{
  "type": "URL",
  "indicator": "https://upperdunk.com/mr64.exe",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://upperdunk.com/mr64.exe",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3664276670,
      "indicator": "https://upperdunk.com/mr64.exe",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "65709bceb0c9761d653cad54",
          "name": "Royal Ransomware",
          "description": "",
          "modified": "2023-12-06T16:05:34.404000",
          "created": "2023-12-06T16:05:34.404000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 34,
            "FileHash-MD5": 24,
            "FileHash-SHA1": 24,
            "domain": 131,
            "URL": 4,
            "hostname": 3
          },
          "indicator_count": 220,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "909 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6472edabc5b7b76b62159b6b",
          "name": "Royal Ransomware",
          "description": "recorded future: Royal Ransomware IOCs",
          "modified": "2023-06-27T05:03:10.830000",
          "created": "2023-05-28T05:59:07.275000",
          "tags": [
            "domain",
            "hash",
            "ip address",
            "hashsha256"
          ],
          "references": [
            "Royal Ransomware IOCs.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "royal ransomware",
              "display_name": "royal ransomware",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "akhanafeer",
            "id": "195327",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4,
            "FileHash-MD5": 24,
            "FileHash-SHA1": 24,
            "FileHash-SHA256": 34,
            "domain": 131,
            "hostname": 3
          },
          "indicator_count": 220,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 75,
          "modified_text": "1071 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "64520becfd3f7ba95c144961",
          "name": "Ex-Conti and FIN7 Actors Collaborate with New Backdoor",
          "description": "A new family of malware has been created by developers associated with the cybercriminal group ITG14, IBM Security X-Force has discovered. This is the first in a series of articles on the subject.",
          "modified": "2023-05-03T07:23:24.311000",
          "created": "2023-05-03T07:23:24.311000",
          "tags": [
            "minodo",
            "cobalt strike",
            "minodo loader",
            "itg14",
            "carbanak",
            "pe",
            "lizar toolkit",
            "lizar loader",
            "project nemesis",
            "vidar",
            "batloader",
            "nemesis infostealer",
            "itg23",
            "emotet",
            "toolkit minodo",
            "nemesis",
            "threat intelligence",
            "backdoor attacks",
            "x-force",
            "backdoor",
            "malware",
            "malware analysis",
            "ibm x-force research",
            "data",
            "minodo backdoor",
            "lizar",
            "dave loader",
            "scroll",
            "february",
            "diceloader",
            "royal",
            "stealer",
            "loader",
            "steam",
            "discord",
            "infostealer",
            "exodus",
            "atomic",
            "april",
            "domino",
            "xforce",
            "blackbasta",
            "icedid",
            "ryuk ransomware",
            "copy",
            "fenrir",
            "enumerate"
          ],
          "references": [
            "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-backdoor/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Nemesis",
              "display_name": "Nemesis",
              "target": null
            },
            {
              "id": "Toolkit Minodo",
              "display_name": "Toolkit Minodo",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "ITG23",
              "display_name": "ITG23",
              "target": null
            },
            {
              "id": "Nemesis Infostealer",
              "display_name": "Nemesis Infostealer",
              "target": null
            },
            {
              "id": "Batloader",
              "display_name": "Batloader",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Project Nemesis",
              "display_name": "Project Nemesis",
              "target": null
            },
            {
              "id": "Lizar Loader",
              "display_name": "Lizar Loader",
              "target": null
            },
            {
              "id": "Lizar Toolkit",
              "display_name": "Lizar Toolkit",
              "target": null
            },
            {
              "id": "PE",
              "display_name": "PE",
              "target": null
            },
            {
              "id": "Carbanak",
              "display_name": "Carbanak",
              "target": null
            },
            {
              "id": "ITG14",
              "display_name": "ITG14",
              "target": null
            },
            {
              "id": "Minodo Loader",
              "display_name": "Minodo Loader",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Minodo",
              "display_name": "Minodo",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Healthcare",
            "Financial"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 10,
            "FileHash-MD5": 12,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 9,
            "URL": 2,
            "domain": 2
          },
          "indicator_count": 44,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 187,
          "modified_text": "1126 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "644fe31128d4f1b5fda7b7df",
          "name": "New Backdoor Discovered in Limited Attacks",
          "description": "IBM updated and republished a report on 27 April 2023, revealing the discovery of a new backdoor malware family called MINODO, used in campaigns since late February 2023. All customers are likely to be targeted by the adversaries, and the impact could cause moderate to considerable damage due to data theft and disruption of operations. The initial infection vector could be phishing or malvertising. This threat is still active, and ATI recommends incorporating the hashes and domains into your defense-in-depth strategy to mitigate the risks.",
          "modified": "2023-05-01T16:04:33.456000",
          "created": "2023-05-01T16:04:33.456000",
          "tags": [],
          "references": [
            "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-backdoor/?c=Threat%20Research"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "MINODO BACKDOOR",
