{ "type": "URL", "indicator": "https://stats-best.site/fp.php", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://stats-best.site/fp.php", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3749508164, "indicator": "https://stats-best.site/fp.php", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "652d4af14757d6463fcc430b", "name": "ClearFake: a newcomer to the \u201cfake updates\u201d threats landscape", "description": "A security analysis of ClearFake, a new malicious JavaScript framework deployed on compromised websites to deliver malware using a drive-by download technique, reveals how the malware is deployed and how it is tracked.", "modified": "2024-11-11T13:37:58.714000", "created": "2023-10-16T14:38:40.705000", "tags": [ "clearfake", "javascript", "fake update" ], "references": [ "https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 410, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "URL": 9, "domain": 50, "hostname": 1 }, "indicator_count": 74, "is_author": false, "is_subscribing": null, "subscriber_count": 386581, "modified_text": "566 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65fe20d1635c58fd2be328bc", "name": "FAKEUPDATES by ThreatFox", "description": "", "modified": "2024-05-12T20:27:02.873000", "created": "2024-03-23T00:22:41.667000", "tags": [ "virustotal" ], "references": [ "https://www.virustotal.com/gui/collection/threatfox_js_fakeupdates", "https://twitter.com/500mk500/status/1771235578274607201" ], "public": 1, "adversary": "TA569", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1001, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 5, "domain": 426, "hostname": 272 }, "indicator_count": 1708, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "749 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6530cf01c7fad411c90de0e2", "name": "ClearFake: a newcomer to the \"fake updates\" threats landscape - Sekoia.io Blog", "description": "A security analysis of ClearFake, a new malicious JavaScript framework deployed on compromised websites to deliver malware using a drive-by download technique, reveals how the malware is deployed and how it is tracked.", "modified": "2023-11-18T06:02:04.242000", "created": "2023-10-19T06:38:57.397000", "tags": [ "clearfake", "javascript", "september", "appx file", "hijackloader", "appx", "clearfake c2", "iocs", "socgholish", "html page", "next", "august", "raccoon", "vidar", "first", "click", "malware", "bazarbackdoor", "emotet", "danabot", "redline", "remcos", "systembc", "third", "loader", "fakesg", "magniber", "idat loader" ], "references": [ "https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/#h-iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "JavaScript", "display_name": "JavaScript", "target": null }, { "id": "Javascript", "display_name": "Javascript", "target": null }, { "id": "FakeSG", "display_name": "FakeSG", "target": null }, { "id": "Magniber", "display_name": "Magniber", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "HijackLoader", "display_name": "HijackLoader", "target": null }, { "id": "IDAT Loader", "display_name": "IDAT Loader", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "domain": 51, "hostname": 3 }, "indicator_count": 79, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "925 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652cea1ea4d132759b92b269", "name": "ClearFake Malware Analysis | malware-analysis", "description": "Here\u2019s a look at some of the Javascript injections being used in a fake update campaign for Google Chrome, known as SocGholish, which appears to be running from a compromised website.", "modified": "2023-11-15T07:05:53.201000", "created": "2023-10-16T07:45:34.149000", "tags": [ "binance", "wordpress", "clearfake", "wordpress site", "blockchain", "etherhiding", "code", "javascript code", "array", "script", "redline", "amadey", "mask", "june", "possible", "malicious", "javascript", "payload", "july", "analysis", "randy mceoin", "publicwww", "socgholish", "chrome", "fiddler", "download" ], "references": [ "https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16", "https://rmceoin.github.io/malware-analysis/clearfake/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Amadey", "display_name": "Amadey", "target": null } ], "attack_ids": [ { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 4, "FileHash-SHA256": 14, "URL": 7, "domain": 43, "hostname": 1 }, "indicator_count": 74, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "928 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://twitter.com/500mk500/status/1771235578274607201", "https://rmceoin.github.io/malware-analysis/clearfake/", "https://www.virustotal.com/gui/collection/threatfox_js_fakeupdates", "https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/", "https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/#h-iocs", "https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Clearfake" ], "industries": [], "unique_indicators": 