{ "type": "URL", "indicator": "https://t.co/jitkZ", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://t.co/jitkZ", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #286", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #331", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain t.co", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain t.co", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3688634385, "indicator": "https://t.co/jitkZ", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6475bd90ede599de179fda3b", "name": "Operation Magalenha | Long-Running Campaign Pursues Portuguese Credentials and PII - SentinelOne", "description": "A Brazilian threat group has been targeting Portuguese financial institutions, including government, government-backed and private institutions in the first quarter of 2023, according to research conducted by SentinelLabs, a UK-based security firm.", "modified": "2023-06-29T09:02:39.482000", "created": "2023-05-30T09:10:40.475000", "tags": [ "peepingtitle", "timeweb cloud", "digitalocean", "online banking", "c2 server", "timeweb", "iaas provider", "ttps", "portugal", "google chrome", "code", "delphi", "april", "bank", "example" ], "references": [ "https://www.sentinelone.com/labs/operation-magalenha-long-running-campaign-pursues-portuguese-credentials-and-pii/" ], "public": 1, "adversary": "", "targeted_countries": [ "Spain", "Portugal" ], "malware_families": [ { "id": "Timeweb Cloud", "display_name": "Timeweb Cloud", "target": null }, { "id": "PeepingTitle", "display_name": "PeepingTitle", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Financial", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 27, "domain": 1, "URL": 85, "FileHash-MD5": 81, "FileHash-SHA1": 106, "FileHash-SHA256": 81 }, "indicator_count": 381, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "1069 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6475c4f9dcffb720e9c7a305", "name": "Kimsuky | Ongoing Campaign Using Tailored Reconnaissance Toolkit - SentinelOne", "description": "North Korea-focused information services, human rights activists and defectors in relation to North Korea are the target of an ongoing campaign by a suspected North Korean advanced persistent threat group, according to SentinelLabs.", "modified": "2023-05-30T09:42:17.761000", "created": "2023-05-30T09:42:17.761000", "tags": [ "kimsuky", "randomquery", "vbscript randomquery", "tlds", "north korea", "korean", "vb script", "chm file", "userprofile", "c2 server", "program files", "daum", "desktop" ], "references": [ "https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [ "Korea, Democratic People's Republic of" ], "malware_families": [ { "id": "VBScript RandomQuery", "display_name": "VBScript RandomQuery", "target": null }, { "id": "RandomQuery", "display_name": "RandomQuery", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Human Rights" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 1, "URL": 4, "FileHash-MD5": 5, "FileHash-SHA1": 6, "FileHash-SHA256": 5, "domain": 16, "hostname": 1 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "1099 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6475bf865f5279511b5a830c", "name": "New Version Of Apostle Ransomware Reemerges In Targeted Attack On Higher Education - SentinelOne", "description": "SentinelLabs has identified a new version of the Apostle ransomware, which was used in a targeted attack on the Israeli university Bar-Ilan on August 15, 2021, and how it handles the payload.", "modified": "2023-05-30T09:19:02.057000", "created": "2023-05-30T09:19:02.057000", "tags": [ "apostle", "agrius", "macos", "orcusrat", "jennlog", "sentinellabs", "august", "apostle payload", "jennlog loader", "agrius malware", "iran", "decoy", "loader", "virustotal", "june" ], "references": [ "https://www.sentinelone.com/labs/new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "OrcusRAT", "display_name": "OrcusRAT", "target": null }, { "id": "macOS", "display_name": "macOS", "target": null }, { "id": "Agrius", "display_name": "Agrius", "target": null }, { "id": "Apostle", "display_name": "Apostle", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1099 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/", "https://www.sentinelone.com/labs/operation-magalenha-long-running-campaign-pursues-portuguese-credentials-and-pii/", "https://www.sentinelone.com/labs/new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Kimsuky" ], "malware_families": [ "Timeweb cloud", "Agrius", "Vbscript randomquery", "Kimsuky", "Orcusrat", "Peepingtitle", "Randomquery", "Apostle", "Macos" ], "industries": [ "Government", "Human rights", "Financial" ], "unique_indicators": 451 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/t.co", "whois": "http://whois.domaintools.com/t.co", "domain": "t.co", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6475bd90ede599de179fda3b", "name": "Operation Magalenha | Long-Running Campaign Pursues Portuguese Credentials and PII - SentinelOne", "description": "A Brazilian threat group has been targeting Portuguese financial institutions, including government, government-backed and private institutions in the first quarter of 2023, according to research conducted by SentinelLabs, a UK-based security firm.", "modified": "2023-06-29T09:02:39.482000", "created": "2023-05-30T09:10:40.475000", "tags": [ "peepingtitle", "timeweb cloud", "digitalocean", "online banking", "c2 server", "timeweb", "iaas provider", "ttps", "portugal", "google chrome", "code", "delphi", "april", "bank", "example" ], "references": [ "https://www.sentinelone.com/labs/operation-magalenha-long-running-campaign-pursues-portuguese-credentials-and-pii/" ], "public": 1, "adversary": "", "targeted_countries": [ "Spain", "Portugal" ], "malware_families": [ { "id": "Timeweb Cloud", "display_name": "Timeweb Cloud", "target": null }, { "id": "PeepingTitle", "display_name": "PeepingTitle", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Financial", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 27, "domain": 1, "URL": 85, "FileHash-MD5": 81, "FileHash-SHA1": 106, "FileHash-SHA256": 81 }, "indicator_count": 381, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "1069 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6475c4f9dcffb720e9c7a305", "name": "Kimsuky | Ongoing Campaign Using Tailored Reconnaissance Toolkit - SentinelOne", "description": "North Korea-focused information services, human rights activists and defectors in relation to North Korea are the target of an ongoing campaign by a suspected North Korean advanced persistent threat group, according to SentinelLabs.", "modified": "2023-05-30T09:42:17.761000", "created": "2023-05-30T09:42:17.761000", "tags": [ "kimsuky", "randomquery", "vbscript randomquery", "tlds", "north korea", "korean", "vb script", "chm file", "userprofile", "c2 server", "program files", "daum", "desktop" ], "references": [ "https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/" ], "public": 1, "adversary": "Kimsuky", "targeted_countries": [ "Korea, Democratic People's Republic of" ], "malware_families": [ { "id": "VBScript RandomQuery", "display_name": "VBScript RandomQuery", "target": null }, { "id": "RandomQuery", "display_name": "RandomQuery", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Human Rights" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 1, "URL": 4, "FileHash-MD5": 5, "FileHash-SHA1": 6, "FileHash-SHA256": 5, "domain": 16, "hostname": 1 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "1099 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6475bf865f5279511b5a830c", "name": "New Version Of Apostle Ransomware Reemerges In Targeted Attack On Higher Education - SentinelOne", "description": "SentinelLabs has identified a new version of the Apostle ransomware, which was used in a targeted attack on the Israeli university Bar-Ilan on August 15, 2021, and how it handles the payload.", "modified": "2023-05-30T09:19:02.057000", "created": "2023-05-30T09:19:02.057000", "tags": [ "apostle", "agrius", "macos", "orcusrat", "jennlog", "sentinellabs", "august", "apostle payload", "jennlog loader", "agrius malware", "iran", "decoy", "loader", "virustotal", "june" ], "references": [ "https://www.sentinelone.com/labs/new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "OrcusRAT", "display_name": "OrcusRAT", "target": null }, { "id": "macOS", "display_name": "macOS", "target": null }, { "id": "Agrius", "display_name": "Agrius", "target": null }, { "id": "Apostle", "display_name": "Apostle", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1099 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://t.co/jitkZ", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://t.co/jitkZ", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780421170.4982057 }