{ "type": "URL", "indicator": "https://eeatgoodx.com/gSyTvKB9", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://eeatgoodx.com/gSyTvKB9", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3850068650, "indicator": "https://eeatgoodx.com/gSyTvKB9", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "65e5f98bcf1c1fb3bb31a70c", "name": "New Wave of Infections Impersonates WordPress Plugins", "description": "A recent wave of SocGholish malware infections has been targeting WordPress websites by compromising administrator accounts and uploading fake versions of legitimate plugins containing malicious code. The malware tricks users into downloading remote access trojans leading to ransomware attacks.", "modified": "2024-03-04T16:49:29.065000", "created": "2024-03-04T16:40:43.985000", "tags": [ "remote access trojan", "compromised credentials", "socgholish", "malicious wordpress plugins" ], "references": [ "https://blog.sucuri.net/2024/03/new-wave-of-socgholish-infections-impersonates-wordpress-plugins.html" ], "public": 1, "adversary": "SocGholish", "targeted_countries": [], "malware_families": [ { "id": "SocGholish", "display_name": "SocGholish", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 344, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 4, "domain": 3 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 386970, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "679ab327b4f3de496118df4d", "name": "http://185.81.68.156/bin/bot64.bin", "description": "https://www.virustotal.com/gui/url/05ab194727e8a1832ec7ff494462427a2f16525f79960996cebdb56d743adef6/details", "modified": "2025-01-29T23:00:55.497000", "created": "2025-01-29T23:00:55.497000", "tags": [ "detects", "roth", "program", "files", "xored keyword", "xor key", "sentinel labs", "filter", "norton", "security", "win32", "kopiuj md5", "kopiuj sha1", "skopiuj sha256", "rozmiar", "opis plik", "pe32", "ms windows", "sha256", "sha1", "proces", "ssdeep", "r1 zrzut", "zapytanie", "zasilane przez" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 59, "URL": 1769, "FileHash-SHA256": 218, "YARA": 1, "hostname": 820, "FileHash-MD5": 70, "FileHash-SHA1": 69, "domain": 706, "email": 2 }, "indicator_count": 3714, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "488 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://blog.sucuri.net/2024/03/new-wave-of-socgholish-infections-impersonates-wordpress-plugins.html" ], "related": { "alienvault": { "adversary": [ "SocGholish" ], "malware_families": [ "Socgholish" ], "industries": [], "unique_indicators": 8 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 3714 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/eeatgoodx.com", "whois": "http://whois.domaintools.com/eeatgoodx.com", "domain": "eeatgoodx.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "65e5f98bcf1c1fb3bb31a70c", "name": "New Wave of Infections Impersonates WordPress Plugins", "description": "A recent wave of SocGholish malware infections has been targeting WordPress websites by compromising administrator accounts and uploading fake versions of legitimate plugins containing malicious code. The malware tricks users into downloading remote access trojans leading to ransomware attacks.", "modified": "2024-03-04T16:49:29.065000", "created": "2024-03-04T16:40:43.985000", "tags": [ "remote access trojan", "compromised credentials", "socgholish", "malicious wordpress plugins" ], "references": [ "https://blog.sucuri.net/2024/03/new-wave-of-socgholish-infections-impersonates-wordpress-plugins.html" ], "public": 1, "adversary": "SocGholish", "targeted_countries": [], "malware_families": [ { "id": "SocGholish", "display_name": "SocGholish", "target": null } ], "attack_ids": [ { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 344, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 4, "domain": 3 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 386970, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "679ab327b4f3de496118df4d", "name": "http://185.81.68.156/bin/bot64.bin", "description": "https://www.virustotal.com/gui/url/05ab194727e8a1832ec7ff494462427a2f16525f79960996cebdb56d743adef6/details", "modified": "2025-01-29T23:00:55.497000", "created": "2025-01-29T23:00:55.497000", "tags": [ "detects", "roth", "program", "files", "xored keyword", "xor key", "sentinel labs", "filter", "norton", "security", "win32", "kopiuj md5", "kopiuj sha1", "skopiuj sha256", "rozmiar", "opis plik", "pe32", "ms windows", "sha256", "sha1", "proces", "ssdeep", "r1 zrzut", "zapytanie", "zasilane przez" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 59, "URL": 1769, "FileHash-SHA256": 218, "YARA": 1, "hostname": 820, "FileHash-MD5": 70, "FileHash-SHA1": 69, "domain": 706, "email": 2 }, "indicator_count": 3714, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "488 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://eeatgoodx.com/gSyTvKB9", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://eeatgoodx.com/gSyTvKB9", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780441238.0275145 }