              "display_name": "MINODO BACKDOOR",
              "target": null
            },
            {
              "id": "PROJECT NEMESIS infostealer",
              "display_name": "PROJECT NEMESIS infostealer",
              "target": null
            },
            {
              "id": "DAVE LOADER",
              "display_name": "DAVE LOADER",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "eric.ford",
            "id": "42510",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 10,
            "FileHash-MD5": 12,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 9,
            "URL": 2,
            "domain": 2
          },
          "indicator_count": 44,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 130,
          "modified_text": "1128 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "644fbc5d27c5bf5e3080ef10",
          "name": "[IBM] Ex-Conti and FIN7 Actors Collaborate with New Backdoor",
          "description": "",
          "modified": "2023-05-01T13:19:25.164000",
          "created": "2023-05-01T13:19:25.164000",
          "tags": [],
          "references": [
            "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-backdoor/?c=Threat%20Research"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1008",
              "name": "Fallback Channels",
              "display_name": "T1008 - Fallback Channels"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "99gmotor",
            "id": "234776",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 3,
            "domain": 4,
            "FileHash-SHA1": 22,
            "FileHash-MD5": 19,
            "FileHash-SHA256": 16,
            "IPv4": 14,
            "URL": 6
          },
          "indicator_count": 84,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 45,
          "modified_text": "1128 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "643f749657e248df1c3ffe2d",
          "name": "Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor",
          "description": "",
          "modified": "2023-04-19T04:56:54.877000",
          "created": "2023-04-19T04:56:54.877000",
          "tags": [
            "domino",
            "cobalt strike",
            "itg14",
            "carbanak",
            "pe",
            "lizar toolkit",
            "lizar loader",
            "project nemesis",
            "vidar",
            "batloader",
            "nemesis infostealer",
            "itg23",
            "emotet",
            "toolkit domino",
            "nemesis",
            "april",
            "x-force",
            "backdoor",
            "backdoor attacks",
            "malware analysis",
            "threat intelligence",
            "malware",
            "ibm x-force research",
            "data",
            "domino backdoor",
            "lizar",
            "dave loader",
            "domino loader",
            "scroll",
            "february",
            "diceloader",
            "royal",
            "stealer",
            "loader",
            "steam",
            "discord",
            "infostealer",
            "exodus",
            "atomic",
            "xforce",
            "blackbasta",
            "icedid",
            "ryuk ransomware",
            "copy",
            "fenrir",
            "enumerate"
          ],
          "references": [
            "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "April",
              "display_name": "April",
              "target": null
            },
            {
              "id": "Nemesis",
              "display_name": "Nemesis",
              "target": null
            },
            {
              "id": "Toolkit Domino",
              "display_name": "Toolkit Domino",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "ITG23",
              "display_name": "ITG23",
              "target": null
            },
            {
              "id": "Nemesis Infostealer",
              "display_name": "Nemesis Infostealer",
              "target": null
            },
            {
              "id": "Batloader",
              "display_name": "Batloader",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Project Nemesis",
              "display_name": "Project Nemesis",
              "target": null
            },
            {
              "id": "Lizar Loader",
              "display_name": "Lizar Loader",
              "target": null
            },
            {
              "id": "Lizar Toolkit",
              "display_name": "Lizar Toolkit",
              "target": null
            },
            {
              "id": "PE",
              "display_name": "PE",
              "target": null
            },
            {
              "id": "Carbanak",
              "display_name": "Carbanak",
              "target": null
            },
            {
              "id": "ITG14",
              "display_name": "ITG14",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Domino",
              "display_name": "Domino",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Insurance",
            "Manufacturing",
            "Energy",
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": "643f5e082c2f2044df357549",
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 10,
            "FileHash-MD5": 10,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 9,
            "URL": 2,
            "domain": 2
          },
          "indicator_count": 39,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "1140 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "643f5e082c2f2044df357549",
          "name": "Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor",
          "description": "",
          "modified": "2023-04-19T03:20:40.743000",
          "created": "2023-04-19T03:20:40.743000",
          "tags": [
            "domino",
            "cobalt strike",
            "itg14",
            "carbanak",
            "pe",
            "lizar toolkit",
            "lizar loader",
            "project nemesis",
            "vidar",
            "batloader",
            "nemesis infostealer",
            "itg23",
            "emotet",
            "toolkit domino",
            "nemesis",
            "april",
            "x-force",
            "backdoor",
            "backdoor attacks",
            "malware analysis",
            "threat intelligence",
            "malware",
            "ibm x-force research",
            "data",
            "domino backdoor",
            "lizar",
            "dave loader",
            "domino loader",
            "scroll",
            "february",
            "diceloader",
            "royal",
            "stealer",
            "loader",
            "steam",
