{
  "type": "URL",
  "indicator": "https://bluelotus.mail-gdrive.com/Services.msi",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://bluelotus.mail-gdrive.com/Services.msi",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3650114160,
      "indicator": "https://bluelotus.mail-gdrive.com/Services.msi",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 9,
      "pulses": [
        {
          "id": "643714b8ab5d85283dc29132",
          "name": "Bitter Group distributes CHM malware to Chinese institutions",
          "description": "Bitter (T-APT-17) is an attack group that mainly targets South Asian government agencies and has used Office documents such as Word and Excel to distribute malware. The AhnLab Security Emergency Response Center (ASEC) recently confirmed that the Bitter Group distributed CHM malware to specific organizations in China. CHM files have been used in APT attacks by various attack groups since the beginning of this year and have been introduced several times on the ASEC blog.",
          "modified": "2023-04-12T20:29:42.392000",
          "created": "2023-04-12T20:29:42.392000",
          "tags": [
            "bitter group",
            "dll sideloading",
            "chm malware",
            "compressed",
            "apt",
            "phishing",
            "microsoft office"
          ],
          "references": [
            "https://asec.ahnlab.com/ko/50851/"
          ],
          "public": 1,
          "adversary": "Bitter Group",
          "targeted_countries": [
            "China"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1007",
              "name": "System Service Discovery",
              "display_name": "T1007 - System Service Discovery"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 364,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 3,
            "hostname": 2
          },
          "indicator_count": 11,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386542,
          "modified_text": "1144 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64cccd4b2e1e63629d542eac",
          "name": "aaaaaaaaaaaa",
          "description": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
          "modified": "2023-08-04T10:04:59.144000",
          "created": "2023-08-04T10:04:59.144000",
          "tags": [
            "url http"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "12yO4tkRL2eElwFXMvFw",
            "id": "197248",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 29,
            "FileHash-SHA1": 20,
            "FileHash-SHA256": 20,
            "URL": 2,
            "domain": 12,
            "hostname": 5
          },
          "indicator_count": 88,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 31,
          "modified_text": "1031 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "642376d69766b6feb6e46df6",
          "name": "InQuest - 28-03-2023",
          "description": "",
          "modified": "2023-04-27T23:00:42.616000",
          "created": "2023-03-28T23:23:02.048000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 889,
            "URL": 1468,
            "hostname": 297,
            "FileHash-SHA256": 199,
            "FileHash-MD5": 54,
            "FileHash-SHA1": 11
          },
          "indicator_count": 2918,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1623,
          "modified_text": "1129 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6420d63c6fef4cd533126f12",
          "name": "InQuest - 26-03-2023",
          "description": "",
          "modified": "2023-04-25T23:00:38.583000",
          "created": "2023-03-26T23:33:16.580000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 143,
            "URL": 1745,
            "hostname": 220,
            "domain": 1266,
            "FileHash-MD5": 13,
            "FileHash-SHA1": 8
          },
          "indicator_count": 3395,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1621,
          "modified_text": "1131 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "641f9134764d8ffe7b7dc2c2",
          "name": "InQuest - 25-03-2023",
          "description": "",
          "modified": "2023-04-25T00:05:37.678000",
          "created": "2023-03-26T00:26:28.383000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 309,
            "domain": 1166,
            "URL": 1794,
            "hostname": 244,
            "FileHash-MD5": 11,
            "FileHash-SHA1": 7
          },
          "indicator_count": 3531,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1622,
          "modified_text": "1132 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "641e3e1fb27dd0e61de60f24",
          "name": "InQuest - 24-03-2023",
          "description": "",
          "modified": "2023-04-24T00:04:14.074000",
          "created": "2023-03-25T00:19:43.421000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1250,
            "URL": 1833,
            "FileHash-SHA256": 297,
            "hostname": 278,
            "FileHash-MD5": 27,
            "FileHash-SHA1": 11
          },
          "indicator_count": 3696,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1621,
          "modified_text": "1133 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "643ce7928296761bc22cbcdf",
          "name": "Bitter Group distributes CHM malware to Chinese institutions",
          "description": "",
          "modified": "2023-04-17T06:30:42.421000",
          "created": "2023-04-17T06:30:42.421000",
          "tags": [
            "bitter group",
            "dll sideloading",
            "chm malware",
            "compressed",
            "apt",
            "phishing",
            "microsoft office"
          ],
          "references": [
            "https://asec.ahnlab.com/ko/50851/"
          ],
          "public": 1,
