{ "type": "URL", "indicator": "https://sluitionsbad.tech/live/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://sluitionsbad.tech/live/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3845424434, "indicator": "https://sluitionsbad.tech/live/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "660efeeff522f4fd488a22ec", "name": "This Spider Bytes Like Ice", "description": "Proofpoint first observed new malware named Latrodectus in late November 2023, employed in email campaigns. While Latrodectus usage declined in December 2023 and January 2024, it resurged in February and March 2024 campaigns. Initially distributed by threat actor TA577 but later adopted by TA578, Latrodectus is an emerging downloader with sandbox evasion capabilities. Although sharing similarities with IcedID, researchers confirmed Latrodectus as a new malware likely created by IcedID's developers, exhibiting infrastructure overlap with historic IcedID operations.", "modified": "2024-05-04T19:01:04.411000", "created": "2024-04-04T19:26:39.218000", "tags": [ "bumblebee", "danabot", "downloader", "pikabot", "campaigns", "icedid", "latrodectus", "malspam" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice" ], "public": 1, "adversary": "TA578", "targeted_countries": [], "malware_families": [ { "id": "Latrodectus", "display_name": "Latrodectus", "target": null }, { "id": "IcedID - S0483", "display_name": "IcedID - S0483", "target": null }, { "id": "Pikabot", "display_name": "Pikabot", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Bumblebee - S1039", "display_name": "Bumblebee - S1039", "target": null } ], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1126", "name": "Network Share Connection Removal", "display_name": "T1126 - Network Share Connection Removal" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 382, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 5, "FileHash-SHA256": 33, "URL": 39, "domain": 28 }, "indicator_count": 108, "is_author": false, "is_subscribing": null, "subscriber_count": 387018, "modified_text": "759 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6615bbd834d097f7869d5b1a", "name": "Watch Out for Latrodectus - This Malware Could Be In Your Inbox", "description": "A new type of malware has been distributed as part of email phishing campaigns since at least late November 2023, according to researchers from Proofpoint and Team Cymru, who have identified the threat actors behind QakBot and PikaBot.", "modified": "2024-05-09T22:01:15.094000", "created": "2024-04-09T22:06:16.288000", "tags": [ "cyber security news", "cyber news", "cyber security news today", "cyber security updates", "cyber updates", "hacker news", "hacking news", "software vulnerability", "cyber attacks", "data breach", "ransomware malware", "how to hack", "network security", "information security", "the hacker news", "computer security", "latrodectus", "icedid", "ta578", "proofpoint", "team cymru", "iabs", "qakbot", "pikabot", "august", "november", "ursnif", "kpot stealer", "bazaloader", "cobalt strike", "bumblebee", "darkgate", "twitter", "kpot", "february", "sha256", "march", "latrodectus c2", "et malware", "dll payload", "example", "leverage", "protect", "small", "april", "nail", "download", "dword", "major", "shutdown", "zergrush", "austin", "delta", "juliet", "jupiter", "kappa", "kilo", "mars", "mike", "wikiloader", "first" ], "references": [ "https://thehackernews.com/2024/04/watch-out-for-latrodectus-this-malware.html", "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Latrodectus", "display_name": "Latrodectus", "target": null }, { "id": "KPOT", "display_name": "KPOT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "text_account", "id": "221593", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 22, "FileHash-SHA256": 34, "URL": 39, "domain": 28 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 51, "modified_text": "754 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6614b304c45a43be1de08a81", "name": "meethub.gg", "description": "", "modified": "2024-05-09T03:03:34.604000", "created": "2024-04-09T03:16:20.964000", "tags": [ "virustotal" ], "references": [ "https://www.virustotal.com/graph/g8092339cafc34286bde2badcf413cc29c7cbd21950af45298e2ea39a87423306" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 58, "FileHash-MD5": 37, "FileHash-SHA1": 33, "FileHash-SHA256": 75, "domain": 126, "hostname": 21 }, "indicator_count": 350, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "755 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6614792f8b0119f9e89c7fb7", "name": "Weekly OSINT Highlights, 8 April 2024", "description": "", "modified": "2024-05-08T23:03:43.786000", "created": "2024-04-08T23:09:35.206000", "tags": [ "OSINT", "Latrodectus", "Phishing", "Agent Tesla", "RAT", "Earth Freybug", "Brass Typhoon", "APT-41", "UNAPIMON", "Linux", "Rhadamanthys", "Malvertising" ], "references": [ "https://community.riskiq.com/article/974639f2" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 36, "FileHash-SHA256": 45, "FileHash-MD5": 9, "domain": 14, "email": 41, "URL": 51 }, "indicator_count": 196, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "755 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6611a6200d9ffe4498cf8152", "name": "IcedID Malware Replaced by Latrodectus", "description": "", "modified": "2024-05-06T19:03:29.315000", "created": "2024-04-06T19:44:32.165000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 20, "FileHash-SHA256": 33, "URL": 37, "domain": 32 }, "indicator_count": 142, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "757 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660fd8ca8165a32bf1d4d93b", "name": "New Latrodectus malware replaces IcedID in network breaches", "description": "A relatively new malware called Latrodectus is believed to be an evolution of the IcedID loader, seen in malicious email campaigns since November 2023.\nThe malware was spotted by researchers at Proofpoint and Team Cymru, who worked together to document its capabilities, which are still unstable and experimental. Latrodectus was spotted in November 2023, used by threat actors tracked as TA577 and TA578, with a notable increase in observed deployments in February and March 2024.", "modified": "2024-05-05T10:01:19.665000", "created": "2024-04-05T10:56:10.824000", "tags": [ "latrodectus", "february", "sha256", "march", "november", "latrodectus c2", "icedid", "et malware", "dll payload", "proofpoint", "pikabot", "example", "leverage", "protect", "small", "april", "nail", "download", "bumblebee", "dword", "major", "shutdown", "zergrush", "august", "austin", "delta", "juliet", "jupiter", "kappa", "kilo", "mars", "mike", "wikiloader", "first", "ta577", "ta544", "ta581", "qbot", "example ta577", "ta577 latrodectus", "december" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice", "https://www.bleepingcomputer.com/news/security/new-latrodectus-malware-replaces-icedid-in-network-breaches/" ], "public": 1, "adversary": "TA577", "targeted_countries": [], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "Example TA577", "display_name": "Example TA577", "target": null }, { "id": "TA577 Latrodectus", "display_name": "TA577 Latrodectus", "target": null }, { "id": "December", "display_name": "December", "target": null }, { "id": "TA577", "display_name": "TA577", "target": null }, { "id": "IcedID", "display_name": "IcedID", "target": null }, { "id": "Latrodectus", "display_name": "Latrodectus", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [ "Legal" ], "TLP": "white", "cloned_from": null, "export_count": 348, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 22, "FileHash-SHA256": 34, "URL": 39, "domain": 28 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 434, "modified_text": "758 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660fc0698e1e73e86347ab7f", "name": "Latrodectus: This Spider Bytes Like Ice\u00a0 | Proofpoint US", "description": "", "modified": "2024-05-05T09:01:07.896000", "created": "2024-04-05T09:12:09.561000", "tags": [ "latrodectus", "february", "sha256", "march", "november", "latrodectus c2", "icedid", "et malware", "dll payload", "proofpoint", "pikabot", "example", "leverage", "protect", "small", "april", "nail", "download", "bumblebee", "dword", "major", "shutdown", "zergrush", "august", "austin", "delta", "juliet", "jupiter", "kappa", "kilo", "mars", "mike", "wikiloader", "first" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bluenumberone", "id": "246058", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 22, "FileHash-SHA256": 34, "URL": 39, "domain": 28 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "758 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660fb4ea20b816f2ffff9b2e", "name": "Latrodectus: This Spider Bytes Like Ice\u00a0 | Proofpoint US", "description": "Find out more about Proofpoint, the world's leading cybersecurity company, in a daily guide to the best products, services and resources to help companies protect their people, data and brand from cyber attacks.", "modified": "2024-05-05T08:00:52.318000", "created": "2024-04-05T08:23:06.038000", "tags": [ "latrodectus", "february", "sha256", "march", "november", "latrodectus c2", "icedid", "et malware", "dll