{ "type": "URL", "indicator": "https://intellectproactive.com/dist/out/mn.php", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://intellectproactive.com/dist/out/mn.php", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3682457293, "indicator": "https://intellectproactive.com/dist/out/mn.php", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "655950034e6ae4650a6b02ce", "name": "Python Initiated Connection | Spyware | Remote Attacks | | Part 4", "description": "Apple, Mac, iOS, phishing, frauds services, malware, trojan.allesgreh/trojan.allesgreh/respat, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and possibly others. Python Initiated Connection, WScriptShell_Case_Anomaly.\nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-19T00:00:03.258000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "894 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655aef8a8cc2e0929f2aa5ea", "name": "Python Initiated Connection | Spyware | Remote Attacks |", "description": "", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-20T05:32:58.400000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "655950034e6ae4650a6b02ce", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "894 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64a2af81fc9157df238deb3e", "name": "Bumblebee", "description": "", "modified": "2023-07-03T11:22:41.164000", "created": "2023-07-03T11:22:41.164000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MarinaDiamandis", "id": "206809", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "FileHash-SHA256": 19, "domain": 10, "hostname": 1 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "1063 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "646804b36c7302e36c38d862", "name": "URLHaus data - 19-05-2023", "description": "", "modified": "2023-06-23T22:14:17.716000", "created": "2023-05-19T23:22:27.705000", "tags": [ "32-bit", "arm", "elf", "Mozi", "mips", "mirai", "dropped-by-amadey", "Kaiji", "bumblebee", "geofenced", "USA", "RedLineStealer", "dll", "exe", "njRAT", "encrypted", "RecordBreaker", "hajime", "ascii", "NetSupport", "powershell", "ps", "rat", "zip", "AgentTesla", "zgRAT", "CoinMiner", "dropped-by-PrivateLoader", "Bancos", "1234", "7z", "Password-protected", "Vidar", "RedLine", "Amadey", "Formbook", "opendir", "32", "Gh0stRAT", "Loki", "GuLoader", "ps1", "LummaStealer", "Stealc", "dropped-by-SmokeLoader", "additionalpayloads", "raccoonv2", "RemoteManipulator", "RaccoonStealer", "script", "Lumma", "Gozi", "ISFB", "ITA", "js", "ursnif" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 544, "domain": 15, "hostname": 3 }, "indicator_count": 562, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1073 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64935238294f00e0b9b8ab79", "name": "PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID | Deep Instinct", "description": "PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID", "modified": "2023-06-21T20:01:30.722000", "created": "2023-06-21T19:40:40.128000", "tags": [ "bumblebee", "icedid", "pindos", "javascript", "malware" ], "references": [ "https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "IcedID", "display_name": "IcedID", "target": null }, { "id": "PindOS", "display_name": "PindOS", "target": null }, { "id": "BumbleBee", "display_name": "BumbleBee", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Shaul_VP", "id": "47782", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_47782/resized/80/avatar_14a32d2e73.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "FileHash-SHA256": 19, "domain": 10, "hostname": 1 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "1075 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://urlhaus.abuse.ch/browse/", "https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Et", "Pindos", "Gc", "Bumblebee", "Icedid" ], "industries": [], "unique_indicators": 27833 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/intellectproactive.com", "whois": "http://whois.domaintools.com/intellectproactive.com", "domain": "intellectproactive.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "655950034e6ae4650a6b02ce", "name": "Python Initiated Connection | Spyware | Remote Attacks | | Part 4", "description": "Apple, Mac, iOS, phishing, frauds services, malware, trojan.allesgreh/trojan.allesgreh/respat, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and possibly others. Python Initiated Connection, WScriptShell_Case_Anomaly.\nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-19T00:00:03.258000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "894 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655aef8a8cc2e0929f2aa5ea", "name": "Python Initiated Connection | Spyware | Remote Attacks |", "description": "", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-20T05:32:58.400000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "655950034e6ae4650a6b02ce", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "894 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64a2af81fc9157df238deb3e", "name": "Bumblebee", "description": "", "modified": "2023-07-03T11:22:41.164000", "created": "2023-07-03T11:22:41.164000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MarinaDiamandis", "id": "206809", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "FileHash-SHA256": 19, "domain": 10, "hostname": 1 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "1063 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "646804b36c7302e36c38d862", "name": "URLHaus data - 19-05-2023", "description": "", "modified": "2023-06-23T22:14:17.716000", "created": "2023-05-19T23:22:27.705000", "tags": [ "32-bit", "arm", "elf", "Mozi", "mips", "mirai", "dropped-by-amadey", "Kaiji", "bumblebee", "geofenced", "USA", "RedLineStealer", "dll", "exe", "njRAT", "encrypted", "RecordBreaker", "hajime", "ascii", "NetSupport", "powershell", "ps", "rat", "zip", "AgentTesla", "zgRAT", "CoinMiner", "dropped-by-PrivateLoader", "Bancos", "1234", "7z", "Password-protected", "Vidar", "RedLine", "Amadey", "Formbook", "opendir", "32", "Gh0stRAT", "Loki", "GuLoader", "ps1", "LummaStealer", "Stealc", "dropped-by-SmokeLoader", "additionalpayloads", "raccoonv2", "RemoteManipulator", "RaccoonStealer", "script", "Lumma", "Gozi", "ISFB", "ITA", "js", "ursnif" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 544, "domain": 15, "hostname": 3 }, "indicator_count": 562, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1073 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64935238294f00e0b9b8ab79", "name": "PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID | Deep Instinct", "description": "PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID", "modified": "2023-06-21T20:01:30.722000", "created": "2023-06-21T19:40:40.128000", "tags": [ "bumblebee", "icedid", "pindos", "javascript", "malware" ], "references": [ "https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "IcedID", "display_name": "IcedID", "target": null }, { "id": "PindOS", "display_name": "PindOS", "target": null }, { "id": "BumbleBee", "display_name": "BumbleBee", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Shaul_VP", "id": "47782", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_47782/resized/80/avatar_14a32d2e73.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "FileHash-SHA256": 19, "domain": 10, "hostname": 1 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "1075 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://intellectproactive.com/dist/out/mn.php", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://intellectproactive.com/dist/out/mn.php", "type": "URL", "found": true, "verdict": "malicious", "url_status": "offline", "threat": "malware_download", "tags": [ "bumblebee", "geofenced", "Mydoom", "USA" ], "date_added": "2023-05-19", "last_online": "2024-03-19", "reporter": "abuse_ch", "host": "intellectproactive.com", "payloads": [ { "filename": "goat.dll", "file_type": "dll", "md5": "87702e9f03a370a1e7219c5e004bb40d", "sha256": "c7a544e4599fc7d39d31a8623520db9d0dc8bae688fdb0b55590ed4682ee7abe", "signature": "BumbleBee", "first_seen": "2024-03-19" }, { "filename": "goat.dll", "file_type": "dll", "md5": "4d348bbdc146b7ca7e3a3bce6c2811d0", "sha256": "89e92da46fb17d8c1e2827e5ab4795bdc669cc2c7ce486d10a6f41247062cf1c", "signature": "BumbleBee", "first_seen": "2024-03-19" }, { "filename": "goat.dll", "file_type": "dll", "md5": "ccee27b0a6cd8940911618c0aedbb9ed", "sha256": "e63f176d92a698b8017c8f8e29d0e17fefe4c1b87c6404b24edf998aef1988ff", "signature": "BumbleBee", "first_seen": "2024-03-18" }, { "filename": "goat.dll", "file_type": "dll", "md5": "86e7a30c94e033a4695a819ea08f4a73", "sha256": "769e98842ffe717240f186775b50c13ff0fa5b87a4416cefc67ddc3d518ac947", "signature": "BumbleBee", "first_seen": "2024-03-18" }, { "filename": "goat.dll", "file_type": "dll", "md5": "57bbdba02d9a43679d28982adf8b1712", "sha256": "9d8936f0608014417fb1a77b6bf176a0307f36d156c051712c18dfe16d44d5f9", "signature": "BumbleBee", "first_seen": "2024-03-18" } ], "error": null }, "from_cache": true, "_cached_at": 1780265902.2939582 }