{
  "type": "URL",
  "indicator": "https://124.71.26.85/load",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://124.71.26.85/load",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3724449858,
      "indicator": "https://124.71.26.85/load",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 1,
      "pulses": [
        {
          "id": "64bfd25008236bd6f079e1f6",
          "name": "ACTIVIDAD MALICIOSA | Relacionada con Cobalt Strike 25-07-2023",
          "description": "Cobalt Strike es una herramienta usada para detectar vulnerabilidades de acceso al sistema. La herramienta en s\u00ed se usa normalmente para pruebas de software y para encontrar varios errores y fallos de seguridad. Sin embargo, el problema viene cuando los ciberdelincuentes se aprovechan de tales herramientas y Cobalt Strike no es una excepci\u00f3n. Seg\u00fan la investigaci\u00f3n, esas personas env\u00edan cientos de miles de correos basura con adjuntos maliciosos de Microsoft Word dise\u00f1ados para inyectar Cobalt Strike en el sistema.",
          "modified": "2023-08-24T13:04:55.815000",
          "created": "2023-07-25T13:46:56.393000",
          "tags": [
            "cobalt strike",
            "cobaltstrike",
            "tencen",
            "alibab",
            "hwcsnet huawei",
            "cloud service",
            "limite",
            "kaopuhk kaopu",
            "cloud hk",
            "multaasn1 drbra",
            "discovery",
            "ta0005",
            "ta0003",
            "ta0009",
            "ta0004",
            "ta0007",
            "ta0008",
            "ta0001",
            "t1001",
            "t1003"
          ],
          "references": [
            "https://www.pcrisk.es/guias-de-desinfeccion/9042-cobalt-strike-malware",
            "https://bazaar.abuse.ch/browse.php?search=signature%3ACobalt+Strike",
            "https://threatfox.abuse.ch/browse/malware/win.cobalt_strike/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Cobalt Strike - S0154",
              "display_name": "Cobalt Strike - S0154",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1007",
              "name": "System Service Discovery",
              "display_name": "T1007 - System Service Discovery"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1029",
              "name": "Scheduled Transfer",
              "display_name": "T1029 - Scheduled Transfer"
            },
            {
              "id": "T1030",
              "name": "Data Transfer Size Limits",
              "display_name": "T1030 - Data Transfer Size Limits"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "esoporteingenieria2020",
            "id": "121604",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 227,
            "domain": 7,
            "hostname": 22
          },
          "indicator_count": 256,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 266,
          "modified_text": "1013 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.pcrisk.es/guias-de-desinfeccion/9042-cobalt-strike-malware",
        "https://bazaar.abuse.ch/browse.php?search=signature%3ACobalt+Strike",
        "https://threatfox.abuse.ch/browse/malware/win.cobalt_strike/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Cobalt strike - s0154"
          ],
          "industries": [],
          "unique_indicators": 403
        }
      }
    },
    "false_positive": [],
    "alexa": "",
    "whois": "http://whois.domaintools.com/124.71.26.85",
    "domain": "Unavailable",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 1,
  "pulses": [
    {
      "id": "64bfd25008236bd6f079e1f6",
      "name": "ACTIVIDAD MALICIOSA | Relacionada con Cobalt Strike 25-07-2023",
      "description": "Cobalt Strike es una herramienta usada para detectar vulnerabilidades de acceso al sistema. La herramienta en s\u00ed se usa normalmente para pruebas de software y para encontrar varios errores y fallos de seguridad. Sin embargo, el problema viene cuando los ciberdelincuentes se aprovechan de tales herramientas y Cobalt Strike no es una excepci\u00f3n. Seg\u00fan la investigaci\u00f3n, esas personas env\u00edan cientos de miles de correos basura con adjuntos maliciosos de Microsoft Word dise\u00f1ados para inyectar Cobalt Strike en el sistema.",
      "modified": "2023-08-24T13:04:55.815000",
      "created": "2023-07-25T13:46:56.393000",
      "tags": [
        "cobalt strike",
        "cobaltstrike",
        "tencen",
        "alibab",
        "hwcsnet huawei",
        "cloud service",
        "limite",
        "kaopuhk kaopu",
        "cloud hk",
        "multaasn1 drbra",
        "discovery",
        "ta0005",
        "ta0003",
        "ta0009",
        "ta0004",
        "ta0007",
        "ta0008",
        "ta0001",
        "t1001",
        "t1003"
      ],
      "references": [
        "https://www.pcrisk.es/guias-de-desinfeccion/9042-cobalt-strike-malware",
        "https://bazaar.abuse.ch/browse.php?search=signature%3ACobalt+Strike",
        "https://threatfox.abuse.ch/browse/malware/win.cobalt_strike/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Cobalt Strike - S0154",
          "display_name": "Cobalt Strike - S0154",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1007",
          "name": "System Service Discovery",
          "display_name": "T1007 - System Service Discovery"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1029",
          "name": "Scheduled Transfer",
          "display_name": "T1029 - Scheduled Transfer"
        },
        {
          "id": "T1030",
          "name": "Data Transfer Size Limits",
          "display_name": "T1030 - Data Transfer Size Limits"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "esoporteingenieria2020",
        "id": "121604",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 227,
        "domain": 7,
        "hostname": 22
      },
      "indicator_count": 256,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 266,
      "modified_text": "1013 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://124.71.26.85/load",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://124.71.26.85/load",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780439286.378413
}