{ "type": "URL", "indicator": "https://921hapudyqwdvy.com/vvmd54/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://921hapudyqwdvy.com/vvmd54/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3751733849, "indicator": "https://921hapudyqwdvy.com/vvmd54/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "652d4dc5766032878f58d88c", "name": "\u201cEtherHiding\u201d \u2014 Hiding Web2 Malicious Code in Web3 Smart Contracts", "description": "\u201cEtherHiding\u201d presents a novel twist on serving malicious code by utilizing Binance\u2019s Smart Chain contracts to host parts of a malicious code chain in what is the next level of Bullet-Proof Hosting.\n\nOver the last two months, leveraging a vast array of hijacked WordPress sites, this threat actor has misled users into downloading malicious fake \u201cbrowser updates\u201d.", "modified": "2023-11-15T14:01:10.094000", "created": "2023-10-16T14:50:45.096000", "tags": [ "etherhiding", "clearfake", "binance smart chain", "bsc blockchain" ], "references": [ "https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 386, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 13, "URL": 1, "domain": 29 }, "indicator_count": 51, "is_author": false, "is_subscribing": null, "subscriber_count": 386592, "modified_text": "928 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65fe20d1635c58fd2be328bc", "name": "FAKEUPDATES by ThreatFox", "description": "", "modified": "2024-05-12T20:27:02.873000", "created": "2024-03-23T00:22:41.667000", "tags": [ "virustotal" ], "references": [ "https://www.virustotal.com/gui/collection/threatfox_js_fakeupdates", "https://twitter.com/500mk500/status/1771235578274607201" ], "public": 1, "adversary": "TA569", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1001, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 5, "domain": 426, "hostname": 272 }, "indicator_count": 1708, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "749 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652cea1ea4d132759b92b269", "name": "ClearFake Malware Analysis | malware-analysis", "description": "Here\u2019s a look at some of the Javascript injections being used in a fake update campaign for Google Chrome, known as SocGholish, which appears to be running from a compromised website.", "modified": "2023-11-15T07:05:53.201000", "created": "2023-10-16T07:45:34.149000", "tags": [ "binance", "wordpress", "clearfake", "wordpress site", "blockchain", "etherhiding", "code", "javascript code", "array", "script", "redline", "amadey", "mask", "june", "possible", "malicious", "javascript", "payload", "july", "analysis", "randy mceoin", "publicwww", "socgholish", "chrome", "fiddler", "download" ], "references": [ "https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16", "https://rmceoin.github.io/malware-analysis/clearfake/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Amadey", "display_name": "Amadey", "target": null } ], "attack_ids": [ { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 4, "FileHash-SHA256": 14, "URL": 7, "domain": 43, "hostname": 1 }, "indicator_count": 74, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "928 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.virustotal.com/gui/collection/threatfox_js_fakeupdates", "https://rmceoin.github.io/malware-analysis/clearfake/", "https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16", "https://twitter.com/500mk500/status/1771235578274607201" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Clearfake" ], "industries": [], "unique_indicators": 52 }, "other": { "adversary": [ "TA569" ], "malware_families": [ "Clearfake", "Amadey" ], "industries": [], "unique_indicators": 1950 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/921hapudyqwdvy.com", "whois": "http://whois.domaintools.com/921hapudyqwdvy.com", "domain": "921hapudyqwdvy.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "652d4dc5766032878f58d88c", "name": "\u201cEtherHiding\u201d \u2014 Hiding Web2 Malicious Code in Web3 Smart Contracts", "description": "\u201cEtherHiding\u201d presents a novel twist on serving malicious code by utilizing Binance\u2019s Smart Chain contracts to host parts of a malicious code chain in what is the next level of Bullet-Proof Hosting.\n\nOver the last two months, leveraging a vast array of hijacked WordPress sites, this threat actor has misled users into downloading malicious fake \u201cbrowser updates\u201d.", "modified": "2023-11-15T14:01:10.094000", "created": "2023-10-16T14:50:45.096000", "tags": [ "etherhiding", "clearfake", "binance smart chain", "bsc blockchain" ], "references": [ "https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 386, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 13, "URL": 1, "domain": 29 }, "indicator_count": 51, "is_author": false, "is_subscribing": null, "subscriber_count": 386592, "modified_text": "928 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65fe20d1635c58fd2be328bc", "name": "FAKEUPDATES by ThreatFox", "description": "", "modified": "2024-05-12T20:27:02.873000", "created": "2024-03-23T00:22:41.667000", "tags": [ "virustotal" ], "references": [ "https://www.virustotal.com/gui/collection/threatfox_js_fakeupdates", "https://twitter.com/500mk500/status/1771235578274607201" ], "public": 1, "adversary": "TA569", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1001, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 5, "domain": 426, "hostname": 272 }, "indicator_count": 1708, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "749 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652cea1ea4d132759b92b269", "name": "ClearFake Malware Analysis | malware-analysis", "description": "Here\u2019s a look at some of the Javascript injections being used in a fake update campaign for Google Chrome, known as SocGholish, which appears to be running from a compromised website.", "modified": "2023-11-15T07:05:53.201000", "created": "2023-10-16T07:45:34.149000", "tags": [ "binance", "wordpress", "clearfake", "wordpress site", "blockchain", "etherhiding", "code", "javascript code", "array", "script", "redline", "amadey", "mask", "june", "possible", "malicious", "javascript", "payload", "july", "analysis", "randy mceoin", "publicwww", "socgholish", "chrome", "fiddler", "download" ], "references": [ "https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16", "https://rmceoin.github.io/malware-analysis/clearfake/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Amadey", "display_name": "Amadey", "target": null } ], "attack_ids": [ { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 4, "FileHash-SHA256": 14, "URL": 7, "domain": 43, "hostname": 1 }, "indicator_count": 74, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "928 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://921hapudyqwdvy.com/vvmd54/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://921hapudyqwdvy.com/vvmd54/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780274610.6206303 }