{ "type": "URL", "indicator": "https://firstclassbale.com/python/unzip.bat", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://firstclassbale.com/python/unzip.bat", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3653194659, "indicator": "https://firstclassbale.com/python/unzip.bat", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "66dafec6fc6cae465ed44fdf", "name": "URLhaus Country Feed (Canada) enriched", "description": "", "modified": "2025-06-18T23:40:53.759000", "created": "2024-09-06T13:08:22.353000", "tags": [], "references": [ "https://urlhaus.abuse.ch/feeds/country/CA/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 3, "URL": 83203, "domain": 26579, "email": 1, "hostname": 40137, "FileHash-SHA256": 5936, "CVE": 6 }, "indicator_count": 155869, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "347 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654b2c6f971085c27db41ca1", "name": "Recorded Future: ALPHV Ransomware Group (BlackCat Ransomware Group)", "description": "", "modified": "2023-12-03T09:42:21.582000", "created": "2023-11-08T06:36:31.780000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "akhanafeer", "id": "195327", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 37, "FileHash-SHA256": 24, "URL": 9, "domain": 105, "hostname": 4 }, "indicator_count": 197, "is_author": false, "is_subscribing": null, "subscriber_count": 73, "modified_text": "911 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c3a500ebcae1f70b0edce4", "name": "Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator", "description": "Malvertising, spy boy Terminator and Trojan backdoors are all part of the same code used in the latest spy-hunting campaign, as revealed in a series of tweets by the BBC's Panorama programme.", "modified": "2023-08-27T11:04:21.859000", "created": "2023-07-28T11:22:40.557000", "tags": [ "c server", "disease vector", "cobeacon c2", "entry vector", "blackcat", "actors", "leverage spyboy", "terminator", "file iocs", "network iocs", "trojanspy" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt", "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 39, "FileHash-MD5": 16, "FileHash-SHA1": 105, "FileHash-SHA256": 15, "domain": 14, "hostname": 5 }, "indicator_count": 194, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1008 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c2d7f938ef9c14141e3756", "name": "Malvertising as Entry Vector for BlackCat/AlphV - \"Nitrogen\" - TrendMicro", "description": "Early detection of \"Nitrogen\" malware (Initial access) before it was being called that. This mostly covers the infection chain to BlackCat/AlphV.\nFrom TrendMicro - end of June 2023\nMalvertising, spy boy Terminator and Trojan backdoors\nhttps://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html", "modified": "2023-08-26T20:00:35.013000", "created": "2023-07-27T20:47:53.681000", "tags": [ "c server", "disease vector", "cobeacon c2", "entry vector", "blackcat", "leverage spyboy", "terminator", "file iocs", "network iocs", "trojanspy", "nitrogen", "initial access" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt", "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "nitrogen", "display_name": "nitrogen", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Techronik", "id": "114546", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 16, "FileHash-SHA1": 105, "FileHash-SHA256": 15, "domain": 14, "hostname": 5 }, "indicator_count": 193, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "1009 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64abcf295128ce503f9b2205", "name": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads", "description": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads", "modified": "2023-08-09T09:03:18.084000", "created": "2023-07-10T09:28:09.621000", "tags": [], "references": [ "IOCs BlackCat Ransowmare.txt" ], "public": 1, "adversary": "BlackCat ransomware", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MarinaDiamandis", "id": "206809", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 1, "domain": 14, "hostname": 3 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 64, "modified_text": "1027 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64a41923b86541fbd482f357", "name": "Advisory Report for BlackCat Distributing Ransomware Disguised as WinSCP", "description": "The BlackCat ransomware group is running malvertizing campaigns to lure people into fake pages that mimic the official website of the WinSCP file-transfer application for Windows but instead push malware-ridden installers.