Steal, EvilNum Targets Cryptocurrency, Forex, Commodities | Proofpoint US", "description": "Find out more about Proofpoint and how to protect your people, data and brand from the latest security threats and the deep and dark web. the company's products and services are on sale across the world.", "modified": "2022-07-21T18:52:15.315000", "created": "2022-07-21T18:52:15.315000", "tags": [ "evilnum", "proofpoint", "javascript", "golden chickens", "ta4563", "command", "march", "december", "learn", "control domain", "sell", "steal", "june", "powershell", "ransomware", "stop ransomware", "protect", "small", "tools", "april", "demo" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities" ], "public": 1, "adversary": "EvilNum", "targeted_countries": [], "malware_families": [ { "id": "EvilNum", "display_name": "EvilNum", "target": null }, { "id": "Golden Chickens", "display_name": "Golden Chickens", "target": null }, { "id": "JavaScript", "display_name": "JavaScript", "target": null }, { "id": "Proofpoint", "display_name": "Proofpoint", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Finance", "Investment", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "domain": 15, "email": 4 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 356, "modified_text": "1410 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "http://infntio.com/save/user.php", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "http://infntio.com/save/user.php", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780269863.6469755 }