{ "type": "URL", "indicator": "https://australiacbdoil.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://australiacbdoil.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3823069816, "indicator": "https://australiacbdoil.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "660b176a98b0c92ba5a962bc", "name": "\"No Problems\" - UAlberta TLD (Confirmed TLD - 08.04.24) & Subdomain compromise", "description": "Basically the above\n\n\"No Problems\", \"We are Unhackable\", etc. etc. causing problems.", "modified": "2024-09-04T05:01:56.993000", "created": "2024-04-01T20:22:02.851000", "tags": [ "BEC" ], "references": [ "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs", "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark", "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark", "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95", "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom", "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 233, "FileHash-SHA1": 230, "FileHash-SHA256": 6703, "URL": 4450, "CIDR": 3, "domain": 6223, "hostname": 2863, "email": 7, "CVE": 53 }, "indicator_count": 20765, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "634 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a2f9169d6996c1c928ac0b", "name": "Remote attack: Win32/Enosch.A gtalk connectivity check | High Priority", "description": "W32/Enosch.A!tr is classified as a Trojan. Trojan has the capabilities to remote access connection handling, perform Denial of Service (DoS) attacks. Worms automatically spread to other PCs. This threat can perform a number of actions of a malicious hacker's choice. This hacker is choosing to delete files, accounts, pulses, by graphs while acting as user. An authenticated use in browser bar https://www.google.com/?authuser=0.\n\nAttempts to modify,delete graphs, pulses, accounts, passwords. Acting as user.", "modified": "2024-02-12T20:02:49.516000", "created": "2024-01-13T20:56:54.333000", "tags": [ "default", "show", "regsetvalueexa", "search", "regdword", "medium", "settingswpad", "delete", "ids detections", "yara detections", "worm", "malware", "copy", "write", "win32", "first", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "graph community", "productidis", "urls", "mb iesettings", "related file", "cybersecurity", "agency", "csc corporate", "domains", "tucows domains", "nameweb bvba", "tucows", "google", "amazon02", "twitter", "ovh sas", "facebook", "incapsula", "optimizer", "activator", "kb program", "mb super", "kb acrotray", "1tzv", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "checks_debugger", "network_icmp", "network_smtp", "persistence_autorun", "modifies_proxy_wpad", "antivm_queries_computername", "dumped_buffer", "network_http", "antivm_network_adapters", "smtp_gmail", "attacking", "browser", "object", "deleted", "deleting", "deleted virustotal graphs", "corruption", "legal", "gvt", "adams co", "colorado", "law", "illegal practices", "hacking", "enter rexxfield", "roberts", "smith", "script urls", "as20940", "united", "a domains", "certificate", "showing", "entries", "entrust", "scan endpoints", "district", "as16625 akamai", "aaaa", "passive dns", "united kingdom", "whitelisted", "modification", "silence", "state", "hostname", "samples", "cover up", "silencing", "Iowa.gov", "dga", "fcc", "unsigned", "remote", "wiper", "nosy pega", "trojan", "unknown", "access denied", "servers", "creation date", "date", "next", "apple", "ssl certificate", "threat roundup", "march", "october", "july", "april", "whois record", "june", "roundup", "september", "august", "plugx", "goldfinder", "sibot", "hacktool", "february", "regsz", "english", "nsisinetc", "mozilla", "adobe air", "java", "http", "post http", "updater", "meta", "suspicious", "persistence", "execution", "referrer", "communicating", "skynet", "malicious", "gen.o", "dynamicloader", "cape", "enosch malware", "enosch", "music", "contacted", "pe resource", "resolutions", "siblings", "urls http" ], "references": [ "https://otx.alienvault.com/indicator/file/c98108ca8f4e0dd8a3f63d4ac490e115", "https://www.google.com/?authuser=0", "Wiper to Ransomware: The Evolution of Agrius - Sourced: ArcSight Threat Intelligence", "AS15133 MCI Communications Services Inc d b a Verizon Business, Loudon County, Va", "207 Iowa.gov domains and hosts acting as cyber security [cyberreason]", "iowa.gov, accidentreports.iowa.gov, beready.iowa.gov, affordableconnectivity.gov", "appanoosecounty.iowa.gov, bigben.iowa.gov [Ben Smith?]", "lacity.gov, auditortest.iowa.gov, broadband.iowa.gov, admin.auditor.iowa.gov,", "https://lacity.gov/san/index.htm, https://personnel.lacity.gov, https://lacity.gov/SAN,", "Domains Contacted: smtp.gmail.com www.google.com", "DGA Domain [affordableconnectivity.gov & GetInternet.gov] Home ACP Universal Service Administrative Company", "www.fcc.gov? DGA Domains : Certificate Subject\tUS 443 Certificate Subject\tDistrict of Columbia 443 Certificate Subject\tWashington 443 Certificate Subject\tFederal Communications Commission 443 Certificate Subject\tGovernment Entity 443 Certificate Subject\t1934-06-19 443 Certificate Subject\taffordableconnectivity.gov 443 Certificate Issuer\tEntrust, Inc. 443 Certificate Issuer\tSee www.entrust.net/legal-terms 443 Certificate Issuer", "(c) 2014 Entrust, Inc. - for authorized use only 443 Certificate Issuer\tEntrust Certification Authority - L1M", "https://www.clear.com.br/site/DirectTalk/Filter?botopenned=3Dtrue [???]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Belgium", "Netherlands", "Spain", "Australia", "Korea, Republic of", "Hong Kong" ], "malware_families": [ { "id": "Nullsoft_NSIS", "display_name": "Nullsoft_NSIS", "target": null }, { "id": "Win32:Agent-ASTI\\ [Trj]", "display_name": "Win32:Agent-ASTI\\ [Trj]", "target": null }, { "id": "Worm:Win32/Enosch!atmn", "display_name": "Worm:Win32/Enosch!atmn", "target": "/malware/Worm:Win32/Enosch!atmn" }, { "id": "Win.Trojan.Agent-357800", "display_name": "Win.Trojan.Agent-357800", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2701, "FileHash-SHA1": 1512, "FileHash-SHA256": 5351, "SSLCertFingerprint": 1, "URL": 1774, "email": 7, "hostname": 1170, "domain": 1209 }, "indicator_count": 13725, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "838 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a2f9200337f0d1fa195ada", "name": "Remote attack: Win32/Enosch.A gtalk connectivity check | High Priority", "description": "W32/Enosch.A!tr is classified as a Trojan. Trojan has the capabilities to remote access connection handling, perform Denial of Service (DoS) attacks. Worms automatically spread to other PCs. This threat can perform a number of actions of a malicious hacker's choice. This hacker is choosing to delete files, accounts, pulses, by graphs while acting as user. An authenticated use in browser bar https://www.google.com/?authuser=0.\n\nAttempts to modify,delete graphs, pulses, accounts, passwords. Acting as user.", "modified": "2024-02-12T20:02:49.516000", "created": "2024-01-13T20:57:04.197000", "tags": [ "default", "show", "regsetvalueexa", "search", "regdword", "medium", "settingswpad", "delete", "ids detections", "yara detections", "worm", "malware", "copy", "write", "win32", "first", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "graph community", "productidis", "urls", "mb iesettings", "related file", "cybersecurity", "agency", "csc corporate", "domains", "tucows domains", "nameweb bvba", "tucows", "google", "amazon02", "twitter", "ovh sas", "facebook", "incapsula", "optimizer", "activator", "kb program", "mb super", "kb acrotray", "1tzv", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "checks_debugger", "network_icmp", "network_smtp", "persistence_autorun", "modifies_proxy_wpad", "antivm_queries_computername", "dumped_buffer", "network_http", "antivm_network_adapters", "smtp_gmail", "attacking", "browser", "object", "deleted", "deleting", "deleted virustotal graphs", "corruption", "legal", "gvt", "adams co", "colorado", "law", "illegal practices", "hacking", "enter rexxfield", "roberts", "smith", "script urls", "as20940", "united", "a domains", "certificate", "showing", "entries", "entrust", "scan endpoints", "district", "as16625 akamai", "aaaa", "passive dns", "united kingdom", "whitelisted", "modification", "silence", "state", "hostname", "samples", "cover