{ "type": "URL", "indicator": "https://cloud-documents.com/doc/templates/agent.dotm", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://cloud-documents.com/doc/templates/agent.dotm", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3159528138, "indicator": "https://cloud-documents.com/doc/templates/agent.dotm", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "6103af154ae2e3373990e70c", "name": "Crimea manifesto deploys VBA Rat using double attack vectors", "description": "On July 21, 2021, Malwarebytes Labs identified a suspicious document named \"Manifest.docx\" that downloads and executes two templates: one is macro-enabled and the other is an html object that contains an Internet Explorer exploit.", "modified": "2021-07-30T08:07:08.498000", "created": "2021-07-30T07:49:40.537000", "tags": [ "VBA Rat", "macro-enabled", "Internet Explorer exploit", "CVE-2021-26411" ], "references": [ "https://blog.malwarebytes.com/threat-intelligence/2021/07/crimea-manifesto-deploys-vba-rat-using-double-attack-vectors/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 217, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2, "URL": 3, "domain": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 386514, "modified_text": "1766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6270484ec755b1f25221df5c", "name": "Killing The Bear - Campaign \"RIG Exploit Kit Redline\" (2022-05-02)", "description": "A new malicious attack is targeting systems that are not updated with the latest versions of Microsoft's web browser, according to security researchers from the Bitdefender security firm, who have identified the threat.", "modified": "2022-06-01T00:01:26.074000", "created": "2022-05-02T21:08:30.933000", "tags": [ "redline", "disguise redline", "cve202126411", "microsoft https", "analysis feb", "enki blog", "new redline", "malware march", "axel f", "insight team", "redline stealer", "stealer", "parsst", "stage", "list", "field2", "rig ek", "c2 server", "bitdefender", "bytescount", "dword", "trojan", "null", "main", "malware", "first", "config", "target", "crypto", "phantom", "discord", "paris", "milan", "timisoara", "deploying redline", "exploit kit", "zingostealer", "rig exploit", "kit deploying", "kit campaign", "html file", "microsoft edge", "microsoft", "march" ], "references": [ "https://latesthackingnews.com/2022/05/02/new-rig-exploit-kit-campaign-drops-redline-stealer-malware/", "https://www.bitdefender.com/files/News/CaseStudies/study/415/Bitdefender-PR-Whitepaper-RedLine-creat6109-en-EN.pdf", "https://killingthebear.jorgetesta.tech/campaigns/rig-exploit-kit-redline" ], "public": 1, "adversary": "Keksec", "targeted_countries": [], "malware_families": [ { "id": "Disguise RedLine", "display_name": "Disguise RedLine", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "ZingoStealer", "display_name": "ZingoStealer", "target": null }, { "id": "Exploit Kit", "display_name": "Exploit Kit", "target": null }, { "id": "Deploying Redline", "display_name": "Deploying Redline", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "JTestaTech", "id": "176400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_176400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "URL": 8, "FileHash-MD5": 6, "domain": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 3 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "1460 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://blog.malwarebytes.com/threat-intelligence/2021/07/crimea-manifesto-deploys-vba-rat-using-double-attack-vectors/", "https://latesthackingnews.com/2022/05/02/new-rig-exploit-kit-campaign-drops-redline-stealer-malware/", "https://killingthebear.jorgetesta.tech/campaigns/rig-exploit-kit-redline", "https://www.bitdefender.com/files/News/CaseStudies/study/415/Bitdefender-PR-Whitepaper-RedLine-creat6109-en-EN.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 7 }, "other": { "adversary": [ "Keksec" ], "malware_families": [ "Disguise redline", "Exploit kit", "Zingostealer", "Redline", "Deploying redline" ], "industries": [], "unique_indicators": 29 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/cloud-documents.com", "whois": "http://whois.domaintools.com/cloud-documents.com", "domain": "cloud-documents.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "6103af154ae2e3373990e70c", "name": "Crimea manifesto deploys VBA Rat using double attack vectors", "description": "On July 21, 2021, Malwarebytes Labs identified a suspicious document named \"Manifest.docx\" that downloads and executes two templates: one is macro-enabled and the other is an html object that contains an Internet Explorer exploit.", "modified": "2021-07-30T08:07:08.498000", "created": "2021-07-30T07:49:40.537000", "tags": [ "VBA Rat", "macro-enabled", "Internet Explorer exploit", "CVE-2021-26411" ], "references": [ "https://blog.malwarebytes.com/threat-intelligence/2021/07/crimea-manifesto-deploys-vba-rat-using-double-attack-vectors/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 217, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 2, "URL": 3, "domain": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 386514, "modified_text": "1766 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6270484ec755b1f25221df5c", "name": "Killing The Bear - Campaign \"RIG Exploit Kit Redline\" (2022-05-02)", "description": "A new malicious attack is targeting systems that are not updated with the latest versions of Microsoft's web browser, according to security researchers from the Bitdefender security firm, who have identified the threat.", "modified": "2022-06-01T00:01:26.074000", "created": "2022-05-02T21:08:30.933000", "tags": [ "redline", "disguise redline", "cve202126411", "microsoft https", "analysis feb", "enki blog", "new redline", "malware march", "axel f", "insight team", "redline stealer", "stealer", "parsst", "stage", "list", "field2", "rig ek", "c2 server", "bitdefender", "bytescount", "dword", "trojan", "null", "main", "malware", "first", "config", "target", "crypto", "phantom", "discord", "paris", "milan", "timisoara", "deploying redline", "exploit kit", "zingostealer", "rig exploit", "kit deploying", "kit campaign", "html file", "microsoft edge", "microsoft", "march" ], "references": [ "https://latesthackingnews.com/2022/05/02/new-rig-exploit-kit-campaign-drops-redline-stealer-malware/", "https://www.bitdefender.com/files/News/CaseStudies/study/415/Bitdefender-PR-Whitepaper-RedLine-creat6109-en-EN.pdf", "https://killingthebear.jorgetesta.tech/campaigns/rig-exploit-kit-redline" ], "public": 1, "adversary": "Keksec", "targeted_countries": [], "malware_families": [ { "id": "Disguise RedLine", "display_name": "Disguise RedLine", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "ZingoStealer", "display_name": "ZingoStealer", "target": null }, { "id": "Exploit Kit", "display_name": "Exploit Kit", "target": null }, { "id": "Deploying Redline", "display_name": "Deploying Redline", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "JTestaTech", "id": "176400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_176400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "URL": 8, "FileHash-MD5": 6, "domain": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 3 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "1460 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://cloud-documents.com/doc/templates/agent.dotm", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://cloud-documents.com/doc/templates/agent.dotm", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780224641.8495317 }