          "adversary": "Bitter Group",
          "targeted_countries": [
            "China"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1007",
              "name": "System Service Discovery",
              "display_name": "T1007 - System Service Discovery"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6438e4a2eef1895ef0c12be9",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 3,
            "hostname": 2
          },
          "indicator_count": 11,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "1140 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64391cd2a9a3b3be9f8d869d",
          "name": "Bitter Group Distributes CHM Malware to Chinese Organizations - ASEC BLOG",
          "description": "A North Korean security agency (ASEC) has identified a new strain of malicious computer malware (CHM) that was being distributed in emails from a group known as T-APT-17.",
          "modified": "2023-04-14T09:28:50.377000",
          "created": "2023-04-14T09:28:50.377000",
          "tags": [
            "chm file",
            "msi file",
            "dll sideloading",
            "c dir",
            "ahnlab",
            "bitter",
            "tapt17",
            "south",
            "word",
            "excel",
            "screen"
          ],
          "references": [
            "https://asec.ahnlab.com/en/51043/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 3,
            "domain": 1,
            "hostname": 2
          },
          "indicator_count": 12,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "1143 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6438e4a2eef1895ef0c12be9",
          "name": "Bitter Group distributes CHM malware to Chinese institutions",
          "description": "",
          "modified": "2023-04-14T05:29:06.604000",
          "created": "2023-04-14T05:29:06.604000",
          "tags": [
            "bitter group",
            "dll sideloading",
            "chm malware",
            "compressed",
            "apt",
            "phishing",
            "microsoft office"
          ],
          "references": [
            "https://asec.ahnlab.com/ko/50851/"
          ],
          "public": 1,
          "adversary": "Bitter Group",
          "targeted_countries": [
            "China"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1007",
              "name": "System Service Discovery",
              "display_name": "T1007 - System Service Discovery"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "643714b8ab5d85283dc29132",
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 3,
            "hostname": 2
          },
          "indicator_count": 11,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "1143 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://labs.inquest.net/iocdb",
        "https://asec.ahnlab.com/en/51043/",
        "https://asec.ahnlab.com/ko/50851/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Bitter Group"
          ],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 11
        },
        "other": {
          "adversary": [
            "Bitter Group"
          ],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 10234
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/mail-gdrive.com",
    "whois": "http://whois.domaintools.com/mail-gdrive.com",
    "domain": "mail-gdrive.com",
    "hostname": "bluelotus.mail-gdrive.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 9,
  "pulses": [
    {
      "id": "643714b8ab5d85283dc29132",
      "name": "Bitter Group distributes CHM malware to Chinese institutions",
      "description": "Bitter (T-APT-17) is an attack group that mainly targets South Asian government agencies and has used Office documents such as Word and Excel to distribute malware. The AhnLab Security Emergency Response Center (ASEC) recently confirmed that the Bitter Group distributed CHM malware to specific organizations in China. CHM files have been used in APT attacks by various attack groups since the beginning of this year and have been introduced several times on the ASEC blog.",
      "modified": "2023-04-12T20:29:42.392000",
      "created": "2023-04-12T20:29:42.392000",
      "tags": [
        "bitter group",
        "dll sideloading",
        "chm malware",
        "compressed",
        "apt",
        "phishing",
        "microsoft office"
      ],
      "references": [
        "https://asec.ahnlab.com/ko/50851/"
      ],
      "public": 1,
      "adversary": "Bitter Group",
      "targeted_countries": [
        "China"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1007",
          "name": "System Service Discovery",
          "display_name": "T1007 - System Service Discovery"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 364,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 3,
        "hostname": 2
      },
      "indicator_count": 11,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386542,
      "modified_text": "1144 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64cccd4b2e1e63629d542eac",
      "name": "aaaaaaaaaaaa",
      "description": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
      "modified": "2023-08-04T10:04:59.144000",
      "created": "2023-08-04T10:04:59.144000",
      "tags": [
        "url http"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "12yO4tkRL2eElwFXMvFw",
        "id": "197248",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 29,
        "FileHash-SHA1": 20,
        "FileHash-SHA256": 20,
        "URL": 2,
        "domain": 12,
        "hostname": 5
      },
      "indicator_count": 88,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 31,
      "modified_text": "1031 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "642376d69766b6feb6e46df6",