            "discord",
            "infostealer",
            "exodus",
            "atomic",
            "xforce",
            "blackbasta",
            "icedid",
            "ryuk ransomware",
            "copy",
            "fenrir",
            "enumerate"
          ],
          "references": [
            "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "April",
              "display_name": "April",
              "target": null
            },
            {
              "id": "Nemesis",
              "display_name": "Nemesis",
              "target": null
            },
            {
              "id": "Toolkit Domino",
              "display_name": "Toolkit Domino",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "ITG23",
              "display_name": "ITG23",
              "target": null
            },
            {
              "id": "Nemesis Infostealer",
              "display_name": "Nemesis Infostealer",
              "target": null
            },
            {
              "id": "Batloader",
              "display_name": "Batloader",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Project Nemesis",
              "display_name": "Project Nemesis",
              "target": null
            },
            {
              "id": "Lizar Loader",
              "display_name": "Lizar Loader",
              "target": null
            },
            {
              "id": "Lizar Toolkit",
              "display_name": "Lizar Toolkit",
              "target": null
            },
            {
              "id": "PE",
              "display_name": "PE",
              "target": null
            },
            {
              "id": "Carbanak",
              "display_name": "Carbanak",
              "target": null
            },
            {
              "id": "ITG14",
              "display_name": "ITG14",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Domino",
              "display_name": "Domino",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Insurance",
            "Manufacturing",
            "Energy",
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": "643e73be4333d29ad6c8d393",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 10,
            "FileHash-MD5": 10,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 9,
            "URL": 2,
            "domain": 2
          },
          "indicator_count": 39,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "1140 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "643e9f3e3412254d3ca9423e",
          "name": " Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor",
          "description": "",
          "modified": "2023-04-18T13:46:38.507000",
          "created": "2023-04-18T13:46:38.507000",
          "tags": [
            "domino",
            "cobalt strike",
            "itg14",
            "carbanak",
            "pe",
            "lizar toolkit",
            "lizar loader",
            "project nemesis",
            "vidar",
            "batloader",
            "nemesis infostealer",
            "itg23",
            "emotet",
            "toolkit domino",
            "nemesis",
            "april",
            "x-force",
            "backdoor",
            "backdoor attacks",
            "malware analysis",
            "threat intelligence",
            "malware",
            "ibm x-force research",
            "data",
            "domino backdoor",
            "lizar",
            "dave loader",
            "domino loader",
            "scroll",
            "february",
            "diceloader",
            "royal",
            "stealer",
            "loader",
            "steam",
            "discord",
            "infostealer",
            "exodus",
            "atomic",
            "xforce",
            "blackbasta",
            "icedid",
            "ryuk ransomware",
            "copy",
            "fenrir",
            "enumerate"
          ],
          "references": [
            "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "April",
              "display_name": "April",
              "target": null
            },
            {
              "id": "Nemesis",
              "display_name": "Nemesis",
              "target": null
            },
            {
              "id": "Toolkit Domino",
              "display_name": "Toolkit Domino",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "ITG23",
              "display_name": "ITG23",
              "target": null
            },
            {
              "id": "Nemesis Infostealer",
              "display_name": "Nemesis Infostealer",
              "target": null
            },
            {
              "id": "Batloader",
              "display_name": "Batloader",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Project Nemesis",
              "display_name": "Project Nemesis",
              "target": null
            },
            {
              "id": "Lizar Loader",
              "display_name": "Lizar Loader",
              "target": null
            },
            {
              "id": "Lizar Toolkit",
              "display_name": "Lizar Toolkit",
              "target": null
            },
            {
              "id": "PE",
              "display_name": "PE",
              "target": null
            },
            {
              "id": "Carbanak",
              "display_name": "Carbanak",
              "target": null
            },
            {
              "id": "ITG14",
              "display_name": "ITG14",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Domino",
              "display_name": "Domino",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Insurance",
            "Manufacturing",
            "Energy",
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": "643e73be4333d29ad6c8d393",
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "burtcha15",
            "id": "207697",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 10,
            "FileHash-MD5": 10,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 9,
            "URL": 2,
            "domain": 2
          },
          "indicator_count": 39,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 53,
          "modified_text": "1141 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "643e73be4333d29ad6c8d393",
          "name": "Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor",
          "description": "A new malware family created by developers associated with the Trickbot/Conti syndicate and its former members has been used to load backdoors, according to IBM Security X-Force and other security researchers.",
          "modified": "2023-04-18T10:41:02.013000",
          "created": "2023-04-18T10:41:02.013000",
