{ "type": "URL", "indicator": "https://cpcontacts.dgpanama.net", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://cpcontacts.dgpanama.net", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 2944880890, "indicator": "https://cpcontacts.dgpanama.net", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "68bbf3e40e3ce8a74aa89545", "name": "HCPF \u2022 The intricate relationships between the FIN7 group and members of the Conti gang", "description": "", "modified": "2025-10-06T08:03:23.285000", "created": "2025-09-06T08:42:12.787000", "tags": [ "present feb", "united", "a domains", "present dec", "passive dns", "moved", "script domains", "script urls", "search", "title", "date", "http traffic", "http get", "match info", "downloads", "info", "https http", "mitre att", "control ta0011", "protocol t1071", "protocol t1095", "get http", "dns resolutions", "number", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "corporation cus", "algorithm", "cnamazon rsa", "m03 oamazon", "thumbprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "ascii text", "ogoogle trust", "cngts ca", "execution", "next", "dock", "write", "capture", "persistence", "malware", "roboto", "android", "known exploited", "google", "salesloft drift", "sap s4hana", "cve202542957", "cisa", "sitecore", "linux", "france", "meta", "rokrat", "lizar", "project nemesis", "carbanak", "cobalt strike", "domino", "yara detections", "contacted", "av detections", "ids detections", "alerts", "analysis date", "file score", "malicious ids", "detections tls", "indicator role", "title added", "active related", "entries", "role title", "added active", "filehashmd5", "ipv4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lizar", "display_name": "Lizar", "target": null }, { "id": "Project Nemesis", "display_name": "Project Nemesis", "target": null }, { "id": "Carbanak", "display_name": "Carbanak", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Domino", "display_name": "Domino", "target": null }, { "id": "RokRAT", "display_name": "RokRAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Hospitality", "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 539, "FileHash-SHA1": 389, "FileHash-SHA256": 3386, "domain": 862, "hostname": 1155, "URL": 4091, "CVE": 3, "SSLCertFingerprint": 5 }, "indicator_count": 10430, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "237 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68aff672de7f1b65a97c00b1", "name": "WarzoneRAT impacts Social Media of users with compromised systems", "description": "Injection affects compromised user/s social media accounts including YouTube. Uploads to social media accounts from infected systems divert to adversary\u2019s alt YouTube media center labeled \u2018watch\u2019 instead of YouTube . Remote access observed. Threat actor has full access , cnc , devices, personal information, images, contacts, network, private information including all financial information. \n \nAlt / adversarial Pinterest, Tumblr, YouTube, Facebook, Twitter / X, Instagram , LinkedIn", "modified": "2025-09-27T05:00:09.125000", "created": "2025-08-28T06:25:54.794000", "tags": [ "d10927", "mp41", "mp41 connection", "r connection", "ip address", "dynamicloader", "write c", "globalc", "medium", "high", "write", "dll read", "trojan", "delphi", "win32", "dialer", "tracking", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "t1590 gather", "mitre att", "ck matrix", "null", "click", "title", "span", "meta", "general", "local", "path", "strings", "refresh", "tools", "virgin islands", "united", "unknown ns", "a domains", "montserrat", "passive dns", "ipv4", "urls", "files", "hosting", "trojandropper", "location virgin", "msie", "windows nt", "wow64", "slcc2", "media center", "item", "has description", "unknown", "explorer", "error", "powershell", "yara rule", "windows", "t1055", "warzonerat", "avemaria", "virtool", "netwire", "malware", "hostile", "autoit", "defender", "date", "bq aug", "next associated", "ipv4 add", "resolved ips", "get http", "request", "win64", "khtml", "gecko", "resolutions", "number", "ja3s", "algorithm", "cnr12 cus", "cname", "accept", "port", "gmt ifnonematch", "screenshots no", "involved dns", "name response", "nxdomain", "tcp connections", "involved direct", "country name", "moved", "alone email", "body doctype", "gmt server", "content type", "service privacy", "cve" ], "references": [ "http://remote.edikamin.com/", "http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C", "http://deposito.hostance.net/dialer/", "Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT", "Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net", "DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net", "Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1", "simswap.in (possible Mirai or relationship to)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Virgin Islands, British" ], "malware_families": [ { "id": "Trojan:Win32/Diamin.F", "display_name": "Trojan:Win32/Diamin.F", "target": "/malware/Trojan:Win32/Diamin.F" }, { "id": "Dialer", "display_name": "Dialer", "target": null }, { "id": "Win32:CabMod\\ [Drp]", "display_name": "Win32:CabMod\\ [Drp]", "target": null }, { "id": "TrojanDropper:Win32/Hupigon.gen!A", "display_name": "TrojanDropper:Win32/Hupigon.gen!A", "target": "/malware/TrojanDropper:Win32/Hupigon.gen!A" }, { "id": "ALF:HeraklezEval:PUA:Win32/Keygen", "display_name": "ALF:HeraklezEval:PUA:Win32/Keygen", "target": null }, { "id": "Trojan:Win32/Startpage.AEA", "display_name": "Trojan:Win32/Startpage.AEA", "target": "/malware/Trojan:Win32/Startpage.AEA" }, { "id": "Banload", "display_name": "Banload", "target": null }, { "id": "TrojanDownloader:Win32/Banload.D", "display_name": "TrojanDownloader:Win32/Banload.D", "target": "/malware/TrojanDownloader:Win32/Banload.D" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "!#AddsCopy-ToStartup", "display_name": "!#AddsCopy-ToStartup", "target": null }, { "id": "VirTool:Win32/AutInject.CZ!bit", "display_name": "VirTool:Win32/AutInject.CZ!bit", "target": "/malware/VirTool:Win32/AutInject.CZ!bit" }, { "id": "Win.Trojan.Agent-316098", "display_name": "Win.Trojan.Agent-316098", "target": null }, { "id": "virtool:Win32/Injector.gen!BQ", "display_name": "virtool:Win32/Injector.gen!BQ", "target": "/malware/virtool:Win32/Injector.gen!BQ" }, { "id": "WarzoneRAT - S0670", "display_name": "WarzoneRAT - S0670", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [ "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4194, "hostname": 1563, "FileHash-SHA256": 2494, "domain": 624, "FileHash-MD5": 274, "FileHash-SHA1": 226, "email": 1, "CVE": 1 }, "indicator_count": 9377, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570959fb2297900eabc7fc9", "name": "dns.google - 8.8.8.8 - oh how google is not in control of their DNS", "description": "", "modified": "2023-12-06T15:39:11.260000", "created": "2023-12-06T15:39:11.260000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 756, "FileHash-MD5": 14, "FileHash-SHA1": 14, "domain": 224, "URL": 598, "hostname": 222 }, "indicator_count": 1828, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63a857bf585af25350972d0c", "name": "dns.google - 8.8.8.8 - oh how google is not in control of their DNS", "description": "", "modified": "2023-01-24T12:00:24.101000", "created": "2022-12-25T14:01:35.401000", "tags": [ "vb.cu", "dns.google", "no.ip", "gvt1.com", "whitelisted ip's = big problems when DNS is controlled by threat" ], "references": [ "Chrstmas morning when you cant even look at your kids" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "nUFS_svfohigh", "display_name": "nUFS_svfohigh", "target": null }, { "id": "nUFS_7z", "display_name": "nUFS_7z", "target": null }, { "id": "KnownMaliciousObfuscation", "display_name": "KnownMaliciousObfuscation", "target": null }, { "id": "ConventionEngine_Term_Users", "display_name": "ConventionEngine_Term_Users", "target": null }, { "id": "Virus:Win32/Neverdie", "display_name": "Virus:Win32/Neverdie", "target": "/malware/Virus:Win32/Neverdie" }, { "id": "Virus:Win32/Nabucur", "display_name": "Virus:Win32/Nabucur", "target": "/malware/Virus:Win32/Nabucur" }, { "id": "APT Ransomware v.2", "display_name": "APT Ransomware v.2", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 224, "URL": 598, "hostname": 222, "FileHash-SHA256": 756, "FileHash-MD5": 14, "FileHash-SHA1": 14 }, "indicator_count": 1828, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "1223 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://remote.edikamin.com/", "Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net", "Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1", "http://deposito.hostance.net/dialer/", "Chrstmas morning when you cant even look at your kids", "http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C", "simswap.in (possible Mirai or relationship to)", "DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net", "Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win32:cabmod\\ [drp]", "Virus:win32/nabucur", "Nufs_svfohigh", "Warzonerat - s0670", "Nufs_7z", "Knownmaliciousobfuscation", "Conventionengine_term_users", "Cve-2023-22518", "Rokrat", "Banload", "Project nemesis", "Virtool:win32/injector.gen!bq", "Alf:heraklezeval:pua:win32/keygen", "Carbanak", "Apt ransomware v.2", "!