81 }, "other": { "adversary": [ "TA569" ], "malware_families": [ "Clearfake", "Amadey", "Vidar", "Idat loader", "Hijackloader", "Magniber", "Fakesg", "Javascript" ], "industries": [], "unique_indicators": 1987 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/stats-best.site", "whois": "http://whois.domaintools.com/stats-best.site", "domain": "stats-best.site", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "652d4af14757d6463fcc430b", "name": "ClearFake: a newcomer to the \u201cfake updates\u201d threats landscape", "description": "A security analysis of ClearFake, a new malicious JavaScript framework deployed on compromised websites to deliver malware using a drive-by download technique, reveals how the malware is deployed and how it is tracked.", "modified": "2024-11-11T13:37:58.714000", "created": "2023-10-16T14:38:40.705000", "tags": [ "clearfake", "javascript", "fake update" ], "references": [ "https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 410, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "URL": 9, "domain": 50, "hostname": 1 }, "indicator_count": 74, "is_author": false, "is_subscribing": null, "subscriber_count": 386581, "modified_text": "566 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65fe20d1635c58fd2be328bc", "name": "FAKEUPDATES by ThreatFox", "description": "", "modified": "2024-05-12T20:27:02.873000", "created": "2024-03-23T00:22:41.667000", "tags": [ "virustotal" ], "references": [ "https://www.virustotal.com/gui/collection/threatfox_js_fakeupdates", "https://twitter.com/500mk500/status/1771235578274607201" ], "public": 1, "adversary": "TA569", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1001, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 5, "domain": 426, "hostname": 272 }, "indicator_count": 1708, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "749 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6530cf01c7fad411c90de0e2", "name": "ClearFake: a newcomer to the \"fake updates\" threats landscape - Sekoia.io Blog", "description": "A security analysis of ClearFake, a new malicious JavaScript framework deployed on compromised websites to deliver malware using a drive-by download technique, reveals how the malware is deployed and how it is tracked.", "modified": "2023-11-18T06:02:04.242000", "created": "2023-10-19T06:38:57.397000", "tags": [ "clearfake", "javascript", "september", "appx file", "hijackloader", "appx", "clearfake c2", "iocs", "socgholish", "html page", "next", "august", "raccoon", "vidar", "first", "click", "malware", "bazarbackdoor", "emotet", "danabot", "redline", "remcos", "systembc", "third", "loader", "fakesg", "magniber", "idat loader" ], "references": [ "https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/#h-iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "JavaScript", "display_name": "JavaScript", "target": null }, { "id": "Javascript", "display_name": "Javascript", "target": null }, { "id": "FakeSG", "display_name": "FakeSG", "target": null }, { "id": "Magniber", "display_name": "Magniber", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "HijackLoader", "display_name": "HijackLoader", "target": null }, { "id": "IDAT Loader", "display_name": "IDAT Loader", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "domain": 51, "hostname": 3 }, "indicator_count": 79, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "925 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652cea1ea4d132759b92b269", "name": "ClearFake Malware Analysis | malware-analysis", "description": "Here\u2019s a look at some of the Javascript injections being used in a fake update campaign for Google Chrome, known as SocGholish, which appears to be running from a compromised website.", "modified": "2023-11-15T07:05:53.201000", "created": "2023-10-16T07:45:34.149000", "tags": [ "binance", "wordpress", "clearfake", "wordpress site", "blockchain", "etherhiding", "code", "javascript code", "array", "script", "redline", "amadey", "mask", "june", "possible", "malicious", "javascript", "payload", "july", "analysis", "randy mceoin", "publicwww", "socgholish", "chrome", "fiddler", "download" ], "references": [ "https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16", "https://rmceoin.github.io/malware-analysis/clearfake/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Amadey", "display_name": "Amadey", "target": null } ], "attack_ids": [ { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 4, "FileHash-SHA256": 14, "URL": 7, "domain": 43, "hostname": 1 }, "indicator_count": 74, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "928 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://stats-best.site/fp.php", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://stats-best.site/fp.php", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780265894.303375 }