\nThese are security recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks.", "modified": "2023-08-03T12:02:23.844000", "created": "2023-07-04T13:05:39.851000", "tags": [ "iocs" ], "references": [ "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 16, "FileHash-SHA1": 105, "FileHash-SHA256": 15, "domain": 14, "hostname": 3 }, "indicator_count": 191, "is_author": false, "is_subscribing": null, "subscriber_count": 107, "modified_text": "1032 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64a28f2725df6a0834cb9f44", "name": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads", "description": "Malvertising, spy boy Terminator and Trojan backdoors are all part of the same code used in the latest spy-hunting campaign, as revealed in a series of tweets by the BBC's Panorama programme.", "modified": "2023-08-02T09:04:51.419000", "created": "2023-07-03T09:04:39.961000", "tags": [ "trojanspy", "c server", "disease vector", "cobeacon c2", "entry vector", "blackcat", "actors", "leverage spyboy", "terminator", "file iocs", "network iocs" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "parvesh4399", "id": "224939", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 3, "FileHash-SHA1": 98, "FileHash-SHA256": 9, "domain": 14, "hostname": 5 }, "indicator_count": 167, "is_author": false, "is_subscribing": null, "subscriber_count": 56, "modified_text": "1034 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64bf65b8f4a350229b91e306", "name": "BlackCAT\u52d2\u7d22\u8f6f\u4ef6\u6b63\u5728\u901a\u8fc7\u865a\u5047\u5e7f\u544a\u8fdb\u884c\u4f20\u64ad", "description": "\u6700\u8fd1\uff0c\u8d8b\u52bf\u79d1\u6280\uff08Trend Micro\uff09\u7684\u4e8b\u4ef6\u54cd\u5e94\u56e2\u961f\u901a\u8fc7\u201cTargeted Attack Detection (TAD)\u201d\u670d\u52a1\u53d1\u73b0\u4e86\u4e00\u4e2a\u6709\u9488\u5bf9\u6027\u7684\u7ec4\u7ec7\uff0c\u5176\u906d\u53d7\u9ad8\u5ea6\u53ef\u7591\u7684\u6d3b\u52a8\u3002\u5728\u8c03\u67e5\u4e2d\uff0c\u9ed1\u5ba2\u4f7f\u7528\u865a\u5047\u7f51\u7ad9\u7684\u6076\u610f\u5e7f\u544a\u6765\u901a\u8fc7\u514b\u9686\u5408\u6cd5\u7ec4\u7ec7\u7684\u9875\u9762\u4f20\u64ad\u6076\u610f\u8f6f\u4ef6\u3002\u5728\u8fd9\u4e2a\u6848\u4f8b\u4e2d\uff0c\u4f20\u64ad\u6d89\u53ca\u4e86\u4e00\u4e2a\u8457\u540d\u5e94\u7528\u7a0b\u5e8fWinSCP\u7684\u9875\u9762\uff0c\u8be5\u5e94\u7528\u7a0b\u5e8f\u662f\u7528\u4e8eWindows\u6587\u4ef6\u4f20\u8f93\u7684\u5f00\u6e90\u8f6f\u4ef6\u3002\u50cf\u8c37\u6b4c\u5e7f\u544a\u7b49\u5e7f\u544a\u5e73\u53f0\u4f7f\u4f01\u4e1a\u53ef\u4ee5\u5411\u76ee\u6807\u53d7\u4f17\u5c55\u793a\u5e7f\u544a\uff0c\u4ee5\u589e\u52a0\u6d41\u91cf\u548c\u9500\u552e\u3002\u6076\u610f\u8f6f\u4ef6\u5206\u53d1\u8005\u5229\u7528\u76f8\u540c\u7684\u529f\u80fd\u8fdb\u884c\u6076\u610f\u5e7f\u544a\u4f20\u64ad\uff0c\u8fd9\u79cd\u6280\u672f\u88ab\u79f0\u4e3a\u6076\u610f\u5e7f\u544a\uff08malvertising\uff09\uff0c\u5728\u5176\u4e2d\u9009\u62e9\u7684\u5173\u952e\u5b57\u88ab\u52ab\u6301\u7528\u4e8e\u663e\u793a\u5f15\u8bf1\u4e0d\u77e5\u60c5\u7684\u641c\u7d22\u5f15\u64ce\u7528\u6237\u4e0b\u8f7d\u67d0\u79cd\u7c7b\u578b\u7684\u6076\u610f\u8f6f\u4ef6\u7684\u5e7f\u544a\u3002", "modified": "2023-07-25T06:03:36.712000", "created": "2023-07-25T06:03:36.712000", "tags": [ "HotSpot" ], "references": [ "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "BlackCAT", "display_name": "BlackCAT", "target": null } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "junchuanyang1", "id": "157561", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157561/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 51, "hostname": 1, "FileHash-MD5": 16, "FileHash-SHA1": 105, "FileHash-SHA256": 15, "domain": 4 }, "indicator_count": 192, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "1042 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6424c7bd67afc87a189ab8e8", "name": "URLHaus data - 29-03-2023", "description": "", "modified": "2023-04-28T23:07:42.072000", "created": "2023-03-29T23:20:29.502000", "tags": [ "32-bit", "arm", "elf", "Mozi", "mips", "hajime", "mirai", "gafgyt", "ASPXAESWebShell", "PowerShellSMTPKeyLogger", "exe", "njRAT", "dropped-by-amadey", "PowerShellDiscordKeyLogger", "ascii", "powershell", "ps", "opendir", "SnakeKeylogger", "hta", "BRA", "geo", "Grandoreiro", "zip", "RemcosRAT", "Formbook", "Malvertising", "RedLineStealer", "dll", "Stealc", "32", "1212", "Password-protected", "rar", "draw", "1234", "7z", "2022", "PowerShellDiscordScreenStealer", "BatchDropperMEMZ", "agenziaentrate", "geofenced", "Gozi", "ISFB", "ITA", "plugin", "ursnif", "MEF", "MISE", "encrypted", "rat", "AgentTesla", "LummaStealer", "pw-2022", "pw-2023", "ransomware", "cobalstrike", "CobaltStrike", "AuroraStealer", "pw-123" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "domain": 9, "hostname": 7 }, "indicator_count": 1016, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1129 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6421bba262d3223b6ee2fad2", "name": "Cobalt Strike Payload", "description": "Cobalt Strike payload delivery.", "modified": "2023-03-28T23:08:44.056000", "created": "2023-03-27T15:52:02.150000", "tags": [ "x00x00x00s", "xdcx9axd1" ], "references": [ "https://firstclassbale.com/python/pp3.py" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "serviceitsecurity", "id": "166084", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 0, "modified_text": "1160 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://firstclassbale.com/python/pp3.py", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt", "IOCs BlackCat Ransowmare.txt", "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html", "https://urlhaus.abuse.ch/feeds/country/CA/", "https://urlhaus.abuse.ch/browse/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "BlackCat ransomware" ], "malware_families": [ "Trojanspy", "Nitrogen", "Cobalt strike", "Blackcat" ], "industries": [], "unique_indicators": 162268 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/firstclassbale.com", "whois": "http://whois.domaintools.com/firstclassbale.com", "domain": "firstclassbale.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "66dafec6fc6cae465ed44fdf", "name": "URLhaus Country Feed (Canada) enriched", "description": "", "modified": "2025-06-18T23:40:53.759000", "created": "2024-09-06T13:08:22.353000", "tags": [], "references": [ "https://urlhaus.abuse.ch/feeds/country/CA/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 3, "URL": 83203, "domain": 26579, "email": 1, "hostname": 40137, "FileHash-SHA256": 5936, "CVE": 6 }, "indicator_count": 155869, "is_author": false, "is_subscribing": null, "subscriber_count": 198, "modified_text": "347 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "654b2c6f971085c27db41ca1", "name": "Recorded Future: ALPHV Ransomware Group (BlackCat Ransomware Group)", "description": "", "modified": "2023-12-03T09:42:21.582000", "created": "2023-11-08T06:36:31.780000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "akhanafeer", "id": "195327", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 37, "FileHash-SHA256": 24, "URL": 9, "domain": 105, "hostname": 4 }, "indicator_count": 197, "is_author": false, "is_subscribing": null, "subscriber_count": 73, "modified_text": "911 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c3a500ebcae1f70b0edce4", "name": "Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator", "description": "Malvertising, spy boy Terminator and Trojan backdoors are all part of the same code used in the latest spy-hunting campaign, as revealed in a series of tweets by the BBC's Panorama programme.", "modified": "2023-08-27T11:04:21.859000", "created": "2023-07-28T11:22:40.557000", "tags": [ "c server", "disease vector", "cobeacon c2", "entry vector", "blackcat", "actors", "leverage spyboy", "terminator", "file iocs", "network iocs", "trojanspy" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt", "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 39, "FileHash-MD5": 16, "FileHash-SHA1": 105, "FileHash-SHA256": 15, "domain": 14, "hostname": 5 }, "indicator_count": 194, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1008 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64c2d7f938ef9c14141e3756", "name": "Malvertising as Entry Vector for BlackCat/AlphV - \"Nitrogen\" - TrendMicro", "description": "Early detection of \"Nitrogen\" malware (Initial access) before it was being called that. This mostly covers the infection chain to BlackCat/AlphV.