          "tags": [
            "domino",
            "cobalt strike",
            "itg14",
            "carbanak",
            "pe",
            "lizar toolkit",
            "lizar loader",
            "project nemesis",
            "vidar",
            "batloader",
            "nemesis infostealer",
            "itg23",
            "emotet",
            "toolkit domino",
            "nemesis",
            "april",
            "x-force",
            "backdoor",
            "backdoor attacks",
            "malware analysis",
            "threat intelligence",
            "malware",
            "ibm x-force research",
            "data",
            "domino backdoor",
            "lizar",
            "dave loader",
            "domino loader",
            "scroll",
            "february",
            "diceloader",
            "royal",
            "stealer",
            "loader",
            "steam",
            "discord",
            "infostealer",
            "exodus",
            "atomic",
            "xforce",
            "blackbasta",
            "icedid",
            "ryuk ransomware",
            "copy",
            "fenrir",
            "enumerate"
          ],
          "references": [
            "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "April",
              "display_name": "April",
              "target": null
            },
            {
              "id": "Nemesis",
              "display_name": "Nemesis",
              "target": null
            },
            {
              "id": "Toolkit Domino",
              "display_name": "Toolkit Domino",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "ITG23",
              "display_name": "ITG23",
              "target": null
            },
            {
              "id": "Nemesis Infostealer",
              "display_name": "Nemesis Infostealer",
              "target": null
            },
            {
              "id": "Batloader",
              "display_name": "Batloader",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Project Nemesis",
              "display_name": "Project Nemesis",
              "target": null
            },
            {
              "id": "Lizar Loader",
              "display_name": "Lizar Loader",
              "target": null
            },
            {
              "id": "Lizar Toolkit",
              "display_name": "Lizar Toolkit",
              "target": null
            },
            {
              "id": "PE",
              "display_name": "PE",
              "target": null
            },
            {
              "id": "Carbanak",
              "display_name": "Carbanak",
              "target": null
            },
            {
              "id": "ITG14",
              "display_name": "ITG14",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Domino",
              "display_name": "Domino",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Insurance",
            "Manufacturing",
            "Energy",
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 10,
            "FileHash-MD5": 10,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 9,
            "URL": 2,
            "domain": 2
          },
          "indicator_count": 39,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "1141 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6439c686b241a93f836793bd",
          "name": "Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor",
          "description": "A new malware family created by developers associated with the Trickbot/Conti syndicate and its former members has been used to load backdoors, according to IBM Security X-Force and other security researchers.",
          "modified": "2023-04-14T21:32:54.069000",
          "created": "2023-04-14T21:32:54.069000",
          "tags": [
            "domino",
            "cobalt strike",
            "itg14",
            "carbanak",
            "pe",
            "lizar toolkit",
            "lizar loader",
            "project nemesis",
            "vidar",
            "batloader",
            "nemesis infostealer",
            "itg23",
            "emotet",
            "toolkit domino",
            "nemesis",
            "threat intelligence",
            "malware",
            "ibm x-force research",
            "x-force",
            "malware analysis",
            "backdoor attacks",
            "backdoor",
            "data",
            "domino backdoor",
            "lizar",
            "dave loader",
            "domino loader",
            "scroll",
            "february",
            "diceloader",
            "royal",
            "stealer",
            "loader",
            "steam",
            "discord",
            "infostealer",
            "exodus",
            "atomic",
            "xforce",
            "blackbasta",
            "icedid",
            "ryuk ransomware",
            "copy",
            "fenrir",
            "enumerate"
          ],
          "references": [
            "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Nemesis",
              "display_name": "Nemesis",
              "target": null
            },
            {
              "id": "Toolkit Domino",
              "display_name": "Toolkit Domino",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "ITG23",
              "display_name": "ITG23",
              "target": null
            },
            {
              "id": "Nemesis Infostealer",
              "display_name": "Nemesis Infostealer",
              "target": null
            },
            {
              "id": "Batloader",
              "display_name": "Batloader",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Project Nemesis",
              "display_name": "Project Nemesis",
              "target": null
            },
            {
              "id": "Lizar Loader",
              "display_name": "Lizar Loader",
              "target": null
            },
            {
              "id": "Lizar Toolkit",
              "display_name": "Lizar Toolkit",
              "target": null
            },
            {
              "id": "PE",
              "display_name": "PE",
              "target": null
            },
            {
              "id": "Carbanak",
              "display_name": "Carbanak",
              "target": null
            },
            {
              "id": "ITG14",
              "display_name": "ITG14",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Domino",
              "display_name": "Domino",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Insurance",
            "Manufacturing",
            "Energy",
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Techronik",
