{ "type": "URL", "indicator": "https://github.com/stefanpejcic/wordpress-malware", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://github.com/stefanpejcic/wordpress-malware", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #87", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #560", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain github.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain github.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3980925929, "indicator": "https://github.com/stefanpejcic/wordpress-malware", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "66fc82dea97f8a975e6ec46a", "name": "InQuest - 01-10-2024", "description": "", "modified": "2024-10-31T23:03:07.473000", "created": "2024-10-01T23:16:46.447000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 145, "URL": 176, "hostname": 26, "domain": 69, "FileHash-SHA256": 116, "FileHash-SHA1": 11 }, "indicator_count": 543, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "534 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66fb300ca9c368b09a283346", "name": "InQuest - 30-09-2024", "description": "", "modified": "2024-10-30T23:01:43.623000", "created": "2024-09-30T23:11:08.550000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 98, "URL": 234, "domain": 86, "FileHash-SHA256": 93, "FileHash-SHA1": 21, "hostname": 46 }, "indicator_count": 578, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "535 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66f130c6547f970c56c9ebb7", "name": "Twelve: from initial compromise to ransomware and wipers | Securelist", "description": "The Kaspersky security company has identified the Russian cyberattack group Twelve, which was formed in April 2023 and is believed to be active and capable of carrying out a number of high-profile attacks.", "modified": "2024-10-23T09:07:52.333000", "created": "2024-09-23T09:11:34.960000", "tags": [ "crimeware", "hacktivists", "lockbit", "malware", "malware descriptions", "ransomware", "shamoon", "targeted attacks", "trojan", "ttps", "twelve", "wiper", "redacted", "domain", "user", "powershell", "processname", "logtime", "taskcachetasks", "unified kill", "permissions", "cobalt strike", "bloodhound", "powerview", "psexec", "june", "april", "shadow", "comet", "darkstar", "crackmapexec", "facefish", "pass", "xenarmor", "sandbox", "execution", "encrypt", "stop", "verify", "chaos" ], "references": [ "https://securelist.com/twelve-group-unified-kill-chain/113877/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Wiper", "display_name": "Wiper", "target": null }, { "id": "wiper", "display_name": "wiper", "target": null } ], "attack_ids": [ { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7, "CVE": 2, "FileHash-MD5": 23, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "domain": 3 }, "indicator_count": 43, "is_author": false, "is_subscribing": null, "subscriber_count": 846, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://securelist.com/twelve-group-unified-kill-chain/113877/", "https://labs.inquest.net/iocdb" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Wiper", "Cobalt strike" ], "industries": [ "Government" ], "unique_indicators": 818 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/github.com", "whois": "http://whois.domaintools.com/github.com", "domain": "github.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "66fc82dea97f8a975e6ec46a", "name": "InQuest - 01-10-2024", "description": "", "modified": "2024-10-31T23:03:07.473000", "created": "2024-10-01T23:16:46.447000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 145, "URL": 176, "hostname": 26, "domain": 69, "FileHash-SHA256": 116, "FileHash-SHA1": 11 }, "indicator_count": 543, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "534 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66fb300ca9c368b09a283346", "name": "InQuest - 30-09-2024", "description": "", "modified": "2024-10-30T23:01:43.623000", "created": "2024-09-30T23:11:08.550000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 98, "URL": 234, "domain": 86, "FileHash-SHA256": 93, "FileHash-SHA1": 21, "hostname": 46 }, "indicator_count": 578, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "535 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66f130c6547f970c56c9ebb7", "name": "Twelve: from initial compromise to ransomware and wipers | Securelist", "description": "The Kaspersky security company has identified the Russian cyberattack group Twelve, which was formed in April 2023 and is believed to be active and capable of carrying out a number of high-profile attacks.", "modified": "2024-10-23T09:07:52.333000", "created": "2024-09-23T09:11:34.960000", "tags": [ "crimeware", "hacktivists", "lockbit", "malware", "malware descriptions", "ransomware", "shamoon", "targeted attacks", "trojan", "ttps", "twelve", "wiper", "redacted", "domain", "user", "powershell", "processname", "logtime", "taskcachetasks", "unified kill", "permissions", "cobalt strike", "bloodhound", "powerview", "psexec", "june", "april", "shadow", "comet", "darkstar", "crackmapexec", "facefish", "pass", "xenarmor", "sandbox", "execution", "encrypt", "stop", "verify", "chaos" ], "references": [ "https://securelist.com/twelve-group-unified-kill-chain/113877/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Wiper", "display_name": "Wiper", "target": null }, { "id": "wiper", "display_name": "wiper", "target": null } ], "attack_ids": [ { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7, "CVE": 2, "FileHash-MD5": 23, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "domain": 3 }, "indicator_count": 43, "is_author": false, "is_subscribing": null, "subscriber_count": 846, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://github.com/stefanpejcic/wordpress-malware", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://github.com/stefanpejcic/wordpress-malware", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776616679.1151175 }