{ "type": "URL", "indicator": "https://insights.sb1.autonomic.ai", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://insights.sb1.autonomic.ai", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3393640283, "indicator": "https://insights.sb1.autonomic.ai", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "663b59a5514fcb2c423206b8", "name": "bountyrummy.net", "description": "Fount in RagnarLocker ransomware pulse.\nBounty on targeted individual. Identified as malicious via other security vendors. OTX tool not identifying malware, ransomware, encrypted files. \nI have not become familiar with LevelBlue/Labs. I can't give much commentary except: esurance.com, add target command, frontrangek9academy.com seem concerning. Name of target and removed during extraction. Needs further research", "modified": "2024-06-07T10:00:39.731000", "created": "2024-05-08T10:53:25.278000", "tags": [ "united", "search", "entries", "as62597", "creation date", "record value", "dnssec", "showing", "aaaa", "unknown", "meta", "ffcdcb", "france unknown", "xmlns http", "date", "referrer", "historical ssl", "apt ip", "address list", "ip block", "formbook", "dns replication", "technology", "subdomains", "whois lookups", "certificates", "first", "graph summary", "google", "record type", "ttl value", "data", "v3 serial", "number", "cus ogoogle", "trust" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 57, "domain": 993, "email": 1, "hostname": 780, "URL": 1383, "FileHash-SHA256": 674, "FileHash-SHA1": 55, "CVE": 1 }, "indicator_count": 3944, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62280bb2008d7dee8fe905f3", "name": "#039;productfirefox-latest-ssloswin64langen-US&", "description": "", "modified": "2022-04-07T00:04:02.553000", "created": "2022-03-09T02:06:42.803000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "memoryfile scan", "ansi", "dropped file", "unicode", "runtime data", "threat level", "raw size", "virtual address", "virtual size", "sha256", "date", "mozilla", "win64", "accept", "suspicious", "updater", "glue", "locale", "install", "hybrid", "general", "malicious", "close", "click", "hosts", "baop", "union", "strings", "stop" ], "references": [ "https://hybrid-analysis.com/sample/131010821b48a065510fe549e686fdf0ddb1119677e6eabdb025ded0c8bfe70f/61e66f38ad324c267042213a", "http://detectportal.firefox.com/vkwf.txt.exe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 198, "URL": 451, "domain": 66, "FileHash-SHA256": 250, "FileHash-MD5": 273, "FileHash-SHA1": 81, "SSLCertFingerprint": 3, "email": 3 }, "indicator_count": 1325, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1518 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://detectportal.firefox.com/vkwf.txt.exe", "https://hybrid-analysis.com/sample/131010821b48a065510fe549e686fdf0ddb1119677e6eabdb025ded0c8bfe70f/61e66f38ad324c267042213a" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 5324 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/autonomic.ai", "whois": "http://whois.domaintools.com/autonomic.ai", "domain": "autonomic.ai", "hostname": "insights.sb1.autonomic.ai" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "663b59a5514fcb2c423206b8", "name": "bountyrummy.net", "description": "Fount in RagnarLocker ransomware pulse.\nBounty on targeted individual. Identified as malicious via other security vendors. OTX tool not identifying malware, ransomware, encrypted files. \nI have not become familiar with LevelBlue/Labs. I can't give much commentary except: esurance.com, add target command, frontrangek9academy.com seem concerning. Name of target and removed during extraction. Needs further research", "modified": "2024-06-07T10:00:39.731000", "created": "2024-05-08T10:53:25.278000", "tags": [ "united", "search", "entries", "as62597", "creation date", "record value", "dnssec", "showing", "aaaa", "unknown", "meta", "ffcdcb", "france unknown", "xmlns http", "date", "referrer", "historical ssl", "apt ip", "address list", "ip block", "formbook", "dns replication", "technology", "subdomains", "whois lookups", "certificates", "first", "graph summary", "google", "record type", "ttl value", "data", "v3 serial", "number", "cus ogoogle", "trust" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 57, "domain": 993, "email": 1, "hostname": 780, "URL": 1383, "FileHash-SHA256": 674, "FileHash-SHA1": 55, "CVE": 1 }, "indicator_count": 3944, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "726 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62280bb2008d7dee8fe905f3", "name": "#039;productfirefox-latest-ssloswin64langen-US&", "description": "", "modified": "2022-04-07T00:04:02.553000", "created": "2022-03-09T02:06:42.803000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "memoryfile scan", "ansi", "dropped file", "unicode", "runtime data", "threat level", "raw size", "virtual address", "virtual size", "sha256", "date", "mozilla", "win64", "accept", "suspicious", "updater", "glue", "locale", "install", "hybrid", "general", "malicious", "close", "click", "hosts", "baop", "union", "strings", "stop" ], "references": [ "https://hybrid-analysis.com/sample/131010821b48a065510fe549e686fdf0ddb1119677e6eabdb025ded0c8bfe70f/61e66f38ad324c267042213a", "http://detectportal.firefox.com/vkwf.txt.exe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 198, "URL": 451, "domain": 66, "FileHash-SHA256": 250, "FileHash-MD5": 273, "FileHash-SHA1": 81, "SSLCertFingerprint": 3, "email": 3 }, "indicator_count": 1325, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1518 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://insights.sb1.autonomic.ai", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://insights.sb1.autonomic.ai", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780504790.317667 }