            "id": "114546",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 9,
            "FileHash-MD5": 9,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 9,
            "URL": 2,
            "domain": 2
          },
          "indicator_count": 36,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 82,
          "modified_text": "1145 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-backdoor/",
        "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/",
        "Royal Ransomware IOCs.csv",
        "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-backdoor/?c=Threat%20Research"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Project nemesis infostealer",
            "Cobalt strike",
            "Itg23",
            "Toolkit minodo",
            "Lizar loader",
            "Itg14",
            "Pe",
            "Nemesis infostealer",
            "Minodo loader",
            "Vidar",
            "Minodo",
            "Toolkit domino",
            "Nemesis",
            "Domino",
            "Minodo backdoor",
            "April",
            "Emotet",
            "Lizar toolkit",
            "Project nemesis",
            "Carbanak",
            "Dave loader",
            "Batloader",
            "Royal ransomware"
          ],
          "industries": [
            "Insurance",
            "Manufacturing",
            "Healthcare",
            "Energy",
            "Finance",
            "Financial"
          ],
          "unique_indicators": 282
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/upperdunk.com",
    "whois": "http://whois.domaintools.com/upperdunk.com",
    "domain": "upperdunk.com",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "65709bceb0c9761d653cad54",
      "name": "Royal Ransomware",
      "description": "",
      "modified": "2023-12-06T16:05:34.404000",
      "created": "2023-12-06T16:05:34.404000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 34,
        "FileHash-MD5": 24,
        "FileHash-SHA1": 24,
        "domain": 131,
        "URL": 4,
        "hostname": 3
      },
      "indicator_count": 220,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "909 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6472edabc5b7b76b62159b6b",
      "name": "Royal Ransomware",
      "description": "recorded future: Royal Ransomware IOCs",
      "modified": "2023-06-27T05:03:10.830000",
      "created": "2023-05-28T05:59:07.275000",
      "tags": [
        "domain",
        "hash",
        "ip address",
        "hashsha256"
      ],
      "references": [
        "Royal Ransomware IOCs.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "royal ransomware",
          "display_name": "royal ransomware",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "akhanafeer",
        "id": "195327",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4,
        "FileHash-MD5": 24,
        "FileHash-SHA1": 24,
        "FileHash-SHA256": 34,
        "domain": 131,
        "hostname": 3
      },
      "indicator_count": 220,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 75,
      "modified_text": "1071 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "64520becfd3f7ba95c144961",
      "name": "Ex-Conti and FIN7 Actors Collaborate with New Backdoor",
      "description": "A new family of malware has been created by developers associated with the cybercriminal group ITG14, IBM Security X-Force has discovered. This is the first in a series of articles on the subject.",
      "modified": "2023-05-03T07:23:24.311000",
      "created": "2023-05-03T07:23:24.311000",
      "tags": [
        "minodo",
        "cobalt strike",
        "minodo loader",
        "itg14",
        "carbanak",
        "pe",
        "lizar toolkit",
        "lizar loader",
        "project nemesis",
        "vidar",
        "batloader",
        "nemesis infostealer",
        "itg23",
        "emotet",
        "toolkit minodo",
        "nemesis",
        "threat intelligence",
        "backdoor attacks",
        "x-force",
        "backdoor",
        "malware",
        "malware analysis",
        "ibm x-force research",
        "data",
        "minodo backdoor",
        "lizar",
        "dave loader",
        "scroll",
        "february",
        "diceloader",
        "royal",
        "stealer",
        "loader",
        "steam",
        "discord",
        "infostealer",
        "exodus",
        "atomic",
        "april",
        "domino",
        "xforce",
        "blackbasta",
        "icedid",
        "ryuk ransomware",
        "copy",
        "fenrir",
        "enumerate"
      ],
      "references": [
        "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-backdoor/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Nemesis",
          "display_name": "Nemesis",
          "target": null
        },
        {
          "id": "Toolkit Minodo",
          "display_name": "Toolkit Minodo",
          "target": null
        },
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "ITG23",
          "display_name": "ITG23",
          "target": null
        },
        {
          "id": "Nemesis Infostealer",
          "display_name": "Nemesis Infostealer",
          "target": null
        },
        {
          "id": "Batloader",
          "display_name": "Batloader",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Project Nemesis",
          "display_name": "Project Nemesis",
          "target": null
        },
        {
          "id": "Lizar Loader",
          "display_name": "Lizar Loader",
          "target": null
        },
        {
          "id": "Lizar Toolkit",
          "display_name": "Lizar Toolkit",
          "target": null
        },
        {
          "id": "PE",
          "display_name": "PE",
          "target": null
        },
        {
          "id": "Carbanak",
          "display_name": "Carbanak",
          "target": null
        },
        {
          "id": "ITG14",
          "display_name": "ITG14",
          "target": null
        },
        {
          "id": "Minodo Loader",
          "display_name": "Minodo Loader",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Minodo",
          "display_name": "Minodo",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Healthcare",
        "Financial"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 10,
        "FileHash-MD5": 12,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 9,
        "URL": 2,
        "domain": 2
      },
      "indicator_count": 44,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 187,
      "modified_text": "1126 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "644fe31128d4f1b5fda7b7df",
      "name": "New Backdoor Discovered in Limited Attacks",