      "name": "InQuest - 28-03-2023",
      "description": "",
      "modified": "2023-04-27T23:00:42.616000",
      "created": "2023-03-28T23:23:02.048000",
      "tags": [],
      "references": [
        "https://labs.inquest.net/iocdb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 889,
        "URL": 1468,
        "hostname": 297,
        "FileHash-SHA256": 199,
        "FileHash-MD5": 54,
        "FileHash-SHA1": 11
      },
      "indicator_count": 2918,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1623,
      "modified_text": "1129 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6420d63c6fef4cd533126f12",
      "name": "InQuest - 26-03-2023",
      "description": "",
      "modified": "2023-04-25T23:00:38.583000",
      "created": "2023-03-26T23:33:16.580000",
      "tags": [],
      "references": [
        "https://labs.inquest.net/iocdb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 143,
        "URL": 1745,
        "hostname": 220,
        "domain": 1266,
        "FileHash-MD5": 13,
        "FileHash-SHA1": 8
      },
      "indicator_count": 3395,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1621,
      "modified_text": "1131 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "641f9134764d8ffe7b7dc2c2",
      "name": "InQuest - 25-03-2023",
      "description": "",
      "modified": "2023-04-25T00:05:37.678000",
      "created": "2023-03-26T00:26:28.383000",
      "tags": [],
      "references": [
        "https://labs.inquest.net/iocdb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 309,
        "domain": 1166,
        "URL": 1794,
        "hostname": 244,
        "FileHash-MD5": 11,
        "FileHash-SHA1": 7
      },
      "indicator_count": 3531,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1622,
      "modified_text": "1132 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "641e3e1fb27dd0e61de60f24",
      "name": "InQuest - 24-03-2023",
      "description": "",
      "modified": "2023-04-24T00:04:14.074000",
      "created": "2023-03-25T00:19:43.421000",
      "tags": [],
      "references": [
        "https://labs.inquest.net/iocdb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1250,
        "URL": 1833,
        "FileHash-SHA256": 297,
        "hostname": 278,
        "FileHash-MD5": 27,
        "FileHash-SHA1": 11
      },
      "indicator_count": 3696,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1621,
      "modified_text": "1133 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "643ce7928296761bc22cbcdf",
      "name": "Bitter Group distributes CHM malware to Chinese institutions",
      "description": "",
      "modified": "2023-04-17T06:30:42.421000",
      "created": "2023-04-17T06:30:42.421000",
      "tags": [
        "bitter group",
        "dll sideloading",
        "chm malware",
        "compressed",
        "apt",
        "phishing",
        "microsoft office"
      ],
      "references": [
        "https://asec.ahnlab.com/ko/50851/"
      ],
      "public": 1,
      "adversary": "Bitter Group",
      "targeted_countries": [
        "China"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1007",
          "name": "System Service Discovery",
          "display_name": "T1007 - System Service Discovery"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "6438e4a2eef1895ef0c12be9",
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 3,
        "hostname": 2
      },
      "indicator_count": 11,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "1140 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64391cd2a9a3b3be9f8d869d",
      "name": "Bitter Group Distributes CHM Malware to Chinese Organizations - ASEC BLOG",
      "description": "The AhnLab Security Emergency Response Center (ASEC) has identified a new strain of CHM malware that was being distributed in emails from a group known as T-APT-17.",
      "modified": "2023-04-14T09:28:50.377000",
      "created": "2023-04-14T09:28:50.377000",
      "tags": [
        "chm file",
        "msi file",
        "dll sideloading",
        "c dir",
        "ahnlab",
        "bitter",
        "tapt17",
        "south",
        "word",
        "excel",
        "screen"
      ],
      "references": [
        "https://asec.ahnlab.com/en/51043/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 3,
        "domain": 1,
        "hostname": 2
      },
      "indicator_count": 12,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "1143 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6438e4a2eef1895ef0c12be9",
      "name": "Bitter Group distributes CHM malware to Chinese institutions",
      "description": "",
      "modified": "2023-04-14T05:29:06.604000",
      "created": "2023-04-14T05:29:06.604000",
      "tags": [
        "bitter group",
        "dll sideloading",
        "chm malware",
        "compressed",
        "apt",
        "phishing",
        "microsoft office"
      ],
      "references": [
        "https://asec.ahnlab.com/ko/50851/"
      ],
      "public": 1,
      "adversary": "Bitter Group",
      "targeted_countries": [
        "China"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1007",
          "name": "System Service Discovery",
          "display_name": "T1007 - System Service Discovery"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "643714b8ab5d85283dc29132",
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 3,
        "hostname": 2
      },
      "indicator_count": 11,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 186,
      "modified_text": "1143 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://bluelotus.mail-gdrive.com/Services.msi",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://bluelotus.mail-gdrive.com/Services.msi",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780237837.8973885
}