payload", "proofpoint", "pikabot", "example", "leverage", "protect", "small", "april", "nail", "download", "bumblebee", "dword", "major", "shutdown", "zergrush", "august", "austin", "delta", "juliet", "jupiter", "kappa", "kilo", "mars", "mike", "wikiloader", "first", "ta577", "ta544", "ta581", "qbot", "example ta577", "ta577 latrodectus", "december" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice" ], "public": 1, "adversary": "TA577", "targeted_countries": [], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "Example TA577", "display_name": "Example TA577", "target": null }, { "id": "TA577 Latrodectus", "display_name": "TA577 Latrodectus", "target": null }, { "id": "December", "display_name": "December", "target": null }, { "id": "TA577", "display_name": "TA577", "target": null }, { "id": "IcedID", "display_name": "IcedID", "target": null }, { "id": "Latrodectus", "display_name": "Latrodectus", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [ "Legal" ], "TLP": "white", "cloned_from": null, "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 22, "FileHash-SHA256": 34, "URL": 39, "domain": 28 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "758 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660f33df0b28f8ab71602d46", "name": "Latrodectus: This Spider Bytes Like Ice", "description": "", "modified": "2024-05-04T23:00:18.200000", "created": "2024-04-04T23:12:31.591000", "tags": [ "OSINT", "Latrodectus", "Loader", "Phishing", "T1566 - Phishing", "T1129 - Shared Modules", "T1053 - Scheduled Task/Job", "T1059 - Command and Scripting Interpreter", "T1574.002 - DLL Side-Loading", "T1055 - Process Injection", "T1036 - Masquerading" ], "references": [ "https://community.riskiq.com/article/b4fe59bf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 33, "FileHash-SHA1": 1, "domain": 14, "URL": 35 }, "indicator_count": 83, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "759 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "661b254f4a1b2f7a1e39811b", "name": "Latrodectus: This Spider Bytes Like Ice", "description": "", "modified": "2024-05-04T19:01:04.411000", "created": "2024-04-14T00:37:35.710000", "tags": [ "bumblebee", "danabot", "downloader", "pikabot", "campaigns", "icedid", "latrodectus", "malspam" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice" ], "public": 1, "adversary": "TA578", "targeted_countries": [], "malware_families": [ { "id": "Latrodectus", "display_name": "Latrodectus", "target": null }, { "id": "IcedID - S0483", "display_name": "IcedID - S0483", "target": null }, { "id": "Pikabot", "display_name": "Pikabot", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Bumblebee - S1039", "display_name": "Bumblebee - S1039", "target": null } ], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1126", "name": "Network Share Connection Removal", "display_name": "T1126 - Network Share Connection Removal" } ], "industries": [], "TLP": "white", "cloned_from": "660efeeff522f4fd488a22ec", "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 5, "FileHash-SHA256": 33, "URL": 39, "domain": 28 }, "indicator_count": 108, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "759 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "661fa8280a655487eff63fda", "name": "Latrodectus: This Spider Bytes Like Ice", "description": "", "modified": "2024-05-04T19:01:04.411000", "created": "2024-04-17T10:44:56.418000", "tags": [ "bumblebee", "danabot", "downloader", "pikabot", "campaigns", "icedid", "latrodectus", "malspam" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice" ], "public": 1, "adversary": "TA578", "targeted_countries": [], "malware_families": [ { "id": "Latrodectus", "display_name": "Latrodectus", "target": null }, { "id": "IcedID - S0483", "display_name": "IcedID - S0483", "target": null }, { "id": "Pikabot", "display_name": "Pikabot", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Bumblebee - S1039", "display_name": "Bumblebee - S1039", "target": null } ], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1126", "name": "Network Share Connection Removal", "display_name": "T1126 - Network Share Connection Removal" } ], "industries": [], "TLP": "white", "cloned_from": "661b254f4a1b2f7a1e39811b", "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 5, "FileHash-SHA256": 33, "URL": 39, "domain": 28 }, "indicator_count": 108, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "759 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660ebb70dcfe26b07b7a1eaf", "name": "Latrodectus: This Spider Bytes Like Ice\u00a0 | Proofpoint US", "description": "", "modified": "2024-05-04T14:03:47.113000", "created": "2024-04-04T14:38:40.195000", "tags": [ "latrodectus", "february", "sha256", "march", "november", "latrodectus c2", "icedid", "et malware", "dll