{ "type": "URL", "indicator": "https://github.com/0x09AL/RdpThief", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://github.com/0x09AL/RdpThief", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #87", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #560", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain github.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain github.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3582903190, "indicator": "https://github.com/0x09AL/RdpThief", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "63653bcec80ebd4a22494682", "name": "OPERA1ER: Playing God without permission", "description": "", "modified": "2022-12-04T16:04:57.030000", "created": "2022-11-04T16:20:30.465000", "tags": [ "cobalt strike", "wsh", "nanocore", "netbouncer uk1", "god without", "permission", "opera1er", "mtnci descr", "indicators of", "netbouncer se1", "mtnci", "date ip", "whois", "date", "swift", "rats", "metasploit", "hworm", "malware", "adwind", "mimikatz", "bloodhound", "sherlock", "remcos", "venom rat", "sharpweb", "info", "anydesk", "powershell", "backend", "execution", "pass", "code", "persistence", "tips", "capture", "team", "payment", "paraguay", "houdini", "netwire", "powersploit", "erebus", "agenttesla", "neutrino", "venomrat", "tools", "rdpwrap", "april", "discord", "service", "webdav", "safetykatz", "psexec", "nanocore rat", "keylogger", "teamviewer", "packer", "autoit", "restrict", "crackmapexec", "attack", "fraud", "threat report", "playing god" ], "references": [ "https://explore.group-ib.com/opera1er-eng/report-opera1er-eng" ], "public": 1, "adversary": "", "targeted_countries": [ "Argentina", "Togo", "Uganda", "Sierra Leone", "Senegal", "Paraguay", "Nigeria", "Niger", "Gabon", "Bangladesh", "Cameroon", "Burkina Faso", "Mali" ], "malware_families": [ { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "WSH", "display_name": "WSH", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1006", "name": "Direct Volume Access", "display_name": "T1006 - Direct Volume Access" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1025", "name": "Data from Removable Media", "display_name": "T1025 - Data from Removable Media" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "display_name": "T1037 - Boot or Logon Initialization Scripts" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1052", "name": "Exfiltration Over Physical Medium", "display_name": "T1052 - Exfiltration Over Physical Medium" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1092", "name": "Communication Through Removable Media", "display_name": "T1092 - Communication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1097", "name": "Pass the Ticket", "display_name": "T1097 - Pass the Ticket" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1187", "name": "Forced Authentication", "display_name": "T1187 - Forced Authentication" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1200", "name": "Hardware Additions", "display_name": "T1200 - Hardware Additions" }, { "id": "T1201", "name": "Password Policy Discovery", "display_name": "T1201 - Password Policy Discovery" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1216", "name": "Signed Script Proxy Execution", "display_name": "T1216 - Signed Script Proxy Execution" }, { "id": "T1217", "name": "Browser Bookmark Discovery", "display_name": "T1217 - Browser Bookmark Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1220", "name": "XSL Script Processing", "display_name": "T1220 - XSL Script Processing" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1484", "name": "Domain Policy Modification", "display_name": "T1484 - Domain Policy Modification" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1526", "name": "Cloud Service Discovery", "display_name": "T1526 - Cloud Service Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1531", "name": "Account Access Removal", "display_name": "T1531 - Account Access Removal" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1535", "name": "Unused/Unsupported Cloud Regions", "display_name": "T1535 - Unused/Unsupported Cloud Regions" }, { "id": "T1537", "name": "Transfer Data to Cloud Account", "display_name": "T1537 - Transfer Data to Cloud Account" }, { "id": "T1538", "name": "Cloud Service Dashboard", "display_name": "T1538 - Cloud Service Dashboard" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1565", "name": "Data Manipulation", "display_name": "T1565 - Data Manipulation" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1578", "name": "Modify Cloud Compute Infrastructure", "display_name": "T1578 - Modify Cloud Compute Infrastructure" }, { "id": "T1580", "name": "Cloud Infrastructure Discovery", "display_name": "T1580 - Cloud Infrastructure Discovery" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1593", "name": "Search Open Websites/Domains", "display_name": "T1593 - Search Open Websites/Domains" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1596", "name": "Search Open Technical Databases", "display_name": "T1596 - Search Open Technical Databases" }, { "id": "T1597", "name": "Search Closed Sources", "display_name": "T1597 - Search Closed Sources" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1599", "name": "Network Boundary Bridging", "display_name": "T1599 - Network Boundary Bridging" }, { "id": "T1600", "name": "Weaken Encryption", "display_name": "T1600 - Weaken Encryption" }, { "id": "T1601", "name": "Modify System Image", "display_name": "T1601 - Modify System Image" }, { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1606", "name": "Forge Web Credentials", "display_name": "T1606 - Forge Web Credentials" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1610", "name": "Deploy Container", "display_name": "T1610 - Deploy Container" }, { "id": "T1611", "name": "Escape to Host", "display_name": "T1611 - Escape to Host" }, { "id": "T1612", "name": "Build Image on Host", "display_name": "T1612 - Build Image on Host" }, { "id": "T1613", "name": "Container and Resource Discovery", "display_name": "T1613 - Container and Resource Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [ "Telecom", "Financial", "Banking", "Banks" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "FileHash-MD5": 151, "FileHash-SHA1": 19, "FileHash-SHA256": 19, "CVE": 3, "domain": 18, "email": 4, "hostname": 80 }, "indicator_count": 310, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "1273 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://explore.group-ib.com/opera1er-eng/report-opera1er-eng" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Wsh", "Cobalt strike", "Nanocore" ], "industries": [ "Banks", "Banking", "Telecom", "Financial" ], "unique_indicators": 460 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/github.com", "whois": "http://whois.domaintools.com/github.com", "domain": "github.