#addscopy-tostartup", "Trojan:win32/diamin.f", "Virtool:win32/autinject.cz!bit", "Win.trojan.agent-316098", "Win32:evo-gen", "Virus:win32/neverdie", "Trojandropper:win32/hupigon.gen!a", "Trojan:win32/startpage.aea", "Dialer", "Lizar", "Domino", "Cobalt strike", "Trojandownloader:win32/banload.d" ], "industries": [ "Financial", "Telecommunications", "Hospitality", "Technology", "Media" ], "unique_indicators": 21352 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/dgpanama.net", "whois": "http://whois.domaintools.com/dgpanama.net", "domain": "dgpanama.net", "hostname": "cpcontacts.dgpanama.net" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "68bbf3e40e3ce8a74aa89545", "name": "HCPF \u2022 The intricate relationships between the FIN7 group and members of the Conti gang", "description": "", "modified": "2025-10-06T08:03:23.285000", "created": "2025-09-06T08:42:12.787000", "tags": [ "present feb", "united", "a domains", "present dec", "passive dns", "moved", "script domains", "script urls", "search", "title", "date", "http traffic", "http get", "match info", "downloads", "info", "https http", "mitre att", "control ta0011", "protocol t1071", "protocol t1095", "get http", "dns resolutions", "number", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "corporation cus", "algorithm", "cnamazon rsa", "m03 oamazon", "thumbprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "ascii text", "ogoogle trust", "cngts ca", "execution", "next", "dock", "write", "capture", "persistence", "malware", "roboto", "android", "known exploited", "google", "salesloft drift", "sap s4hana", "cve202542957", "cisa", "sitecore", "linux", "france", "meta", "rokrat", "lizar", "project nemesis", "carbanak", "cobalt strike", "domino", "yara detections", "contacted", "av detections", "ids detections", "alerts", "analysis date", "file score", "malicious ids", "detections tls", "indicator role", "title added", "active related", "entries", "role title", "added active", "filehashmd5", "ipv4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lizar", "display_name": "Lizar", "target": null }, { "id": "Project Nemesis", "display_name": "Project Nemesis", "target": null }, { "id": "Carbanak", "display_name": "Carbanak", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Domino", "display_name": "Domino", "target": null }, { "id": "RokRAT", "display_name": "RokRAT", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Hospitality", "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 539, "FileHash-SHA1": 389, "FileHash-SHA256": 3386, "domain": 862, "hostname": 1155, "URL": 4091, "CVE": 3, "SSLCertFingerprint": 5 }, "indicator_count": 10430, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "237 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68aff672de7f1b65a97c00b1", "name": "WarzoneRAT impacts Social Media of users with compromised systems", "description": "Injection affects compromised user/s social media accounts including YouTube. Uploads to social media accounts from infected systems divert to adversary\u2019s alt YouTube media center labeled \u2018watch\u2019 instead of YouTube . Remote access observed. Threat actor has full access , cnc , devices, personal information, images, contacts, network, private information including all financial information. \n \nAlt / adversarial Pinterest, Tumblr, YouTube, Facebook, Twitter / X, Instagram , LinkedIn", "modified": "2025-09-27T05:00:09.125000", "created": "2025-08-28T06:25:54.794000", "tags": [ "d10927", "mp41", "mp41 connection", "r connection", "ip address", "dynamicloader", "write c", "globalc", "medium", "high", "write", "dll read", "trojan", "delphi", "win32", "dialer", "tracking", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "t1590 gather", "mitre att", "ck matrix", "null", "click", "title", "span", "meta", "general", "local", "path", "strings", "refresh", "tools", "virgin islands", "united", "unknown ns", "a domains", "montserrat", "passive dns", "ipv4", "urls", "files", "hosting", "trojandropper", "location virgin", "msie", "windows nt", "wow64", "slcc2", "media center", "item", "has description", "unknown", "explorer", "error", "powershell", "yara rule", "windows", "t1055", "warzonerat", "avemaria", "virtool", "netwire", "malware", "hostile", "autoit", "defender", "date", "bq aug", "next associated", "ipv4 add", "resolved ips", "get http", "request", "win64", "khtml", "gecko", "resolutions", "number", "ja3s", "algorithm", "cnr12 