payload", "proofpoint", "pikabot", "example", "leverage", "protect", "small", "april", "nail", "download", "bumblebee", "dword", "major", "shutdown", "zergrush", "august", "austin", "delta", "juliet", "jupiter", "kappa", "kilo", "mars", "mike", "wikiloader", "first" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AustinBH", "id": "147442", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 5, "FileHash-SHA256": 33, "URL": 39, "domain": 28 }, "indicator_count": 108, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "759 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://community.riskiq.com/article/b4fe59bf", "https://www.bleepingcomputer.com/news/security/new-latrodectus-malware-replaces-icedid-in-network-breaches/", "https://www.virustotal.com/graph/g8092339cafc34286bde2badcf413cc29c7cbd21950af45298e2ea39a87423306", "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice", "https://community.riskiq.com/article/974639f2", "https://thehackernews.com/2024/04/watch-out-for-latrodectus-this-malware.html" ], "related": { "alienvault": { "adversary": [ "TA578" ], "malware_families": [ "Danabot", "Icedid - s0483", "Latrodectus", "Bumblebee - s1039", "Pikabot" ], "industries": [], "unique_indicators": 116 }, "other": { "adversary": [ "TA577", "TA578" ], "malware_families": [ "Danabot", "Ta577 latrodectus", "December", "Example ta577", "Cobalt strike", "Ta577", "Kpot", "Icedid", "Latrodectus", "Icedid - s0483", "Qbot", "Bumblebee - s1039", "Pikabot" ], "industries": [ "Legal" ], "unique_indicators": 590 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/sluitionsbad.tech", "whois": "http://whois.domaintools.com/sluitionsbad.tech", "domain": "sluitionsbad.tech", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "660efeeff522f4fd488a22ec", "name": "This Spider Bytes Like Ice", "description": "Proofpoint first observed new malware named Latrodectus in late November 2023, employed in email campaigns. While Latrodectus usage declined in December 2023 and January 2024, it resurged in February and March 2024 campaigns. Initially distributed by threat actor TA577 but later adopted by TA578, Latrodectus is an emerging downloader with sandbox evasion capabilities. Although sharing similarities with IcedID, researchers confirmed Latrodectus as a new malware likely created by IcedID's developers, exhibiting infrastructure overlap with historic IcedID operations.", "modified": "2024-05-04T19:01:04.411000", "created": "2024-04-04T19:26:39.218000", "tags": [ "bumblebee", "danabot", "downloader", "pikabot", "campaigns", "icedid", "latrodectus", "malspam" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice" ], "public": 1, "adversary": "TA578", "targeted_countries": [], "malware_families": [ { "id": "Latrodectus", "display_name": "Latrodectus", "target": null }, { "id": "IcedID - S0483", "display_name": "IcedID - S0483", "target": null }, { "id": "Pikabot", "display_name": "Pikabot", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Bumblebee - S1039", "display_name": "Bumblebee - S1039", "target": null } ], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1126", "name": "Network Share Connection Removal", "display_name": "T1126 - Network Share Connection Removal" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 382, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 5, "FileHash-SHA256": 33, "URL": 39, "domain": 28 }, "indicator_count": 108, "is_author": false, "is_subscribing": null, "subscriber_count": 387018, "modified_text": "759 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6615bbd834d097f7869d5b1a", "name": "Watch Out for Latrodectus - This Malware Could Be In Your Inbox", "description": "A new type of malware has been distributed as part of email phishing campaigns since at least late November 2023, according to researchers from Proofpoint and Team Cymru, who have identified the threat actors behind QakBot and PikaBot.", "modified": "2024-05-09T22:01:15.094000", "created": "2024-04-09T22:06:16.288000", "tags": [ "cyber security news", "cyber news", "cyber security news today", "cyber security updates", "cyber updates", "hacker news", "hacking news", "software vulnerability", "cyber attacks", "data breach", "ransomware malware", "how to hack", "network security", "information security", "the hacker news", "computer security", "latrodectus", "icedid", "ta578", "proofpoint", "team cymru", "iabs", "qakbot", "pikabot", "august", "november", "ursnif", "kpot stealer", "bazaloader", "cobalt strike", "bumblebee", "darkgate", "twitter", "kpot", "february", "sha256", "march", "latrodectus c2", "et malware", "dll