      "description": "IBM updated and republished a report on 27 April 2023, revealing the discovery of a new backdoor malware family called MINODO, used in campaigns since late February 2023. All customers are likely to be targeted by the adversaries, and the impact could cause moderate to considerable damage due to data theft and disruption of operations. The initial infection vector could be phishing or malvertising. This threat is still active, and ATI recommends incorporating the hashes and domains to your defense-in-depth strategy to mitigate the risks.",
      "modified": "2023-05-01T16:04:33.456000",
      "created": "2023-05-01T16:04:33.456000",
      "tags": [],
      "references": [
        "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-backdoor/?c=Threat%20Research"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "MINODO BACKDOOR",
          "display_name": "MINODO BACKDOOR",
          "target": null
        },
        {
          "id": "PROJECT NEMESIS infostealer",
          "display_name": "PROJECT NEMESIS infostealer",
          "target": null
        },
        {
          "id": "DAVE LOADER",
          "display_name": "DAVE LOADER",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "eric.ford",
        "id": "42510",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 10,
        "FileHash-MD5": 12,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 9,
        "URL": 2,
        "domain": 2
      },
      "indicator_count": 44,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 130,
      "modified_text": "1128 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "644fbc5d27c5bf5e3080ef10",
      "name": "[IBM] Ex-Conti and FIN7 Actors Collaborate with New Backdoor",
      "description": "",
      "modified": "2023-05-01T13:19:25.164000",
      "created": "2023-05-01T13:19:25.164000",
      "tags": [],
      "references": [
        "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-backdoor/?c=Threat%20Research"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1008",
          "name": "Fallback Channels",
          "display_name": "T1008 - Fallback Channels"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "99gmotor",
        "id": "234776",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 3,
        "domain": 4,
        "FileHash-SHA1": 22,
        "FileHash-MD5": 19,
        "FileHash-SHA256": 16,
        "IPv4": 14,
        "URL": 6
      },
      "indicator_count": 84,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 45,
      "modified_text": "1128 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "643f749657e248df1c3ffe2d",
      "name": "Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor",
      "description": "",
      "modified": "2023-04-19T04:56:54.877000",
      "created": "2023-04-19T04:56:54.877000",
      "tags": [
        "domino",
        "cobalt strike",
        "itg14",
        "carbanak",
        "pe",
        "lizar toolkit",
        "lizar loader",
        "project nemesis",
        "vidar",
        "batloader",
        "nemesis infostealer",
        "itg23",
        "emotet",
        "toolkit domino",
        "nemesis",
        "april",
        "x-force",
        "backdoor",
        "backdoor attacks",
        "malware analysis",
        "threat intelligence",
        "malware",
        "ibm x-force research",
        "data",
        "domino backdoor",
        "lizar",
        "dave loader",
        "domino loader",
        "scroll",
        "february",
        "diceloader",
        "royal",
        "stealer",
        "loader",
        "steam",
        "discord",
        "infostealer",
        "exodus",
        "atomic",
        "xforce",
        "blackbasta",
        "icedid",
        "ryuk ransomware",
        "copy",
        "fenrir",
        "enumerate"
      ],
      "references": [
        "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "April",
          "display_name": "April",
          "target": null
        },
        {
          "id": "Nemesis",
          "display_name": "Nemesis",
          "target": null
        },
        {
          "id": "Toolkit Domino",
          "display_name": "Toolkit Domino",
          "target": null
        },
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "ITG23",
          "display_name": "ITG23",
          "target": null
        },
        {
          "id": "Nemesis Infostealer",
          "display_name": "Nemesis Infostealer",
          "target": null
        },
        {
          "id": "Batloader",
          "display_name": "Batloader",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Project Nemesis",
          "display_name": "Project Nemesis",
          "target": null
        },
        {
          "id": "Lizar Loader",
          "display_name": "Lizar Loader",
          "target": null
        },
        {
          "id": "Lizar Toolkit",
          "display_name": "Lizar Toolkit",
          "target": null
        },
        {
          "id": "PE",
          "display_name": "PE",
          "target": null
        },
        {
          "id": "Carbanak",
          "display_name": "Carbanak",
          "target": null
        },
        {
          "id": "ITG14",
          "display_name": "ITG14",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Domino",
          "display_name": "Domino",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1495",
          "name": "Firmware Corruption",
          "display_name": "T1495 - Firmware Corruption"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Insurance",
        "Manufacturing",
        "Energy",
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": "643f5e082c2f2044df357549",
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 10,
        "FileHash-MD5": 10,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 9,
        "URL": 2,
        "domain": 2
      },
      "indicator_count": 39,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "1140 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "643f5e082c2f2044df357549",
      "name": "Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor",
      "description": "",
      "modified": "2023-04-19T03:20:40.743000",
      "created": "2023-04-19T03:20:40.743000",
      "tags": [
        "domino",
        "cobalt strike",
        "itg14",
        "carbanak",
        "pe",
        "lizar toolkit",
        "lizar loader",
        "project nemesis",
        "vidar",
        "batloader",
        "nemesis infostealer",
        "itg23",
        "emotet",
        "toolkit domino",
        "nemesis",
        "april",
        "x-force",
        "backdoor",
        "backdoor attacks",
        "malware analysis",
        "threat intelligence",
        "malware",
        "ibm x-force research",