up", "silencing", "Iowa.gov", "dga", "fcc", "unsigned", "remote", "wiper", "nosy pega", "trojan", "unknown", "access denied", "servers", "creation date", "date", "next", "apple", "ssl certificate", "threat roundup", "march", "october", "july", "april", "whois record", "june", "roundup", "september", "august", "plugx", "goldfinder", "sibot", "hacktool", "february", "regsz", "english", "nsisinetc", "mozilla", "adobe air", "java", "http", "post http", "updater", "meta", "suspicious", "persistence", "execution", "referrer", "communicating", "skynet", "malicious", "gen.o", "dynamicloader", "cape", "enosch malware", "enosch", "music", "contacted", "pe resource", "resolutions", "siblings", "urls http" ], "references": [ "https://otx.alienvault.com/indicator/file/c98108ca8f4e0dd8a3f63d4ac490e115", "https://www.google.com/?authuser=0", "Wiper to Ransomware: The Evolution of Agrius - Sourced: ArcSight Threat Intelligence", "AS15133 MCI Communications Services Inc d b a Verizon Business, Loudon County, Va", "207 Iowa.gov domains and hosts acting as cyber security [cyberreason]", "iowa.gov, accidentreports.iowa.gov, beready.iowa.gov, affordableconnectivity.gov", "appanoosecounty.iowa.gov, bigben.iowa.gov [Ben Smith?]", "lacity.gov, auditortest.iowa.gov, broadband.iowa.gov, admin.auditor.iowa.gov,", "https://lacity.gov/san/index.htm, https://personnel.lacity.gov, https://lacity.gov/SAN,", "Domains Contacted: smtp.gmail.com www.google.com", "DGA Domain [affordableconnectivity.gov & GetInternet.gov] Home ACP Universal Service Administrative Company", "www.fcc.gov? DGA Domains : Certificate Subject\tUS 443 Certificate Subject\tDistrict of Columbia 443 Certificate Subject\tWashington 443 Certificate Subject\tFederal Communications Commission 443 Certificate Subject\tGovernment Entity 443 Certificate Subject\t1934-06-19 443 Certificate Subject\taffordableconnectivity.gov 443 Certificate Issuer\tEntrust, Inc. 443 Certificate Issuer\tSee www.entrust.net/legal-terms 443 Certificate Issuer", "(c) 2014 Entrust, Inc. - for authorized use only 443 Certificate Issuer\tEntrust Certification Authority - L1M", "https://www.clear.com.br/site/DirectTalk/Filter?botopenned=3Dtrue [???]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Belgium", "Netherlands", "Spain", "Australia", "Korea, Republic of", "Hong Kong" ], "malware_families": [ { "id": "Nullsoft_NSIS", "display_name": "Nullsoft_NSIS", "target": null }, { "id": "Win32:Agent-ASTI\\ [Trj]", "display_name": "Win32:Agent-ASTI\\ [Trj]", "target": null }, { "id": "Worm:Win32/Enosch!atmn", "display_name": "Worm:Win32/Enosch!atmn", "target": "/malware/Worm:Win32/Enosch!atmn" }, { "id": "Win.Trojan.Agent-357800", "display_name": "Win.Trojan.Agent-357800", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2701, "FileHash-SHA1": 1512, "FileHash-SHA256": 5351, "SSLCertFingerprint": 1, "URL": 1774, "email": 7, "hostname": 1170, "domain": 1209 }, "indicator_count": 13725, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "838 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark", "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark", "207 Iowa.gov domains and hosts acting as cyber security [cyberreason]", "https://www.google.com/?authuser=0", "iowa.gov, accidentreports.iowa.gov, beready.iowa.gov, affordableconnectivity.gov", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs", "Wiper to Ransomware: The Evolution of Agrius - Sourced: ArcSight Threat Intelligence", "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom", "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate", "AS15133 MCI Communications Services Inc d b a Verizon Business, Loudon County, Va", "(c) 2014 Entrust, Inc. - for authorized use only 443 Certificate Issuer\tEntrust Certification Authority - L1M", "lacity.gov, auditortest.iowa.gov, broadband.iowa.gov, admin.auditor.iowa.gov,", "https://www.clear.com.br/site/DirectTalk/Filter?botopenned=3Dtrue [???]", "https://otx.alienvault.com/indicator/file/c98108ca8f4e0dd8a3f63d4ac490e115", "www.fcc.gov? DGA Domains : Certificate Subject\tUS 443 Certificate Subject\tDistrict of Columbia 443 Certificate Subject\tWashington 