{ "type": "URL", "indicator": "https://intel471.com/blog/privateloader-malware", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://intel471.com/blog/privateloader-malware", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3374724189, "indicator": "https://intel471.com/blog/privateloader-malware", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 14, "pulses": [ { "id": "63aa79605cf34c5c7de853f3", "name": "PrivateLoader PPI Service Found Distributing Info-Stealing RisePro Malware", "description": "", "modified": "2023-01-26T08:01:27.782000", "created": "2022-12-27T04:49:36.764000", "tags": [ "vidar", "risepro", "market", "december", "flashpoint", "privateloader", "arkei", "genesis", "risepro stealer", "telegram", "mars", "saturnwallet", "dlls", "getprocaddress", "zip file", "command", "success", "iocs", "file", "redline", "raccoon", "stealer", "malware", "netbox", "amigo", "atom", "phantom", "bitcoin", "desktop", "download", "code", "screen", "execution" ], "references": [ "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/", "https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/", "https://thehackernews.com/2022/12/privateloader-ppi-service-found.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RisePro", "display_name": "RisePro", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "SaturnWallet", "display_name": "SaturnWallet", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [ "Pharmaceuticals", "Healthcare" ], "TLP": "white", "cloned_from": "63a9c5fe7a5e60c35c27a5fd", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 31, "FileHash-SHA256": 26, "URL": 1, "YARA": 1, "domain": 55, "hostname": 2 }, "indicator_count": 142, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "1221 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63aaad75c49aa08e6a70587b", "name": "PrivateLoader PPI Service Found Distributing Info-Stealing RisePro Malware", "description": "", "modified": "2023-01-26T08:01:27.782000", "created": "2022-12-27T08:31:49.277000", "tags": [ "vidar", "risepro", "market", "december", "flashpoint", "privateloader", "arkei", "genesis", "risepro stealer", "telegram", "mars", "saturnwallet", "dlls", "getprocaddress", "zip file", "command", "success", "iocs", "file", "redline", "raccoon", "stealer", "malware", "netbox", "amigo", "atom", "phantom", "bitcoin", "desktop", "download", "code", "screen", "execution" ], "references": [ "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/", "https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/", "https://thehackernews.com/2022/12/privateloader-ppi-service-found.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RisePro", "display_name": "RisePro", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "SaturnWallet", "display_name": "SaturnWallet", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [ "Pharmaceuticals", "Healthcare" ], "TLP": "white", "cloned_from": "63aa79605cf34c5c7de853f3", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 31, "FileHash-SHA256": 26, "URL": 1, "YARA": 1, "domain": 55, "hostname": 2 }, "indicator_count": 142, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "1221 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63ac0922b9bb35883048770a", "name": "New RisePro Stealer distributed by the prominent PrivateLoader - SEKOIA.IO Blog", "description": "A new type of information stealer, known as RisePro, has been delivered by a well-known loader family, but is not part of the usual RedLine or Raccoon malware family.", "modified": "2022-12-28T09:15:14.073000", "created": "2022-12-28T09:15:14.073000", "tags": [ "risepro", "saturnwallet", "vidar", "privateloader", "dlls", "risepro stealer", "getprocaddress", "zip file", "command", "success", "iocs", "file", "redline", "raccoon", "stealer", "malware", "netbox", "amigo", "atom", "phantom", "bitcoin", "desktop", "download", "code", "screen", "execution" ], "references": [ "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/#h-iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "SaturnWallet", "display_name": "SaturnWallet", "target": null }, { "id": "RisePro", "display_name": "RisePro", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 25, "FileHash-SHA256": 20, "URL": 1, "YARA": 1, "domain": 2, "hostname": 1 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "1250 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63aad6b8b6dfa5d5406e3b0d", "name": "New RisePro Stealer distributed by the prominent PrivateLoader - SEKOIA.IO Blog", "description": "A new type of information stealer, known as RisePro, has been delivered by a well-known loader family, but is not part of the usual RedLine or Raccoon malware family.", "modified": "2022-12-27T11:27:52.234000", "created": "2022-12-27T11:27:52.234000", "tags": [ "vidar", "risepro", "market", "december", "flashpoint", "privateloader", "arkei", "genesis", "risepro stealer", "telegram", "mars", "saturnwallet", "dlls", "getprocaddress", "zip