{
  "type": "URL",
  "indicator": "https://DIASGALLERY.COM/ABOUT/R/",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://DIASGALLERY.COM/ABOUT/R/",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3647632045,
      "indicator": "https://DIASGALLERY.COM/ABOUT/R/",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 1,
      "pulses": [
        {
          "id": "64186efb728d1ea3633c3dc6",
          "name": "Emotet Sending Malicious Emails After Three-Month Hiatus",
          "description": "New Emotet malicious email activity suggests the Emotet Group has restarted activities after taking a few-months-long hiatus. The detected email activity shows it inserting itself into existing email chains with a malicious unprotected zip attachment, with a financial invoice theme to lure victims. Inside the zip file, there is an Office Word document with macros. Office requests the user to enable content; if accepted, macros run in the background to download and execute the Emotet DLL. It is not known how long this round of email activity will take, but from previous rounds it can be expected to last a few weeks and then disappear for months. Trellix ENS detection: W97M/Downloader.dwu trojan. For the current Emotet campaign, Trellix has added a policy rule for the zip attachments that can be enabled on the Email appliances.",
          "modified": "2023-04-19T14:04:39.791000",
          "created": "2023-03-20T14:34:35.037000",
          "tags": [
            "https",
            "http",
            "javascript",
            "help center",
            "please",
            "service privacy",
            "policy cookie",
            "policy imprint",
            "ads info",
            "twitter",
            "emotet",
            "figure",
            "tuesday",
            "march",
            "office",
            "emotet botnet",
            "emotet email",
            "office document",
            "enable content",
            "november"
          ],
          "references": [
            "https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/",
            "https://twitter.com/Cryptolaemus1/status/1633099154623803394?s=20"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1193",
              "name": "Spearphishing Attachment",
              "display_name": "T1193 - Spearphishing Attachment"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1009",
              "name": "Binary Padding",
              "display_name": "T1009 - Binary Padding"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1036.005",
              "name": "Match Legitimate Name or Location",
              "display_name": "T1036.005 - Match Legitimate Name or Location"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1117",
              "name": "Regsvr32",
              "display_name": "T1117 - Regsvr32"
            },
            {
              "id": "T1070.006",
              "name": "Timestomp",
              "display_name": "T1070.006 - Timestomp"
            },
            {
              "id": "T1503",
              "name": "Credentials from Web Browsers",
              "display_name": "T1503 - Credentials from Web Browsers"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "BITSecurity",
            "id": "103352",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 40,
            "URL": 108,
            "hostname": 10,
            "FileHash-MD5": 325,
            "FileHash-SHA1": 277,
            "FileHash-SHA256": 279
          },
          "indicator_count": 1039,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 242,
          "modified_text": "1140 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/",
        "https://twitter.com/Cryptolaemus1/status/1633099154623803394?s=20"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Emotet"
          ],
          "industries": [],
          "unique_indicators": 1097
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/DIASGALLERY.COM",
    "whois": "http://whois.domaintools.com/DIASGALLERY.COM",
    "domain": "DIASGALLERY.COM",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 1,
  "pulses": [
    {
      "id": "64186efb728d1ea3633c3dc6",
      "name": "Emotet Sending Malicious Emails After Three-Month Hiatus",
      "description": "New Emotet malicious email activity suggests the Emotet Group has restarted activities after taking a few-months-long hiatus. The detected email activity shows it inserting itself into existing email chains with a malicious unprotected zip attachment, with a financial invoice theme to lure victims. Inside the zip file, there is an Office Word document with macros. Office requests the user to enable content; if accepted, macros run in the background to download and execute the Emotet DLL. It is not known how long this round of email activity will take, but from previous rounds it can be expected to last a few weeks and then disappear for months. Trellix ENS detection: W97M/Downloader.dwu trojan. For the current Emotet campaign, Trellix has added a policy rule for the zip attachments that can be enabled on the Email appliances.",
      "modified": "2023-04-19T14:04:39.791000",
      "created": "2023-03-20T14:34:35.037000",
      "tags": [
        "https",
        "http",
        "javascript",
        "help center",
        "please",
        "service privacy",
        "policy cookie",
        "policy imprint",
        "ads info",
        "twitter",
        "emotet",
        "figure",
        "tuesday",
        "march",
        "office",
        "emotet botnet",
        "emotet email",
        "office document",
        "enable content",
        "november"
      ],
      "references": [
        "https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/",
        "https://twitter.com/Cryptolaemus1/status/1633099154623803394?s=20"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1193",
          "name": "Spearphishing Attachment",
          "display_name": "T1193 - Spearphishing Attachment"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1009",
          "name": "Binary Padding",
          "display_name": "T1009 - Binary Padding"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1036.005",
          "name": "Match Legitimate Name or Location",
          "display_name": "T1036.005 - Match Legitimate Name or Location"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1117",
          "name": "Regsvr32",
          "display_name": "T1117 - Regsvr32"
        },
        {
          "id": "T1070.006",
          "name": "Timestomp",
          "display_name": "T1070.006 - Timestomp"
        },
        {
          "id": "T1503",
          "name": "Credentials from Web Browsers",
          "display_name": "T1503 - Credentials from Web Browsers"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "BITSecurity",
        "id": "103352",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 40,
        "URL": 108,
        "hostname": 10,
        "FileHash-MD5": 325,
        "FileHash-SHA1": 277,
        "FileHash-SHA256": 279
      },
      "indicator_count": 1039,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 242,
      "modified_text": "1140 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://DIASGALLERY.COM/ABOUT/R/",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://DIASGALLERY.COM/ABOUT/R/",
    "type": "URL",
    "found": true,
    "verdict": "malicious",
    "url_status": "offline",
    "threat": "malware_download",
    "tags": [
      "dll",
      "emotet",
      "zip"
    ],
    "date_added": "2023-03-07",
    "last_online": "",
    "reporter": "Cryptolaemus1",
    "host": "diasgallery.com",
    "payloads": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780487515.9815392
}