443 Certificate Subject\tFederal Communications Commission 443 Certificate Subject\tGovernment Entity 443 Certificate Subject\t1934-06-19 443 Certificate Subject\taffordableconnectivity.gov 443 Certificate Issuer\tEntrust, Inc. 443 Certificate Issuer\tSee www.entrust.net/legal-terms 443 Certificate Issuer", "DGA Domain [affordableconnectivity.gov & GetInternet.gov] Home ACP Universal Service Administrative Company", "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary", "appanoosecounty.iowa.gov, bigben.iowa.gov [Ben Smith?]", "Domains Contacted: smtp.gmail.com www.google.com", "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95", "https://lacity.gov/san/index.htm, https://personnel.lacity.gov, https://lacity.gov/SAN," ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Nullsoft_nsis", "Win32:agent-asti\\ [trj]", "Worm:win32/enosch!atmn", "Win.trojan.agent-357800" ], "industries": [ "Education", "Government", "Technology" ], "unique_indicators": 20402 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/australiacbdoil.com", "whois": "http://whois.domaintools.com/australiacbdoil.com", "domain": "australiacbdoil.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "660b176a98b0c92ba5a962bc", "name": "\"No Problems\" - UAlberta TLD (Confirmed TLD - 08.04.24) & Subdomain compromise", "description": "Basically the above\n\n\"No Problems\", \"We are Unhackable\", etc. etc. causing problems.", "modified": "2024-09-04T05:01:56.993000", "created": "2024-04-01T20:22:02.851000", "tags": [ "BEC" ], "references": [ "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs", "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark", "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark", "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95", "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom", "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 233, "FileHash-SHA1": 230, "FileHash-SHA256": 6703, "URL": 4450, "CIDR": 3, "domain": 6223, "hostname": 2863, "email": 7, "CVE": 53 }, "indicator_count": 20765, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "634 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a2f9169d6996c1c928ac0b", "name": "Remote attack: Win32/Enosch.A gtalk connectivity check | High Priority", "description": "W32/Enosch.A!tr is classified as a Trojan. Trojan has the capabilities to remote access connection handling, perform Denial of Service (DoS) attacks. Worms automatically spread to other PCs. This threat can perform a number of actions of a malicious hacker's choice. This hacker is choosing to delete files, accounts, pulses, by graphs while acting as user. An authenticated use in browser bar https://www.google.com/?authuser=0.\n\nAttempts to modify,delete graphs, pulses, accounts, passwords. Acting as user.", "modified": "2024-02-12T20:02:49.516000", "created": "2024-01-13T20:56:54.333000", "tags": [ "default", "show", "regsetvalueexa", "search", "regdword", "medium", "settingswpad", "delete", "ids detections", "yara detections", "worm", "malware", "copy", "write", "win32", "first", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "graph community", "productidis", "urls", "mb iesettings", "related file", "cybersecurity", "agency", "csc corporate", "domains", "tucows domains", "nameweb bvba", "tucows", "google", "amazon02", "twitter", "ovh sas", "facebook", "incapsula", "optimizer", "activator", "kb program", "mb super", "kb acrotray", "1tzv", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "checks_debugger", "network_icmp", "network_smtp", "persistence_autorun", "modifies_proxy_wpad", "antivm_queries_computername", "dumped_buffer", "network_http", "antivm_network_adapters", "smtp_gmail", "attacking", "browser", "object", "deleted", "deleting", "deleted virustotal graphs", "corruption", "legal", "gvt", "adams co", "colorado", "law", "illegal practices", "hacking", "enter rexxfield", "roberts", "smith", "script urls", "as20940", "united", "a domains", "certificate", "showing", "entries", "entrust", "scan endpoints", "district", "as16625 akamai", "aaaa", "passive dns", "united kingdom", "whitelisted", "modification", "silence", "state", "hostname", "samples", "cover