file", "command", "success", "iocs", "file", "redline", "raccoon", "stealer", "malware", "netbox", "amigo", "atom", "phantom", "bitcoin", "desktop", "download", "code", "screen", "execution" ], "references": [ "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/", "https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RisePro", "display_name": "RisePro", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "SaturnWallet", "display_name": "SaturnWallet", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [ "Pharmaceuticals", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jackl3-3", "id": "40027", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 31, "FileHash-SHA256": 26, "URL": 1, "YARA": 1, "domain": 4, "hostname": 1 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 86, "modified_text": "1250 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63aad5ae85f7d712967a50e4", "name": "New RisePro Stealer distributed by the prominent PrivateLoader - SEKOIA.IO Blog", "description": "A new type of information stealer, known as RisePro, has been delivered by a well-known loader family, but is not part of the usual RedLine or Raccoon malware family.", "modified": "2022-12-27T11:23:26.405000", "created": "2022-12-27T11:23:26.405000", "tags": [ "risepro", "saturnwallet", "vidar", "privateloader", "dlls", "risepro stealer", "getprocaddress", "zip file", "command", "success", "iocs", "file", "redline", "raccoon", "stealer", "malware", "netbox", "amigo", "atom", "phantom", "bitcoin", "desktop", "download", "code", "screen", "execution" ], "references": [ "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "SaturnWallet", "display_name": "SaturnWallet", "target": null }, { "id": "RisePro", "display_name": "RisePro", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jackl3-3", "id": "40027", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 25, "FileHash-SHA256": 20, "URL": 1, "YARA": 1, "domain": 2, "hostname": 1 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 86, "modified_text": "1250 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63a9c5fe7a5e60c35c27a5fd", "name": "PrivateLoader PPI Service Found Distributing Info-Stealing RisePro Malware", "description": "The pay-per-install (PPI) malware downloader service known as PrivateLoader is being used to distribute a previously documented information-stealing malware dubbed RisePro.\n\nFlashpoint spotted the newly identified stealer on December 13, 2022, after it discovered \"several sets of logs\" exfiltrated using the malware on an illicit cybercrime marketplace called Russian Market.", "modified": "2022-12-26T16:04:14.771000", "created": "2022-12-26T16:04:14.771000", "tags": [ "vidar", "risepro", "market", "december", "flashpoint", "privateloader", "arkei", "genesis", "risepro stealer", "telegram", "mars", "saturnwallet", "dlls", "getprocaddress", "zip file", "command", "success", "iocs", "file", "redline", "raccoon", "stealer", "malware", "netbox", "amigo", "atom", "phantom", "bitcoin", "desktop", "download", "code", "screen", "execution" ], "references": [ "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/", "https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/", "https://thehackernews.com/2022/12/privateloader-ppi-service-found.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RisePro", "display_name": "RisePro", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "SaturnWallet", "display_name": "SaturnWallet", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [ "Pharmaceuticals", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 294, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 31, "FileHash-SHA256": 26, "URL": 1, "YARA": 1, "domain": 4, "hostname": 1 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 433, "modified_text": "1251 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63a817f6499f27fe3ddbb338", "name": "New RisePro Stealer distributed by the prominent PrivateLoader - SEKOIA.IO Blog", "description": "A new type of information stealer, known as RisePro, has been delivered by a well-known loader family, but is not part of the usual RedLine or Raccoon malware family.", "modified": "2022-12-25T09:29:26.637000", "created": "2022-12-25T09:29:26.637000", "tags": [ "risepro", "saturnwallet", "vidar", "privateloader", "dlls", "risepro stealer", "getprocaddress", "zip file", "command", "success", "iocs", "file", "redline", "raccoon", "stealer", "malware", "netbox", "amigo", "atom", "phantom", "bitcoin", "desktop", "download", "code", "screen", "execution" ], "references": [ "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "SaturnWallet", "display_name": "SaturnWallet", "target": null }, { "id": "RisePro", "display_name": "RisePro", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Sand-Storm", "id": "94093", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_94093/resized/80/avatar_281f69b768.