        "data",
        "domino backdoor",
        "lizar",
        "dave loader",
        "domino loader",
        "scroll",
        "february",
        "diceloader",
        "royal",
        "stealer",
        "loader",
        "steam",
        "discord",
        "infostealer",
        "exodus",
        "atomic",
        "xforce",
        "blackbasta",
        "icedid",
        "ryuk ransomware",
        "copy",
        "fenrir",
        "enumerate"
      ],
      "references": [
        "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "April",
          "display_name": "April",
          "target": null
        },
        {
          "id": "Nemesis",
          "display_name": "Nemesis",
          "target": null
        },
        {
          "id": "Toolkit Domino",
          "display_name": "Toolkit Domino",
          "target": null
        },
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "ITG23",
          "display_name": "ITG23",
          "target": null
        },
        {
          "id": "Nemesis Infostealer",
          "display_name": "Nemesis Infostealer",
          "target": null
        },
        {
          "id": "Batloader",
          "display_name": "Batloader",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Project Nemesis",
          "display_name": "Project Nemesis",
          "target": null
        },
        {
          "id": "Lizar Loader",
          "display_name": "Lizar Loader",
          "target": null
        },
        {
          "id": "Lizar Toolkit",
          "display_name": "Lizar Toolkit",
          "target": null
        },
        {
          "id": "PE",
          "display_name": "PE",
          "target": null
        },
        {
          "id": "Carbanak",
          "display_name": "Carbanak",
          "target": null
        },
        {
          "id": "ITG14",
          "display_name": "ITG14",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Domino",
          "display_name": "Domino",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1495",
          "name": "Firmware Corruption",
          "display_name": "T1495 - Firmware Corruption"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Insurance",
        "Manufacturing",
        "Energy",
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": "643e73be4333d29ad6c8d393",
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 10,
        "FileHash-MD5": 10,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 9,
        "URL": 2,
        "domain": 2
      },
      "indicator_count": 39,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 186,
      "modified_text": "1140 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "643e9f3e3412254d3ca9423e",
      "name": " Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor",
      "description": "",
      "modified": "2023-04-18T13:46:38.507000",
      "created": "2023-04-18T13:46:38.507000",
      "tags": [
        "domino",
        "cobalt strike",
        "itg14",
        "carbanak",
        "pe",
        "lizar toolkit",
        "lizar loader",
        "project nemesis",
        "vidar",
        "batloader",
        "nemesis infostealer",
        "itg23",
        "emotet",
        "toolkit domino",
        "nemesis",
        "april",
        "x-force",
        "backdoor",
        "backdoor attacks",
        "malware analysis",
        "threat intelligence",
        "malware",
        "ibm x-force research",
        "data",
        "domino backdoor",
        "lizar",
        "dave loader",
        "domino loader",
        "scroll",
        "february",
        "diceloader",
        "royal",
        "stealer",
        "loader",
        "steam",
        "discord",
        "infostealer",
        "exodus",
        "atomic",
        "xforce",
        "blackbasta",
        "icedid",
        "ryuk ransomware",
        "copy",
        "fenrir",
        "enumerate"
      ],
      "references": [
        "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "April",
          "display_name": "April",
          "target": null
        },
        {
          "id": "Nemesis",
          "display_name": "Nemesis",
          "target": null
        },
        {
          "id": "Toolkit Domino",
          "display_name": "Toolkit Domino",
          "target": null
        },
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "ITG23",
          "display_name": "ITG23",
          "target": null
        },
        {
          "id": "Nemesis Infostealer",
          "display_name": "Nemesis Infostealer",
          "target": null
        },
        {
          "id": "Batloader",
          "display_name": "Batloader",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Project Nemesis",
          "display_name": "Project Nemesis",
          "target": null
        },
        {
          "id": "Lizar Loader",
          "display_name": "Lizar Loader",
          "target": null
        },
        {
          "id": "Lizar Toolkit",
          "display_name": "Lizar Toolkit",
          "target": null
        },
        {
          "id": "PE",
          "display_name": "PE",
          "target": null
        },
        {
          "id": "Carbanak",
          "display_name": "Carbanak",
          "target": null
        },
        {
          "id": "ITG14",
          "display_name": "ITG14",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Domino",
          "display_name": "Domino",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1495",
          "name": "Firmware Corruption",
          "display_name": "T1495 - Firmware Corruption"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Insurance",
        "Manufacturing",
        "Energy",
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": "643e73be4333d29ad6c8d393",
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "burtcha15",
        "id": "207697",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 10,
        "FileHash-MD5": 10,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 9,
        "URL": 2,
        "domain": 2
      },
      "indicator_count": 39,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 53,
      "modified_text": "1141 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "643e73be4333d29ad6c8d393",
      "name": "Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor",
      "description": "A new malware family created by developers associated with the Trickbot/Conti syndicate and its former members has been used to load backdoors, according to IBM Security X-Force and other security researchers.",
      "modified": "2023-04-18T10:41:02.013000",
      "created": "2023-04-18T10:41:02.013000",
      "tags": [
        "domino",
        "cobalt strike",
        "itg14",
