{
  "type": "URL",
  "indicator": "https://103.236.149.100/api/info",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://103.236.149.100/api/info",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 1593732598,
      "indicator": "https://103.236.149.100/api/info",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "5c1d5328e8b75815dbcdeeab",
          "name": "OVERRULED: Containing a Potentially Destructive Adversary",
          "description": "FireEye assesses APT33 may be behind a series of intrusions and attempted intrusions within the engineering industry. Public reporting indicates this activity may be related to recent destructive attacks. FireEye's Managed Defense has responded to and contained numerous intrusions that we assess are related. The actor is leveraging publicly available tools in early phases of the intrusion; however, we have observed them transition to custom implants in later stage activity in an attempt to circumvent our detection.",
          "modified": "2019-01-17T17:56:16.352000",
          "created": "2018-12-21T20:55:04.147000",
          "tags": [
            "poshc2",
            "outlook",
            "apt33",
            "powerton",
            "powershell",
            "office",
            "office365",
            "energy",
            "mimikatz",
            "aerospace",
            "fireeye"
          ],
          "references": [
            "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html"
          ],
          "public": 1,
          "adversary": "APT33",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "energy"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 62,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "YARA": 1,
            "domain": 2,
            "URL": 10,
            "FileHash-MD5": 32,
            "CVE": 2
          },
          "indicator_count": 47,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387031,
          "modified_text": "2693 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "5c10d62e97d4215c088dfa2e",
          "name": "Recent Shamoon Wipers",
          "description": "We came across external reports that the notorious, disk-wiping worm Shamoon, also known as Disttrack, has reemerged with an updated version. We were also able to source several samples of this version of Shamoon that Trend Micro detects as Trojan.Win32.DISTTRACK.AA and Trojan.Win64.DISTTRACK.AA. While there are no obvious indications that this new version is currently in the wild, we are further analyzing the malware to verify its functions and capabilities given its destructive impact.",
          "modified": "2018-12-24T22:16:57.171000",
          "created": "2018-12-12T09:34:38.758000",
          "tags": [],
          "references": [
            "https://twitter.com/ThreatHunting/status/1072771496479735809",
            "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/new-version-of-disk-wiping-shamoon-disttrack-spotted-what-you-need-to-know",
            "https://www.axios.com/infamous-shamoon-malware-re-emerges-14911c5b-11e0-4bea-8549-1dc8a6f93848.html",
            "https://researchcenter.paloaltonetworks.com/2018/12/shamoon-3-targets-oil-gas-organization/",
            "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/",
            "https://www.symantec.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail",
            "https://unit42.paloaltonetworks.com/shamoon-3-modified-open-source-wiper-contains-verse-from-the-quran/",
            "https://www.anomali.com/blog/destructive-shamoon-malware-continues-its-return-with-a-new-anti-american-message"
          ],
          "public": 1,
          "adversary": "Shamoon",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 74,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 5,
            "FileHash-SHA256": 24,
            "URL": 5,
            "hostname": 1,
            "FileHash-SHA1": 5
          },
          "indicator_count": 40,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386994,
          "modified_text": "2716 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.axios.com/infamous-shamoon-malware-re-emerges-14911c5b-11e0-4bea-8549-1dc8a6f93848.html",
        "https://www.symantec.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail",
        "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/new-version-of-disk-wiping-shamoon-disttrack-spotted-what-you-need-to-know",
        "https://researchcenter.paloaltonetworks.com/2018/12/shamoon-3-targets-oil-gas-organization/",
        "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
        "https://www.anomali.com/blog/destructive-shamoon-malware-continues-its-return-with-a-new-anti-american-message",
        "https://unit42.paloaltonetworks.com/shamoon-3-modified-open-source-wiper-contains-verse-from-the-quran/",
        "https://twitter.com/ThreatHunting/status/1072771496479735809",
        "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Shamoon",
            "APT33"
          ],
          "malware_families": [],
          "industries": [
            "Energy"
          ],
          "unique_indicators": 86
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        }
      }
    },
    "false_positive": [],
    "alexa": "",
    "whois": "http://whois.domaintools.com/103.236.149.100",
    "domain": "Unavailable",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "5c1d5328e8b75815dbcdeeab",
      "name": "OVERRULED: Containing a Potentially Destructive Adversary",
      "description": "FireEye assesses APT33 may be behind a series of intrusions and attempted intrusions within the engineering industry. Public reporting indicates this activity may be related to recent destructive attacks. FireEye's Managed Defense has responded to and contained numerous intrusions that we assess are related. The actor is leveraging publicly available tools in early phases of the intrusion; however, we have observed them transition to custom implants in later stage activity in an attempt to circumvent our detection.",
      "modified": "2019-01-17T17:56:16.352000",
      "created": "2018-12-21T20:55:04.147000",
      "tags": [
        "poshc2",
        "outlook",
        "apt33",
        "powerton",
        "powershell",
        "office",
        "office365",
        "energy",
        "mimikatz",
        "aerospace",
        "fireeye"
      ],
      "references": [
        "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html"
      ],
      "public": 1,
      "adversary": "APT33",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "energy"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 62,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "YARA": 1,
        "domain": 2,
        "URL": 10,
        "FileHash-MD5": 32,
        "CVE": 2
      },
      "indicator_count": 47,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387031,
      "modified_text": "2693 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "5c10d62e97d4215c088dfa2e",
      "name": "Recent Shamoon Wipers",
      "description": "We came across external reports that the notorious, disk-wiping worm Shamoon, also known as Disttrack, has reemerged with an updated version. We were also able to source several samples of this version of Shamoon that Trend Micro detects as Trojan.Win32.DISTTRACK.AA and Trojan.Win64.DISTTRACK.AA. While there are no obvious indications that this new version is currently in the wild, we are further analyzing the malware to verify its functions and capabilities given its destructive impact.",
      "modified": "2018-12-24T22:16:57.171000",
      "created": "2018-12-12T09:34:38.758000",
      "tags": [],
      "references": [
        "https://twitter.com/ThreatHunting/status/1072771496479735809",
        "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/new-version-of-disk-wiping-shamoon-disttrack-spotted-what-you-need-to-know",
        "https://www.axios.com/infamous-shamoon-malware-re-emerges-14911c5b-11e0-4bea-8549-1dc8a6f93848.html",
        "https://researchcenter.paloaltonetworks.com/2018/12/shamoon-3-targets-oil-gas-organization/",
        "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/",
        "https://www.symantec.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail",
        "https://unit42.paloaltonetworks.com/shamoon-3-modified-open-source-wiper-contains-verse-from-the-quran/",
        "https://www.anomali.com/blog/destructive-shamoon-malware-continues-its-return-with-a-new-anti-american-message"
      ],
      "public": 1,
      "adversary": "Shamoon",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 74,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 5,
        "FileHash-SHA256": 24,
        "URL": 5,
        "hostname": 1,
        "FileHash-SHA1": 5
      },
      "indicator_count": 40,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386994,
      "modified_text": "2716 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://103.236.149.100/api/info",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://103.236.149.100/api/info",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780423104.983095
}