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 25, "FileHash-SHA256": 20, "URL": 1, "YARA": 1, "domain": 2, "hostname": 1 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 414, "modified_text": "1253 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6333783a4bf9f5f4f3d38071", "name": "PrivateLoader: the loader of the prevalent ruzki PPI service -", "description": "A detailed analysis of the PrivateLoader malware family has been carried out by researchers from the European Security Research Centre (SEKOIA), based in Moscow, Russia, and based on research conducted on the Dark Web.", "modified": "2022-10-27T22:02:48.520000", "created": "2022-09-27T22:24:58.839000", "tags": [ "privateloader", "ppi", "redline", "vidar", "smokeloader", "nymaim", "ruzki", "ppi service", "sekoia", "urls", "ppi malware", "september", "lolz guru", "telegram", "august", "february", "discord", "stack", "malware", "raccoon", "eternity", "socelars", "fabookie", "ytstealer", "agenttesla", "phoenix", "danabot", "dcrat", "glupteba", "service", "chat", "contact" ], "references": [ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/#h-iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ruzki", "display_name": "Ruzki", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "PPI", "display_name": "PPI", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null } ], "attack_ids": [ { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "VertekLabs", "id": "168455", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 21, "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 20, "domain": 4 }, "indicator_count": 61, "is_author": false, "is_subscribing": null, "subscriber_count": 560, "modified_text": "1311 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63288a4af33cd51b940a8bbe", "name": "PrivateLoader: the loader of the prevalent ruzki PPI service", "description": "A detailed analysis of the PrivateLoader malware has been carried out by researchers from the European Security Research Centre (SEKOIA), based in Moscow, Russia, and based on research conducted on the Dark Web.", "modified": "2022-10-19T15:02:45.425000", "created": "2022-09-19T15:27:06.241000", "tags": [ "vidar", "smokeloader", "nymaim", "ruzki", "redline", "privateloader", "ppi", "ppi service", "sekoia", "urls", "ppi malware", "september", "lolz guru", "telegram", "august", "february", "discord", "stack", "malware", "raccoon", "eternity", "socelars", "fabookie", "ytstealer", "agenttesla", "phoenix", "danabot", "dcrat", "glupteba", "service", "chat", "contact" ], "references": [ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PPI", "display_name": "PPI", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Ruzki", "display_name": "Ruzki", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 20, "URL": 19, "domain": 4 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "1319 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6323e0c9bb04f33ccd338e2d", "name": "PrivateLoader: the loader of the prevalent ruzki PPI service -", "description": "Pay-Per-Install (PPI) is a malware service widely used in the cybercrime ecosystem that monetises the installation of malicious software. As generally observed, a malware operator provides a Pay-per-Install service operator with a payload, a requested number of installations, and a target geographical location. The service operators are then responsible for distributing the malware sample based on the customer\u2019s request, and for which they will be paid. Actors selling \u201cinstalls\u201d play a key role in the distribution of threats, as well as the underground economy.", "modified": "2022-10-16T02:06:50.075000", "created": "2022-09-16T02:34:49.637000", "tags": [ "privateloader", "ppi service", "sekoia", "urls", "redline", "ppi malware", "september", "ruzki", "lolz guru", "telegram", "august", "february", "discord", "stack", "malware", "vidar", "raccoon", "eternity", "socelars", "fabookie", "ytstealer", "agenttesla", "phoenix", "danabot", "dcrat", "glupteba", "service", "chat", "contact" ], "references": [ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 20, "URL": 19, "domain": 4 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 354, "modified_text": "1323 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62ed041169689518fd94584d", "name": "IcedID leverages PrivateLoader", "description": "IcedID is a service provider which has been seen leading to ransomware, but is also known as the \u201cdark web\u201d service that has also been used to load some of the ransomware itself.", "modified": "2022-09-04T00:01:06.223000", "created": "2022-08-05T11:50:41.818000", "tags": [ "smokeloader", "b0t93d6\\x00pub3\\x00", "trickbot", "dridex", "djvu", "redline", "icedid", "deficulintersun", "icedid loader", "zenbox", "virustotal", "pcap", "tasksthe file", "djvu ransomware", "file", "privateloader", "qakbot", "danabot" ], "references": [ "https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Djvu", "display_name": "Djvu", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "TrickBot", "display_name": "TrickBot", "target": null }, { "id": "B0T93D6\\x00pub3\\x00", "display_name": "B0T93D6\\x00pub3\\x00", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 8, "hostname": 1, "FileHash-SHA256": 2, "URL": 13, "email": 2 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "1365 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62e2735c21200c3c34fff30b", "name": "Threat Profile: RedLine Infostealer", "description": "information stealer, named RedLine Stealer by the author, was identified being delivered through spam email campaigns, the malware is offered for sale on Russian dark web forums and as a tiered subscription allowing threat actors to use the information stealer, subscribe at different costs and purchase different access levels. In addition to being a password stealer, RedLine has the capabilities to steal login information, autocomplete data, passwords, and credit cards information from browsers.", "modified": "2022-08-27T00:02:51.006000", "created": "2022-07-28T11:30:36.121000", "tags": [ "redline", "redline stealer", "insikt group", "stolen", "future identity", "intelligence", "recorded future", "platform", "yara", "snort", "sigma", "folding", "proofpoint", "learn", "stealer malware", "figure", "march", "c panel", "trojan redline", "united", "download", "ransomware", "stop ransomware", "protect", "small", "tools", "mozilla", "path", "steam", "winscp", "code", "malware", "demo", "change redline", "group", "stealer", "lapsus", "team", "please", "microsoft", "asec", "minerva labs", "nanocore rat", "kela", "ave maria", "netwire rc", "jackal", "mars stealer", "vidar", "discord", "quasar rat", "bill", "xavier", "melissa", "blaze", "taurus", "gcleaner", "panda", "oilrig", "mask", "crew", "machete", "back", "arkei stealer", "ginzo stealer", "malicious", "adobot", "orcus rat", "hido", "look", "upgrade", "privateloader", "atomic", "matryoshka", "redlinestealer", "open", "natalie", "oski stealer", "underminerek", "blacknet rat", "michael", "agent tesla", "taurus stealer", "zloader", "phishing", "stealth mango", "cozybear", "cozer", "oceanlotus", "holmium", "scarcruft", "venus", "aluminum", "star", "matanbuchus", "comnie", "termite", "emdivi", "greenbug", "careto", "cobalt", "cyber", "dnspionage", "darkhotel", "luder", "nemim", "tapaoux", "pioneer", "havex", "evilnum", "gcman", "ghostnet", "bitter", "icefog", "trident", "infy", "kinsing", "leviathan", "esile", "elise", "sykipot", "microcin", "mirage", "muddywater", "mercury", "naikon", "nettraveler", "travnet", "nitro", "strongpity", "keyboy", "powerpool", "indra", "sauron", "msupdater", "sidewinder", "redalpha", "mantis", "rocke", "blackenergy", "mimic", "silence", "guardian", "sednit", "teamspy", "teamtnt", "teamxrat", "tick", "turla", "snake", "wraith", "pfinet", "krypton", "zoopark" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", "https://www.proofpoint.com/us/blog/threat-insight/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign", "https://www.recordedfuture.com/shining-light-on-redline-stealer-malware/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Change RedLine", "display_name": "Change RedLine", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1130", "name": "Install Root Certificate", "display_name": "T1130 - Install Root Certificate" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1170", "name": "Mshta", "display_name": "T1170 - Mshta" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1217", "name": "Browser Bookmark Discovery", "display_name": "T1217 - Browser Bookmark Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1114.001", "name": "Local Email Collection", "display_name": "T1114.001 - Local Email Collection" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" } ], "industries": [ "Manufacturing", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BITSecurity", "id": "103352", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54, "domain": 7, "hostname": 10, "FileHash-MD5": 308, "FileHash-SHA1": 308, "FileHash-SHA256": 307, "email": 1 }, "indicator_count": 995, "is_author": false, "is_subscribing": null, "subscriber_count": 248, "modified_text": "1373 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62e2735f7c9245c4972d946d", "name": "Threat Profile: RedLine Infostealer", "description": "information stealer, named RedLine Stealer by the author, was identified being delivered through spam email campaigns, the malware is offered for sale on Russian dark web forums and as a tiered subscription allowing threat actors to use the information stealer, subscribe at different costs and purchase different access levels. In addition to being a password stealer, RedLine has the capabilities to steal login information, autocomplete data, passwords, and credit cards information from browsers.", "modified": "2022-08-27T00:02:51.006000", "created": "2022-07-28T11:30:39.169000", "tags": [ "redline", "redline stealer", "insikt group", "stolen", "future identity", "intelligence", "recorded future", "platform", "yara", "snort", "sigma", "folding", "proofpoint", "learn", "stealer malware", "figure", "march", "c panel", "trojan redline", "united", "download", "ransomware", "stop ransomware", "protect", "small", "tools", "mozilla", "path", "steam", "winscp", "code", "malware", "demo", "change redline", "group", "stealer", "lapsus", "team", "please", "microsoft", "asec", "minerva labs", "nanocore rat", "kela", "ave maria", "netwire rc", "jackal", "mars stealer", "vidar", "discord", "quasar rat", "bill", "xavier", "melissa", "blaze", "taurus", "gcleaner", "panda", "oilrig", "mask", "crew", "machete", "back", "arkei stealer", "ginzo stealer", "malicious", "adobot", "orcus rat", "hido", "look", "upgrade", "privateloader", "atomic", "matryoshka", "redlinestealer", "open", "natalie", "oski stealer", "underminerek", "blacknet rat", "michael", "agent tesla", "taurus stealer", "zloader", "phishing", "stealth mango", "cozybear", "cozer", "oceanlotus", "holmium", "scarcruft", "venus", "aluminum", "star", "matanbuchus", "comnie", "termite", "emdivi", "greenbug", "careto", "cobalt", "cyber", "dnspionage", "darkhotel", "luder", "nemim", "tapaoux", "pioneer", "havex", "evilnum", "gcman", "ghostnet", "bitter", "icefog", "trident", "infy", "kinsing", "leviathan", "esile", "elise", "sykipot", "microcin", "mirage", "muddywater", "mercury", "naikon", "nettraveler", "travnet", "nitro", "strongpity", "keyboy", "powerpool", "indra", "sauron", "msupdater", "sidewinder", "redalpha", "mantis", "rocke", "blackenergy", "mimic", "silence", "guardian", "sednit", "teamspy", "teamtnt", "teamxrat", "tick", "turla", "snake", "wraith", "pfinet", "krypton", "zoopark" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", "https://www.proofpoint.com/us/blog/threat-insight/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign", "https://www.recordedfuture.com/shining-light-on-redline-stealer-malware/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Change RedLine", "display_name": "Change RedLine", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1130", "name": "Install Root Certificate", "display_name": "T1130 - Install Root Certificate" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1170", "name": "Mshta", "display_name": "T1170 - Mshta" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1503", "name": "Credentials from Web Browsers", "display_name": "T1503 - Credentials from Web Browsers" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1217", "name": "Browser Bookmark Discovery", "display_name": "T1217 - Browser Bookmark Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1114.001", "name": "Local Email Collection", "display_name": "T1114.001 - Local Email Collection" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" } ], "industries": [ "Manufacturing", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BITSecurity", "id": "103352", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54, "domain": 7, "hostname": 10, "FileHash-MD5": 308, "FileHash-SHA1": 308, "FileHash-SHA256": 307, "email": 1 }, "indicator_count": 995, "is_author": false, "is_subscribing": null, "subscriber_count": 250, "modified_text": "1373 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62454eff50cc4f88bff49b25", "name": "Quick Update: Kraken Completes Its Rebrand to Anubis | ZeroFox", "description": "A previously unknown botnet targeting Windows has been experimenting with new features, and is attempting to find a brand for itself, according to ZeroFox Intelligence, a security firm based in New York City.", "modified": "2022-04-30T00:00:33.024000", "created": "2022-03-31T06:49:35.626000", "tags": [ "smokeloader", "anubis", "c whoami", "walmart cyber", "intel team", "ezcubepanel", "adminlte", "ui process", "xor routine", "privacy", "january", "february", "kraken", "october", "zerofox", "pepega", "alert", "intelligence as", "figure", "pepe", "redline", "execution" ], "references": [ "https://www.zerofox.com/blog/quick-update-kraken-completes-its-rebrand-to-anubis/", "https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 5, "domain": 14, "FileHash-MD5": 2, "FileHash-SHA1": 2, "URL": 1 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 355, "modified_text": "1492 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/", "https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e", "https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f", "https://www.zerofox.com/blog/quick-update-kraken-completes-its-rebrand-to-anubis/", "https://www.recordedfuture.com/shining-light-on-redline-stealer-malware/", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/#h-iocs", "https://www.proofpoint.com/us/blog/threat-insight/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/#h-iocs", "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", "https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/", "https://thehackernews.com/2022/12/privateloader-ppi-service-found.html" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Risepro", "Ppi", "Dridex", "Privateloader", "Smokeloader", "B0t93d6\\x00pub3\\x00", "Vidar", "Redline", "Djvu", "Saturnwallet", "Ruzki", "Change redline", "Nymaim", "Trickbot" ], "industries": [ "Pharmaceuticals", "Manufacturing", "Healthcare" ], "unique_indicators": 1297 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/intel471.com", "whois": "http://whois.domaintools.com/intel471.com", "domain": "intel471.