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "63653bcec80ebd4a22494682", "name": "OPERA1ER: Playing God without permission", "description": "", "modified": "2022-12-04T16:04:57.030000", "created": "2022-11-04T16:20:30.465000", "tags": [ "cobalt strike", "wsh", "nanocore", "netbouncer uk1", "god without", "permission", "opera1er", "mtnci descr", "indicators of", "netbouncer se1", "mtnci", "date ip", "whois", "date", "swift", "rats", "metasploit", "hworm", "malware", "adwind", "mimikatz", "bloodhound", "sherlock", "remcos", "venom rat", "sharpweb", "info", "anydesk", "powershell", "backend", "execution", "pass", "code", "persistence", "tips", "capture", "team", "payment", "paraguay", "houdini", "netwire", "powersploit", "erebus", "agenttesla", "neutrino", "venomrat", "tools", "rdpwrap", "april", "discord", "service", "webdav", "safetykatz", "psexec", "nanocore rat", "keylogger", "teamviewer", "packer", "autoit", "restrict", "crackmapexec", "attack", "fraud", "threat report", "playing god" ], "references": [ "https://explore.group-ib.com/opera1er-eng/report-opera1er-eng" ], "public": 1, "adversary": "", "targeted_countries": [ "Argentina", "Togo", "Uganda", "Sierra Leone", "Senegal", "Paraguay", "Nigeria", "Niger", "Gabon", "Bangladesh", "Cameroon", "Burkina Faso", "Mali" ], "malware_families": [ { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "WSH", "display_name": "WSH", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1006", "name": "Direct Volume Access", "display_name": "T1006 - Direct Volume Access" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1025", "name": "Data from Removable Media", "display_name": "T1025 - Data from Removable Media" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "display_name": "T1037 - Boot or Logon Initialization Scripts" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1052", "name": "Exfiltration Over Physical Medium", "display_name": "T1052 - Exfiltration Over Physical Medium" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1072", "name": "Software Deployment Tools", "display_name": "T1072 - Software Deployment Tools" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1092", "name": "Communication Through Removable Media", "display_name": "T1092 - Communication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1097", "name": "Pass the Ticket", "display_name": "T1097 - Pass the Ticket" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1187", "name": "Forced Authentication", "display_name": "T1187 - Forced Authentication" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1200", "name": "Hardware Additions", "display_name": "T1200 - Hardware Additions" }, { "id": "T1201", "name": "Password Policy Discovery", "display_name": "T1201 - Password Policy Discovery" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1216", "name": "Signed Script Proxy Execution", "display_name": "T1216 - Signed Script Proxy Execution" }, { "id": "T1217", "name": "Browser Bookmark Discovery", "display_name": "T1217 - Browser Bookmark Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1220", "name": "XSL Script Processing", "display_name": "T1220 - XSL Script Processing" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1484", "name": "Domain Policy Modification", "display_name": "T1484 - Domain Policy Modification" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1526", "name": "Cloud Service Discovery", "display_name": "T1526 - Cloud Service Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1531", "name": "Account Access Removal", "display_name": "T1531 - Account Access Removal" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1535", "name": "Unused/Unsupported Cloud Regions", "display_name": "T1535 - Unused/Unsupported Cloud Regions" }, { "id": "T1537", "name": "Transfer Data to Cloud Account", "display_name": "T1537 - Transfer Data to Cloud Account" }, { "id": "T1538", "name": "Cloud Service Dashboard", "display_name": "T1538 - Cloud Service Dashboard" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1556", "name": "Modify Authentication Process", "display_name": "T1556 - Modify Authentication Process" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1565", "name": "Data Manipulation", "display_name": "T1565 - Data Manipulation" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1578", "name": "Modify Cloud Compute Infrastructure", "display_name": "T1578 - Modify Cloud Compute Infrastructure" }, { "id": "T1580", "name": "Cloud Infrastructure Discovery", "display_name": "T1580 - Cloud Infrastructure Discovery" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1593", "name": "Search Open Websites/Domains", "display_name": "T1593 - Search Open Websites/Domains" }, { "id": "T1594", "name": "Search Victim-Owned Websites", "display_name": "T1594 - Search Victim-Owned Websites" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1596", "name": "Search Open Technical Databases", "display_name": "T1596 - Search Open Technical Databases" }, { "id": "T1597", "name": "Search Closed Sources", "display_name": "T1597 - Search Closed Sources" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1599", "name": "Network Boundary Bridging", "display_name": "T1599 - Network Boundary Bridging" }, { "id": "T1600", "name": "Weaken Encryption", "display_name": "T1600 - Weaken Encryption" }, { "id": "T1601", "name": "Modify System Image", "display_name": "T1601 - Modify System Image" }, { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1606", "name": "Forge Web Credentials", "display_name": "T1606 - Forge Web Credentials" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1610", "name": "Deploy Container", "display_name": "T1610 - Deploy Container" }, { "id": "T1611", "name": "Escape to Host", "display_name": "T1611 - Escape to Host" }, { "id": "T1612", "name": "Build Image on Host", "display_name": "T1612 - Build Image on Host" }, { "id": "T1613", "name": "Container and Resource Discovery", "display_name": "T1613 - Container and Resource Discovery" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [ "Telecom", "Financial", "Banking", "Banks" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 16, "FileHash-MD5": 151, "FileHash-SHA1": 19, "FileHash-SHA256": 19, "CVE": 3, "domain": 18, "email": 4, "hostname": 80 }, "indicator_count": 310, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "1273 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://github.com/0x09AL/RdpThief", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://github.com/0x09AL/RdpThief", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780242957.2300313 }