up", "silencing", "Iowa.gov", "dga", "fcc", "unsigned", "remote", "wiper", "nosy pega", "trojan", "unknown", "access denied", "servers", "creation date", "date", "next", "apple", "ssl certificate", "threat roundup", "march", "october", "july", "april", "whois record", "june", "roundup", "september", "august", "plugx", "goldfinder", "sibot", "hacktool", "february", "regsz", "english", "nsisinetc", "mozilla", "adobe air", "java", "http", "post http", "updater", "meta", "suspicious", "persistence", "execution", "referrer", "communicating", "skynet", "malicious", "gen.o", "dynamicloader", "cape", "enosch malware", "enosch", "music", "contacted", "pe resource", "resolutions", "siblings", "urls http" ], "references": [ "https://otx.alienvault.com/indicator/file/c98108ca8f4e0dd8a3f63d4ac490e115", "https://www.google.com/?authuser=0", "Wiper to Ransomware: The Evolution of Agrius - Sourced: ArcSight Threat Intelligence", "AS15133 MCI Communications Services Inc d b a Verizon Business, Loudon County, Va", "207 Iowa.gov domains and hosts acting as cyber security [cyberreason]", "iowa.gov, accidentreports.iowa.gov, beready.iowa.gov, affordableconnectivity.gov", "appanoosecounty.iowa.gov, bigben.iowa.gov [Ben Smith?]", "lacity.gov, auditortest.iowa.gov, broadband.iowa.gov, admin.auditor.iowa.gov,", "https://lacity.gov/san/index.htm, https://personnel.lacity.gov, https://lacity.gov/SAN,", "Domains Contacted: smtp.gmail.com www.google.com", "DGA Domain [affordableconnectivity.gov & GetInternet.gov] Home ACP Universal Service Administrative Company", "www.fcc.gov? DGA Domains : Certificate Subject\tUS 443 Certificate Subject\tDistrict of Columbia 443 Certificate Subject\tWashington 443 Certificate Subject\tFederal Communications Commission 443 Certificate Subject\tGovernment Entity 443 Certificate Subject\t1934-06-19 443 Certificate Subject\taffordableconnectivity.gov 443 Certificate Issuer\tEntrust, Inc. 443 Certificate Issuer\tSee www.entrust.net/legal-terms 443 Certificate Issuer", "(c) 2014 Entrust, Inc. - for authorized use only 443 Certificate Issuer\tEntrust Certification Authority - L1M", "https://www.clear.com.br/site/DirectTalk/Filter?botopenned=3Dtrue [???]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Belgium", "Netherlands", "Spain", "Australia", "Korea, Republic of", "Hong Kong" ], "malware_families": [ { "id": "Nullsoft_NSIS", "display_name": "Nullsoft_NSIS", "target": null }, { "id": "Win32:Agent-ASTI\\ [Trj]", "display_name": "Win32:Agent-ASTI\\ [Trj]", "target": null }, { "id": "Worm:Win32/Enosch!atmn", "display_name": "Worm:Win32/Enosch!atmn", "target": "/malware/Worm:Win32/Enosch!atmn" }, { "id": "Win.Trojan.Agent-357800", "display_name": "Win.Trojan.Agent-357800", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2701, "FileHash-SHA1": 1512, "FileHash-SHA256": 5351, "SSLCertFingerprint": 1, "URL": 1774, "email": 7, "hostname": 1170, "domain": 1209 }, "indicator_count": 13725, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "838 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65a2f9200337f0d1fa195ada", "name": "Remote attack: Win32/Enosch.A gtalk connectivity check | High Priority", "description": "W32/Enosch.A!tr is classified as a Trojan. Trojan has the capabilities to remote access connection handling, perform Denial of Service (DoS) attacks. Worms automatically spread to other PCs. This threat can perform a number of actions of a malicious hacker's choice. This hacker is choosing to delete files, accounts, pulses, by graphs while acting as user. An authenticated use in browser bar https://www.google.com/?authuser=0.