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 14, "pulses": [ { "id": "63aa79605cf34c5c7de853f3", "name": "PrivateLoader PPI Service Found Distributing Info-Stealing RisePro Malware", "description": "", "modified": "2023-01-26T08:01:27.782000", "created": "2022-12-27T04:49:36.764000", "tags": [ "vidar", "risepro", "market", "december", "flashpoint", "privateloader", "arkei", "genesis", "risepro stealer", "telegram", "mars", "saturnwallet", "dlls", "getprocaddress", "zip file", "command", "success", "iocs", "file", "redline", "raccoon", "stealer", "malware", "netbox", "amigo", "atom", "phantom", "bitcoin", "desktop", "download", "code", "screen", "execution" ], "references": [ "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/", "https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/", "https://thehackernews.com/2022/12/privateloader-ppi-service-found.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RisePro", "display_name": "RisePro", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "SaturnWallet", "display_name": "SaturnWallet", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [ "Pharmaceuticals", "Healthcare" ], "TLP": "white", "cloned_from": "63a9c5fe7a5e60c35c27a5fd", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 31, "FileHash-SHA256": 26, "URL": 1, "YARA": 1, "domain": 55, "hostname": 2 }, "indicator_count": 142, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "1221 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63aaad75c49aa08e6a70587b", "name": "PrivateLoader PPI Service Found Distributing Info-Stealing RisePro Malware", "description": "", "modified": "2023-01-26T08:01:27.782000", "created": "2022-12-27T08:31:49.277000", "tags": [ "vidar", "risepro", "market", "december", "flashpoint", "privateloader", "arkei", "genesis", "risepro stealer", "telegram", "mars", "saturnwallet", "dlls", "getprocaddress", "zip file", "command", "success", "iocs", "file", "redline", "raccoon", "stealer", "malware", "netbox", "amigo", "atom", "phantom", "bitcoin", "desktop", "download", "code", "screen", "execution" ], "references": [ "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/", "https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/", "https://thehackernews.com/2022/12/privateloader-ppi-service-found.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RisePro", "display_name": "RisePro", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "SaturnWallet", "display_name": "SaturnWallet", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [ "Pharmaceuticals", "Healthcare" ], "TLP": "white", "cloned_from": "63aa79605cf34c5c7de853f3", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 31, "FileHash-SHA256": 26, "URL": 1, "YARA": 1, "domain": 55, "hostname": 2 }, "indicator_count": 142, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "1221 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63ac0922b9bb35883048770a", "name": "New RisePro Stealer distributed by the prominent PrivateLoader - SEKOIA.IO Blog", "description": "A new type of information stealer, known as RisePro, has been delivered by a well-known loader family, but is not part of the usual RedLine or Raccoon malware family.", "modified": "2022-12-28T09:15:14.073000", "created": "2022-12-28T09:15:14.073000", "tags": [ "risepro", "saturnwallet", "vidar", "privateloader", "dlls", "risepro stealer", "getprocaddress", "zip file", "command", "success", "iocs", "file", "redline", "raccoon", "stealer", "malware", "netbox", "amigo", "atom", "phantom", "bitcoin", "desktop", "download", "code", "screen", "execution" ], "references": [ "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/#h-iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "SaturnWallet", "display_name": "SaturnWallet", "target": null }, { "id": "RisePro", "display_name": "RisePro", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 25, "FileHash-SHA256": 20, "URL": 1, "YARA": 1, "domain": 2, "hostname": 1 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "1250 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63aad6b8b6dfa5d5406e3b0d", "name": "New RisePro Stealer distributed by the prominent PrivateLoader - SEKOIA.IO Blog", "description": "A new type of information stealer, known as RisePro, has been delivered by a well-known loader family, but is not part of the usual RedLine or Raccoon malware