cus", "cname", "accept", "port", "gmt ifnonematch", "screenshots no", "involved dns", "name response", "nxdomain", "tcp connections", "involved direct", "country name", "moved", "alone email", "body doctype", "gmt server", "content type", "service privacy", "cve" ], "references": [ "http://remote.edikamin.com/", "http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C", "http://deposito.hostance.net/dialer/", "Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT", "Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net", "DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net", "Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1", "simswap.in (possible Mirai or relationship to)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Virgin Islands, British" ], "malware_families": [ { "id": "Trojan:Win32/Diamin.F", "display_name": "Trojan:Win32/Diamin.F", "target": "/malware/Trojan:Win32/Diamin.F" }, { "id": "Dialer", "display_name": "Dialer", "target": null }, { "id": "Win32:CabMod\\ [Drp]", "display_name": "Win32:CabMod\\ [Drp]", "target": null }, { "id": "TrojanDropper:Win32/Hupigon.gen!A", "display_name": "TrojanDropper:Win32/Hupigon.gen!A", "target": "/malware/TrojanDropper:Win32/Hupigon.gen!A" }, { "id": "ALF:HeraklezEval:PUA:Win32/Keygen", "display_name": "ALF:HeraklezEval:PUA:Win32/Keygen", "target": null }, { "id": "Trojan:Win32/Startpage.AEA", "display_name": "Trojan:Win32/Startpage.AEA", "target": "/malware/Trojan:Win32/Startpage.AEA" }, { "id": "Banload", "display_name": "Banload", "target": null }, { "id": "TrojanDownloader:Win32/Banload.D", "display_name": "TrojanDownloader:Win32/Banload.D", "target": "/malware/TrojanDownloader:Win32/Banload.D" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "!#AddsCopy-ToStartup", "display_name": "!#AddsCopy-ToStartup", "target": null }, { "id": "VirTool:Win32/AutInject.CZ!bit", "display_name": "VirTool:Win32/AutInject.CZ!bit", "target": "/malware/VirTool:Win32/AutInject.CZ!bit" }, { "id": "Win.Trojan.Agent-316098", "display_name": "Win.Trojan.Agent-316098", "target": null }, { "id": "virtool:Win32/Injector.gen!BQ", "display_name": "virtool:Win32/Injector.gen!BQ", "target": "/malware/virtool:Win32/Injector.gen!BQ" }, { "id": "WarzoneRAT - S0670", "display_name": "WarzoneRAT - S0670", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [ "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4194, "hostname": 1563, "FileHash-SHA256": 2494, "domain": 624, "FileHash-MD5": 274, "FileHash-SHA1": 226, "email": 1, "CVE": 1 }, "indicator_count": 9377, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570959fb2297900eabc7fc9", "name": "dns.google - 8.8.8.8 - oh how google is not in control of their DNS", "description": "", "modified": "2023-12-06T15:39:11.260000", "created": "2023-12-06T15:39:11.260000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 756, "FileHash-MD5": 14, "FileHash-SHA1": 14, "domain": 224, "URL": 598, "hostname": 222 }, "indicator_count": 1828, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63a857bf585af25350972d0c", "name": "dns.google - 8.8.8.8 - oh how google is not in control of their DNS", "description": "", "modified": "2023-01-24T12:00:24.101000", "created": "2022-12-25T14:01:35.401000", "tags": [ "vb.cu", "dns.google", "no.ip", "gvt1.com", "whitelisted ip's = big problems when DNS is controlled by threat" ], "references": [ "Chrstmas morning when you cant even look at your kids" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "nUFS_svfohigh", "display_name": "nUFS_svfohigh", "target": null }, { "id": "nUFS_7z", "display_name": "nUFS_7z", "target": null }, { "id": "KnownMaliciousObfuscation", "display_name": "KnownMaliciousObfuscation", "target": null }, { "id": "ConventionEngine_Term_Users", "display_name": "ConventionEngine_Term_Users", "target": null }, { "id": "Virus:Win32/Neverdie", "display_name": "Virus:Win32/Neverdie", "target": "/malware/Virus:Win32/Neverdie" }, { "id": "Virus:Win32/Nabucur", "display_name": "Virus:Win32/Nabucur", "target": "/malware/Virus:Win32/Nabucur" }, { "id": "APT Ransomware v.2", "display_name": "APT Ransomware v.2", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 224, "URL": 598, "hostname": 222, "FileHash-SHA256": 756, "FileHash-MD5": 14, "FileHash-SHA1": 14 }, "indicator_count": 1828, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "1223 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://cpcontacts.dgpanama.net", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://cpcontacts.dgpanama.net", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780275247.77681 }