\nFrom TrendMicro - end of June 2023\nMalvertising, spy boy Terminator and Trojan backdoors\nhttps://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html", "modified": "2023-08-26T20:00:35.013000", "created": "2023-07-27T20:47:53.681000", "tags": [ "c server", "disease vector", "cobeacon c2", "entry vector", "blackcat", "leverage spyboy", "terminator", "file iocs", "network iocs", "trojanspy", "nitrogen", "initial access" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt", "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "nitrogen", "display_name": "nitrogen", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Techronik", "id": "114546", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 16, "FileHash-SHA1": 105, "FileHash-SHA256": 15, "domain": 14, "hostname": 5 }, "indicator_count": 193, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "1009 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64abcf295128ce503f9b2205", "name": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads", "description": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads", "modified": "2023-08-09T09:03:18.084000", "created": "2023-07-10T09:28:09.621000", "tags": [], "references": [ "IOCs BlackCat Ransowmare.txt" ], "public": 1, "adversary": "BlackCat ransomware", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 47, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MarinaDiamandis", "id": "206809", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 1, "domain": 14, "hostname": 3 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 64, "modified_text": "1027 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64a41923b86541fbd482f357", "name": "Advisory Report for BlackCat Distributing Ransomware Disguised as WinSCP", "description": "The BlackCat ransomware group is running malvertizing campaigns to lure people into fake pages that mimic the official website of the WinSCP file-transfer application for Windows but instead push malware-ridden installers.\nThese are security recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks.", "modified": "2023-08-03T12:02:23.844000", "created": "2023-07-04T13:05:39.851000", "tags": [ "iocs" ], "references": [ "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 16, "FileHash-SHA1": 105, "FileHash-SHA256": 15, "domain": 14, "hostname": 3 }, "indicator_count": 191, "is_author": false, "is_subscribing": null, "subscriber_count": 107, "modified_text": "1032 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64a28f2725df6a0834cb9f44", "name": "BlackCat ransomware pushes Cobalt Strike via WinSCP search ads", "description": "Malvertising, spy boy Terminator and Trojan backdoors are all part of the same code used in the latest spy-hunting campaign, as revealed in a series of tweets by the BBC's Panorama programme.", "modified": "2023-08-02T09:04:51.419000", "created": "2023-07-03T09:04:39.961000", "tags": [ "trojanspy", "c server", "disease vector", "cobeacon c2", "entry vector", "blackcat", "actors", "leverage spyboy", "terminator", "file iocs", "network iocs" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "parvesh4399", "id": "224939", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 38, "FileHash-MD5": 3, "FileHash-SHA1": 98, "FileHash-SHA256": 9, "domain": 14, "hostname": 5 }, "indicator_count": 167, "is_author": false, "is_subscribing": null, "subscriber_count": 56, "modified_text": "1034 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64bf65b8f4a350229b91e306", "name": "BlackCAT\u52d2\u7d22\u8f6f\u4ef6\u6b63\u5728\u901a\u8fc7\u865a\u5047\u5e7f\u544a\u8fdb\u884c\u4f20\u64ad", "description": "\u6700\u8fd1\uff0c\u8d8b\u52bf\u79d1\u6280\uff08Trend Micro\uff09\u7684\u4e8b\u4ef6\u54cd\u5e94\u56e2\u961f\u901a\u8fc7\u201cTargeted Attack Detection (TAD)\u201d\u670d\u52a1\u53d1\u73b0\u4e86\u4e00\u4e2a\u6709\u9488\u5bf9\u6027\u7684\u7ec4\u7ec7\uff0c\u5176\u906d\u53d7\u9ad8\u5ea6\u53ef\u7591\u7684\u6d3b\u52a8\u3002\u5728\u8c03\u67e5\u4e2d\uff0c\u9ed1\u5ba2\u4f7f\u7528\u865a\u5047\u7f51\u7ad9\u7684\u6076\u610f\u5e7f\u544a\u6765\u901a\u8fc7\u514b\u9686\u5408\u6cd5\u7ec4\u7ec7\u7684\u9875\u9762\u4f20\u64ad\u6076\u610f\u8f6f\u4ef6\u3002\u5728\u8fd9\u4e2a\u6848\u4f8b\u4e2d\uff0c\u4f20\u64ad\u6d89\u53ca\u4e86\u4e00\u4e2a\u8457\u540d\u5e94\u7528\u7a0b\u5e8fWinSCP\u7684\u9875\u9762\uff0c\u8be5\u5e94\u7528\u7a0b\u5e8f\u662f\u7528\u4e8eWindows\u6587\u4ef6\u4f20\u8f93\u7684\u5f00\u6e90\u8f6f\u4ef6\u3002\u50cf\u8c37\u6b4c\u5e7f\u544a\u7b49\u5e7f\u544a\u5e73\u53f0\u4f7f\u4f01\u4e1a\u53ef\u4ee5\u5411\u76ee\u6807\u53d7\u4f17\u5c55\u793a\u5e7f\u544a\uff0c\u4ee5\u589e\u52a0\u6d41\u91cf\u548c\u9500\u552e\u3002\u6076\u610f\u8f6f\u4ef6\u5206\u53d1\u8005\u5229\u7528\u76f8\u540c\u7684\u529f\u80fd\u8fdb\u884c\u6076\u610f\u5e7f\u544a\u4f20\u64ad\uff0c\u8fd9\u79cd\u6280\u672f\u88ab\u79f0\u4e3a\u6076\u610f\u5e7f\u544a\uff08malvertising\uff09\uff0c\u5728\u5176\u4e2d\u9009\u62e9\u7684\u5173\u952e\u5b57\u88ab\u52ab\u6301\u7528\u4e8e\u663e\u793a\u5f15\u8bf1\u4e0d\u77e5\u60c5\u7684\u641c\u7d22\u5f15\u64ce\u7528\u6237\u4e0b\u8f7d\u67d0\u79cd\u7c7b\u578b\u7684\u6076\u610f\u8f6f\u4ef6\u7684\u5e7f\u544a\u3002", "modified": "2023-07-25T06:03:36.712000", "created": "2023-07-25T06:03:36.712000", "tags": [ "HotSpot" ], "references": [ "https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-leverage-spyboy-terminator-/Malvertising_IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "BlackCAT", "display_name": "BlackCAT", "target": null } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "junchuanyang1", "id": "157561", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157561/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 51, "hostname": 1, "FileHash-MD5": 16, "FileHash-SHA1": 105, "FileHash-SHA256": 15, "domain": 4 }, "indicator_count": 192, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "1042 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6424c7bd67afc87a189ab8e8", "name": "URLHaus data - 29-03-2023", "description": "", "modified": "2023-04-28T23:07:42.072000", "created": "2023-03-29T23:20:29.502000", "tags": [ "32-bit", "arm", "elf", "Mozi", "mips", "hajime", "mirai", "gafgyt", "ASPXAESWebShell", "PowerShellSMTPKeyLogger", "exe", "njRAT", "dropped-by-amadey", "PowerShellDiscordKeyLogger", "ascii", "powershell", "ps", "opendir", "SnakeKeylogger", "hta", "BRA", "geo", "Grandoreiro", "zip", "RemcosRAT", "Formbook", "Malvertising", "RedLineStealer", "dll", "Stealc", "32", "1212", "Password-protected", "rar", "draw", "1234", "7z", "2022", "PowerShellDiscordScreenStealer", "BatchDropperMEMZ", "agenziaentrate", "geofenced", "Gozi", "ISFB", "ITA", "plugin", "ursnif", "MEF", "MISE", "encrypted", "rat", "AgentTesla", "LummaStealer", "pw-2022", "pw-2023", "ransomware", "cobalstrike", "CobaltStrike", "AuroraStealer", "pw-123" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "domain": 9, "hostname": 7 }, "indicator_count": 1016, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1129 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6421bba262d3223b6ee2fad2", "name": "Cobalt Strike Payload", "description": "Cobalt Strike payload delivery.", "modified": "2023-03-28T23:08:44.056000", "created": "2023-03-27T15:52:02.150000", "tags": [ "x00x00x00s", "xdcx9axd1" ], "references": [ "https://firstclassbale.com/python/pp3.py" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "serviceitsecurity", "id": "166084", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 0, "modified_text": "1160 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://firstclassbale.com/python/unzip.bat", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://firstclassbale.com/python/unzip.bat", "type": "URL", "found": true, "verdict": "malicious", "url_status": "offline", "threat": "malware_download", "tags": [ " ransomware", "cobalstrike" ], "date_added": "2023-03-29", "last_online": "2023-05-22", "reporter": "fernandokarl", "host": "firstclassbale.com", "payloads": [ { "filename": null, "file_type": "unknown", "md5": "ba28cbee7b50a1e003ff696cefcc3196", "sha256": "8e5e82ee2b96085b913fcadd661bb6135468fef846ecc6328093e6c9c5c9a959", "signature": null, "first_seen": "2023-03-29" } ], "error": null }, "from_cache": true, "_cached_at": 1780308951.1758637 }