family.", "modified": "2022-12-27T11:27:52.234000", "created": "2022-12-27T11:27:52.234000", "tags": [ "vidar", "risepro", "market", "december", "flashpoint", "privateloader", "arkei", "genesis", "risepro stealer", "telegram", "mars", "saturnwallet", "dlls", "getprocaddress", "zip file", "command", "success", "iocs", "file", "redline", "raccoon", "stealer", "malware", "netbox", "amigo", "atom", "phantom", "bitcoin", "desktop", "download", "code", "screen", "execution" ], "references": [ "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/", "https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RisePro", "display_name": "RisePro", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "SaturnWallet", "display_name": "SaturnWallet", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [ "Pharmaceuticals", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jackl3-3", "id": "40027", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 31, "FileHash-SHA256": 26, "URL": 1, "YARA": 1, "domain": 4, "hostname": 1 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 86, "modified_text": "1250 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63aad5ae85f7d712967a50e4", "name": "New RisePro Stealer distributed by the prominent PrivateLoader - SEKOIA.IO Blog", "description": "A new type of information stealer, known as RisePro, has been delivered by a well-known loader family, but is not part of the usual RedLine or Raccoon malware family.", "modified": "2022-12-27T11:23:26.405000", "created": "2022-12-27T11:23:26.405000", "tags": [ "risepro", "saturnwallet", "vidar", "privateloader", "dlls", "risepro stealer", "getprocaddress", "zip file", "command", "success", "iocs", "file", "redline", "raccoon", "stealer", "malware", "netbox", "amigo", "atom", "phantom", "bitcoin", "desktop", "download", "code", "screen", "execution" ], "references": [ "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "SaturnWallet", "display_name": "SaturnWallet", "target": null }, { "id": "RisePro", "display_name": "RisePro", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jackl3-3", "id": "40027", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 25, "FileHash-SHA256": 20, "URL": 1, "YARA": 1, "domain": 2, "hostname": 1 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 86, "modified_text": "1250 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63a9c5fe7a5e60c35c27a5fd", "name": "PrivateLoader PPI Service Found Distributing Info-Stealing RisePro Malware", "description": "The pay-per-install (PPI) malware downloader service known as PrivateLoader is being used to distribute a previously documented information-stealing malware dubbed RisePro.\n\nFlashpoint spotted the newly identified stealer on December 13, 2022, after it discovered \"several sets of logs\" exfiltrated using the malware on an illicit cybercrime marketplace called Russian Market.", "modified": "2022-12-26T16:04:14.771000", "created": "2022-12-26T16:04:14.771000", "tags": [ "vidar", "risepro", "market", "december", "flashpoint", "privateloader", "arkei", "genesis", "risepro stealer", "telegram", "mars", "saturnwallet", "dlls", "getprocaddress", "zip file", "command", "success", "iocs", "file", "redline", "raccoon", "stealer", "malware", "netbox", "amigo", "atom", "phantom", "bitcoin", "desktop", "download", "code", "screen", "execution" ], "references": [ "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/", "https://flashpoint.io/blog/risepro-stealer-and-pay-per-install-malware-privateloader/", "https://thehackernews.com/2022/12/privateloader-ppi-service-found.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RisePro", "display_name": "RisePro", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "SaturnWallet", "display_name": "SaturnWallet", "target": null } ], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [ "Pharmaceuticals", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 294, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 31, "FileHash-SHA256": 26, "URL": 1, "YARA": 1, "domain": 4, "hostname": 1 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 433, "modified_text": "1251 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63a817f6499f27fe3ddbb338", "name": "New RisePro Stealer distributed by the prominent PrivateLoader - SEKOIA.IO Blog", "description": "A new type of information stealer, known as RisePro, has been delivered by a well-known loader family, but is not part of the usual RedLine or Raccoon malware family.", "modified": "2022-12-25T09:29:26.637000", "created": "2022-12-25T09:29:26.637000", "tags": [ "risepro", "saturnwallet", "vidar", "privateloader", "dlls", "risepro stealer", "getprocaddress", "zip file", "command", "success", "iocs", "file", "redline", "raccoon", "stealer", "malware", "netbox", "amigo", "atom", "phantom", "bitcoin", "desktop", "download", "code", "screen", "execution" ], "references": [ "https://blog.sekoia.io/new-risepro-stealer-distributed-by-the-prominent-privateloader/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "SaturnWallet", "display_name": "SaturnWallet", "target": null }, { "id": "RisePro", "display_name": "RisePro", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Sand-Storm", "id": "94093", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_94093/resized/80/avatar_281f69b768.