payload", "example", "leverage", "protect", "small", "april", "nail", "download", "dword", "major", "shutdown", "zergrush", "austin", "delta", "juliet", "jupiter", "kappa", "kilo", "mars", "mike", "wikiloader", "first" ], "references": [ "https://thehackernews.com/2024/04/watch-out-for-latrodectus-this-malware.html", "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Latrodectus", "display_name": "Latrodectus", "target": null }, { "id": "KPOT", "display_name": "KPOT", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "text_account", "id": "221593", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 22, "FileHash-SHA256": 34, "URL": 39, "domain": 28 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 51, "modified_text": "754 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6614b304c45a43be1de08a81", "name": "meethub.gg", "description": "", "modified": "2024-05-09T03:03:34.604000", "created": "2024-04-09T03:16:20.964000", "tags": [ "virustotal" ], "references": [ "https://www.virustotal.com/graph/g8092339cafc34286bde2badcf413cc29c7cbd21950af45298e2ea39a87423306" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 58, "FileHash-MD5": 37, "FileHash-SHA1": 33, "FileHash-SHA256": 75, "domain": 126, "hostname": 21 }, "indicator_count": 350, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "755 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6614792f8b0119f9e89c7fb7", "name": "Weekly OSINT Highlights, 8 April 2024", "description": "", "modified": "2024-05-08T23:03:43.786000", "created": "2024-04-08T23:09:35.206000", "tags": [ "OSINT", "Latrodectus", "Phishing", "Agent Tesla", "RAT", "Earth Freybug", "Brass Typhoon", "APT-41", "UNAPIMON", "Linux", "Rhadamanthys", "Malvertising" ], "references": [ "https://community.riskiq.com/article/974639f2" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 36, "FileHash-SHA256": 45, "FileHash-MD5": 9, "domain": 14, "email": 41, "URL": 51 }, "indicator_count": 196, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "755 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6611a6200d9ffe4498cf8152", "name": "IcedID Malware Replaced by Latrodectus", "description": "", "modified": "2024-05-06T19:03:29.315000", "created": "2024-04-06T19:44:32.165000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 20, "FileHash-SHA256": 33, "URL": 37, "domain": 32 }, "indicator_count": 142, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "757 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660fd8ca8165a32bf1d4d93b", "name": "New Latrodectus malware replaces IcedID in network breaches", "description": "A relatively new malware called Latrodectus is believed to be an evolution of the IcedID loader, seen in malicious email campaigns since November 2023.\nThe malware was spotted by researchers at Proofpoint and Team Cymru, who worked together to document its capabilities, which are still unstable and experimental. Latrodectus was spotted in November 2023, used by threat actors tracked as TA577 and TA578, with a notable increase in observed deployments in February and March 2024.", "modified": "2024-05-05T10:01:19.665000", "created": "2024-04-05T10:56:10.824000", "tags": [ "latrodectus", "february", "sha256", "march", "november", "latrodectus c2", "icedid", "et malware", "dll payload", "proofpoint", "pikabot", "example", "leverage", "protect", "small", "april", "nail", "download", "bumblebee", "dword", "major", "shutdown", "zergrush", "august", "austin", "delta", "juliet", "jupiter", "kappa", "kilo", "mars", "mike", "wikiloader", "first", "ta577", "ta544", "ta581", "qbot", "example ta577", "ta577 latrodectus", "december" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice", "https://www.bleepingcomputer.com/news/security/new-latrodectus-malware-replaces-icedid-in-network-breaches/" ], "public": 1, "adversary": "TA577", "targeted_countries": [], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "Example TA577", "display_name": "Example TA577", "target": null }, { "id": "TA577 Latrodectus", "display_name": "TA577 Latrodectus", "target": null }, { "id": "December", "display_name": "December", "target": null }, { "id": "TA577", "display_name": "TA577", "target": null }, { "id": "IcedID", "display_name": "IcedID", "target": null }, { "id": "Latrodectus", "display_name": "Latrodectus", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [ "Legal" ], "TLP": "white", "cloned_from": null, "export_count": 348, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 22, "FileHash-SHA256": 34, "URL": 39, "domain": 28 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 434, "modified_text": "758 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660fc0698e1e73e86347ab7f", "name": "Latrodectus: This Spider Bytes Like Ice\u00a0 | Proofpoint