        "carbanak",
        "pe",
        "lizar toolkit",
        "lizar loader",
        "project nemesis",
        "vidar",
        "batloader",
        "nemesis infostealer",
        "itg23",
        "emotet",
        "toolkit domino",
        "nemesis",
        "april",
        "x-force",
        "backdoor",
        "backdoor attacks",
        "malware analysis",
        "threat intelligence",
        "malware",
        "ibm x-force research",
        "data",
        "domino backdoor",
        "lizar",
        "dave loader",
        "domino loader",
        "scroll",
        "february",
        "diceloader",
        "royal",
        "stealer",
        "loader",
        "steam",
        "discord",
        "infostealer",
        "exodus",
        "atomic",
        "xforce",
        "blackbasta",
        "icedid",
        "ryuk ransomware",
        "copy",
        "fenrir",
        "enumerate"
      ],
      "references": [
        "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "April",
          "display_name": "April",
          "target": null
        },
        {
          "id": "Nemesis",
          "display_name": "Nemesis",
          "target": null
        },
        {
          "id": "Toolkit Domino",
          "display_name": "Toolkit Domino",
          "target": null
        },
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "ITG23",
          "display_name": "ITG23",
          "target": null
        },
        {
          "id": "Nemesis Infostealer",
          "display_name": "Nemesis Infostealer",
          "target": null
        },
        {
          "id": "Batloader",
          "display_name": "Batloader",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Project Nemesis",
          "display_name": "Project Nemesis",
          "target": null
        },
        {
          "id": "Lizar Loader",
          "display_name": "Lizar Loader",
          "target": null
        },
        {
          "id": "Lizar Toolkit",
          "display_name": "Lizar Toolkit",
          "target": null
        },
        {
          "id": "PE",
          "display_name": "PE",
          "target": null
        },
        {
          "id": "Carbanak",
          "display_name": "Carbanak",
          "target": null
        },
        {
          "id": "ITG14",
          "display_name": "ITG14",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Domino",
          "display_name": "Domino",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1495",
          "name": "Firmware Corruption",
          "display_name": "T1495 - Firmware Corruption"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Insurance",
        "Manufacturing",
        "Energy",
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 10,
        "FileHash-MD5": 10,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 9,
        "URL": 2,
        "domain": 2
      },
      "indicator_count": 39,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "1141 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6439c686b241a93f836793bd",
      "name": "Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor",
      "description": "A new malware family created by developers associated with the Trickbot/Conti syndicate and its former members has been used to load backdoors, according to IBM Security X-Force and other security researchers.",
      "modified": "2023-04-14T21:32:54.069000",
      "created": "2023-04-14T21:32:54.069000",
      "tags": [
        "domino",
        "cobalt strike",
        "itg14",
        "carbanak",
        "pe",
        "lizar toolkit",
        "lizar loader",
        "project nemesis",
        "vidar",
        "batloader",
        "nemesis infostealer",
        "itg23",
        "emotet",
        "toolkit domino",
        "nemesis",
        "threat intelligence",
        "malware",
        "ibm x-force research",
        "x-force",
        "malware analysis",
        "backdoor attacks",
        "backdoor",
        "data",
        "domino backdoor",
        "lizar",
        "dave loader",
        "domino loader",
        "scroll",
        "february",
        "diceloader",
        "royal",
        "stealer",
        "loader",
        "steam",
        "discord",
        "infostealer",
        "exodus",
        "atomic",
        "xforce",
        "blackbasta",
        "icedid",
        "ryuk ransomware",
        "copy",
        "fenrir",
        "enumerate"
      ],
      "references": [
        "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Nemesis",
          "display_name": "Nemesis",
          "target": null
        },
        {
          "id": "Toolkit Domino",
          "display_name": "Toolkit Domino",
          "target": null
        },
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "ITG23",
          "display_name": "ITG23",
          "target": null
        },
        {
          "id": "Nemesis Infostealer",
          "display_name": "Nemesis Infostealer",
          "target": null
        },
        {
          "id": "Batloader",
          "display_name": "Batloader",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Project Nemesis",
          "display_name": "Project Nemesis",
          "target": null
        },
        {
          "id": "Lizar Loader",
          "display_name": "Lizar Loader",
          "target": null
        },
        {
          "id": "Lizar Toolkit",
          "display_name": "Lizar Toolkit",
          "target": null
        },
        {
          "id": "PE",
          "display_name": "PE",
          "target": null
        },
        {
          "id": "Carbanak",
          "display_name": "Carbanak",
          "target": null
        },
        {
          "id": "ITG14",
          "display_name": "ITG14",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Domino",
          "display_name": "Domino",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1495",
          "name": "Firmware Corruption",
          "display_name": "T1495 - Firmware Corruption"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Insurance",
        "Manufacturing",
        "Energy",
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Techronik",
        "id": "114546",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 9,
        "FileHash-MD5": 9,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 9,
        "URL": 2,
        "domain": 2
      },
      "indicator_count": 36,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 82,
      "modified_text": "1145 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://upperdunk.com/mr64.exe",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://upperdunk.com/mr64.exe",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780438900.2530158
}