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 25, "FileHash-SHA256": 20, "URL": 1, "YARA": 1, "domain": 2, "hostname": 1 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 414, "modified_text": "1253 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6333783a4bf9f5f4f3d38071", "name": "PrivateLoader: the loader of the prevalent ruzki PPI service -", "description": "A detailed analysis of the PrivateLoader malware family has been carried out by researchers from the European Security Research Centre (SEKOIA), based in Moscow, Russia, and based on research conducted on the Dark Web.", "modified": "2022-10-27T22:02:48.520000", "created": "2022-09-27T22:24:58.839000", "tags": [ "privateloader", "ppi", "redline", "vidar", "smokeloader", "nymaim", "ruzki", "ppi service", "sekoia", "urls", "ppi malware", "september", "lolz guru", "telegram", "august", "february", "discord", "stack", "malware", "raccoon", "eternity", "socelars", "fabookie", "ytstealer", "agenttesla", "phoenix", "danabot", "dcrat", "glupteba", "service", "chat", "contact" ], "references": [ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/#h-iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ruzki", "display_name": "Ruzki", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "PPI", "display_name": "PPI", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null } ], "attack_ids": [ { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "VertekLabs", "id": "168455", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 21, "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 20, "domain": 4 }, "indicator_count": 61, "is_author": false, "is_subscribing": null, "subscriber_count": 560, "modified_text": "1311 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63288a4af33cd51b940a8bbe", "name": "PrivateLoader: the loader of the prevalent ruzki PPI service", "description": "A detailed analysis of the PrivateLoader malware has been carried out by researchers from the European Security Research Centre (SEKOIA), based in Moscow, Russia, and based on research conducted on the Dark Web.", "modified": "2022-10-19T15:02:45.425000", "created": "2022-09-19T15:27:06.241000", "tags": [ "vidar", "smokeloader", "nymaim", "ruzki", "redline", "privateloader", "ppi", "ppi service", "sekoia", "urls", "ppi malware", "september", "lolz guru", "telegram", "august", "february", "discord", "stack", "malware", "raccoon", "eternity", "socelars", "fabookie", "ytstealer", "agenttesla", "phoenix", "danabot", "dcrat", "glupteba", "service", "chat", "contact" ], "references": [ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PPI", "display_name": "PPI", "target": null }, { "id": "PrivateLoader", "display_name": "PrivateLoader", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Ruzki", "display_name": "Ruzki", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 20, "URL": 19, "domain": 4 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "1319 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6323e0c9bb04f33ccd338e2d", "name": "PrivateLoader: the loader of the prevalent ruzki PPI service -", "description": "Pay-Per-Install (PPI) is a malware service widely used in the cybercrime ecosystem that monetises the installation of malicious software. As generally observed, a malware operator provides a Pay-per-Install service operator with a payload, a requested number of installations, and a target geographical location. The service operators are then responsible for distributing the malware sample based on the customer\u2019s request, and for which they will be paid. Actors selling \u201cinstalls\u201d play a key role in the distribution of threats, as well as the underground economy.", "modified": "2022-10-16T02:06:50.075000", "created": "2022-09-16T02:34:49.637000", "tags": [ "privateloader", "ppi service", "sekoia", "urls", "redline", "ppi malware", "september", "ruzki", "lolz guru", "telegram", "august", "february", "discord", "stack", "malware", "vidar", "raccoon", "eternity", "socelars", "fabookie", "ytstealer", "agenttesla", "phoenix", "danabot", "dcrat", "glupteba", "service", "chat", "contact" ], "references": [ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 20, "URL": 19, "domain": 4 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 354, "modified_text": "1323 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://intel471.com/blog/privateloader-malware", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://intel471.com/blog/privateloader-malware", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780225282.3717222 }