US", "description": "", "modified": "2024-05-05T09:01:07.896000", "created": "2024-04-05T09:12:09.561000", "tags": [ "latrodectus", "february", "sha256", "march", "november", "latrodectus c2", "icedid", "et malware", "dll payload", "proofpoint", "pikabot", "example", "leverage", "protect", "small", "april", "nail", "download", "bumblebee", "dword", "major", "shutdown", "zergrush", "august", "austin", "delta", "juliet", "jupiter", "kappa", "kilo", "mars", "mike", "wikiloader", "first" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bluenumberone", "id": "246058", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 22, "FileHash-SHA256": 34, "URL": 39, "domain": 28 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "758 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660fb4ea20b816f2ffff9b2e", "name": "Latrodectus: This Spider Bytes Like Ice\u00a0 | Proofpoint US", "description": "Find out more about Proofpoint, the world's leading cybersecurity company, in a daily guide to the best products, services and resources to help companies protect their people, data and brand from cyber attacks.", "modified": "2024-05-05T08:00:52.318000", "created": "2024-04-05T08:23:06.038000", "tags": [ "latrodectus", "february", "sha256", "march", "november", "latrodectus c2", "icedid", "et malware", "dll payload", "proofpoint", "pikabot", "example", "leverage", "protect", "small", "april", "nail", "download", "bumblebee", "dword", "major", "shutdown", "zergrush", "august", "austin", "delta", "juliet", "jupiter", "kappa", "kilo", "mars", "mike", "wikiloader", "first", "ta577", "ta544", "ta581", "qbot", "example ta577", "ta577 latrodectus", "december" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice" ], "public": 1, "adversary": "TA577", "targeted_countries": [], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "Example TA577", "display_name": "Example TA577", "target": null }, { "id": "TA577 Latrodectus", "display_name": "TA577 Latrodectus", "target": null }, { "id": "December", "display_name": "December", "target": null }, { "id": "TA577", "display_name": "TA577", "target": null }, { "id": "IcedID", "display_name": "IcedID", "target": null }, { "id": "Latrodectus", "display_name": "Latrodectus", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [ "Legal" ], "TLP": "white", "cloned_from": null, "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 22, "FileHash-SHA256": 34, "URL": 39, "domain": 28 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "758 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660f33df0b28f8ab71602d46", "name": "Latrodectus: This Spider Bytes Like Ice", "description": "", "modified": "2024-05-04T23:00:18.200000", "created": "2024-04-04T23:12:31.591000", "tags": [ "OSINT", "Latrodectus", "Loader", "Phishing", "T1566 - Phishing", "T1129 - Shared Modules", "T1053 - Scheduled Task/Job", "T1059 - Command and Scripting Interpreter", "T1574.002 - DLL Side-Loading", "T1055 - Process Injection", "T1036 - Masquerading" ], "references": [ "https://community.riskiq.com/article/b4fe59bf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 33, "FileHash-SHA1": 1, "domain": 14, "URL": 35 }, "indicator_count": 83, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "759 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "661b254f4a1b2f7a1e39811b", "name": "Latrodectus: This Spider Bytes Like Ice", "description": "", "modified": "2024-05-04T19:01:04.411000", "created": "2024-04-14T00:37:35.710000", "tags": [ "bumblebee", "danabot", "downloader", "pikabot", "campaigns", "icedid", "latrodectus", "malspam" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice" ], "public": 1, "adversary": "TA578", "targeted_countries": [], "malware_families": [ { "id": "Latrodectus", "display_name": "Latrodectus", "target": null }, { "id": "IcedID - S0483", "display_name": "IcedID - S0483", "target": null }, { "id": "Pikabot", "display_name": "Pikabot", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Bumblebee - S1039", "display_name": "Bumblebee - S1039", "target": null } ], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1126", "name": "Network Share Connection Removal", "display_name": "T1126 - Network Share Connection Removal" } ], "industries": [], "TLP": "white", "cloned_from": "660efeeff522f4fd488a22ec", "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 5, "FileHash-SHA256": 33, "URL": 39, "domain": 28 }, "indicator_count": 108, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "759 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://sluitionsbad.tech/live/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://sluitionsbad.tech/live/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780468347.6919188 }