\n\nAttempts to modify,delete graphs, pulses, accounts, passwords. Acting as user.", "modified": "2024-02-12T20:02:49.516000", "created": "2024-01-13T20:57:04.197000", "tags": [ "default", "show", "regsetvalueexa", "search", "regdword", "medium", "settingswpad", "delete", "ids detections", "yara detections", "worm", "malware", "copy", "write", "win32", "first", "utc submissions", "submitters", "cloudflarenet", "summary iocs", "graph community", "productidis", "urls", "mb iesettings", "related file", "cybersecurity", "agency", "csc corporate", "domains", "tucows domains", "nameweb bvba", "tucows", "google", "amazon02", "twitter", "ovh sas", "facebook", "incapsula", "optimizer", "activator", "kb program", "mb super", "kb acrotray", "1tzv", "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "checks_debugger", "network_icmp", "network_smtp", "persistence_autorun", "modifies_proxy_wpad", "antivm_queries_computername", "dumped_buffer", "network_http", "antivm_network_adapters", "smtp_gmail", "attacking", "browser", "object", "deleted", "deleting", "deleted virustotal graphs", "corruption", "legal", "gvt", "adams co", "colorado", "law", "illegal practices", "hacking", "enter rexxfield", "roberts", "smith", "script urls", "as20940", "united", "a domains", "certificate", "showing", "entries", "entrust", "scan endpoints", "district", "as16625 akamai", "aaaa", "passive dns", "united kingdom", "whitelisted", "modification", "silence", "state", "hostname", "samples", "cover up", "silencing", "Iowa.gov", "dga", "fcc", "unsigned", "remote", "wiper", "nosy pega", "trojan", "unknown", "access denied", "servers", "creation date", "date", "next", "apple", "ssl certificate", "threat roundup", "march", "october", "july", "april", "whois record", "june", "roundup", "september", "august", "plugx", "goldfinder", "sibot", "hacktool", "february", "regsz", "english", "nsisinetc", "mozilla", "adobe air", "java", "http", "post http", "updater", "meta", "suspicious", "persistence", "execution", "referrer", "communicating", "skynet", "malicious", "gen.o", "dynamicloader", "cape", "enosch malware", "enosch", "music", "contacted", "pe resource", "resolutions", "siblings", "urls http" ], "references": [ "https://otx.alienvault.com/indicator/file/c98108ca8f4e0dd8a3f63d4ac490e115", "https://www.google.com/?authuser=0", "Wiper to Ransomware: The Evolution of Agrius - Sourced: ArcSight Threat Intelligence", "AS15133 MCI Communications Services Inc d b a Verizon Business, Loudon County, Va", "207 Iowa.gov domains and hosts acting as cyber security [cyberreason]", "iowa.gov, accidentreports.iowa.gov, beready.iowa.gov, affordableconnectivity.gov", "appanoosecounty.iowa.gov, bigben.iowa.gov [Ben Smith?]", "lacity.gov, auditortest.iowa.gov, broadband.iowa.gov, admin.auditor.iowa.gov,", "https://lacity.gov/san/index.htm, https://personnel.lacity.gov, https://lacity.gov/SAN,", "Domains Contacted: smtp.gmail.com www.google.com", "DGA Domain [affordableconnectivity.gov & GetInternet.gov] Home ACP Universal Service Administrative Company", "www.fcc.gov? DGA Domains : Certificate Subject\tUS 443 Certificate Subject\tDistrict of Columbia 443 Certificate Subject\tWashington 443 Certificate Subject\tFederal Communications Commission 443 Certificate Subject\tGovernment Entity 443 Certificate Subject\t1934-06-19 443 Certificate Subject\taffordableconnectivity.gov 443 Certificate Issuer\tEntrust, Inc. 443 Certificate Issuer\tSee www.entrust.net/legal-terms 443 Certificate Issuer", "(c) 2014 Entrust, Inc. - for authorized use only 443 Certificate Issuer\tEntrust Certification Authority - L1M", "https://www.clear.com.br/site/DirectTalk/Filter?botopenned=3Dtrue [???]" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Belgium", "Netherlands", "Spain", "Australia", "Korea, Republic of", "Hong Kong" ], "malware_families": [ { "id": "Nullsoft_NSIS", "display_name": "Nullsoft_NSIS", "target": null }, { "id": "Win32:Agent-ASTI\\ [Trj]", "display_name": "Win32:Agent-ASTI\\ [Trj]", "target": null }, { "id": "Worm:Win32/Enosch!atmn", "display_name": "Worm:Win32/Enosch!atmn", "target": "/malware/Worm:Win32/Enosch!atmn" }, { "id": "Win.Trojan.Agent-357800", "display_name": "Win.Trojan.Agent-357800", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2701, "FileHash-SHA1": 1512, "FileHash-SHA256": 5351, "SSLCertFingerprint": 1, "URL": 1774, "email": 7, "hostname": 1170, "domain": 1209 }, "indicator_count": 13725, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "838 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://australiacbdoil.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://australiacbdoil.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780246244.9635077 }