{
  "type": "URL",
  "indicator": "https://whatswit.com/",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://whatswit.com/",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3635969210,
      "indicator": "https://whatswit.com/",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "6418d1d8e58faed94f6c05e7",
          "name": "ACTIVIDAD MALICIOSA | relacionada con Gozi 20-03-2023",
          "description": "En 2006, se observ\u00f3 por primera vez Gozi v1.0 ('Gozi CRM', tambi\u00e9n conocido como 'CRM'), tambi\u00e9n conocido como Papras.\nSe ofreci\u00f3 como CaaS, conocido como 76Service. Esta primera versi\u00f3n de Gozi fue desarrollada por Nikita Kuzmin, y tom\u00f3 prestado el c\u00f3digo de Ursnif, tambi\u00e9n conocido como Snifula, un spyware desarrollado por Alexey Ivanov alrededor del a\u00f1o 2000, y algunos otros kits. Gozi v1.0 ten\u00eda un m\u00f3dulo formgrabber y, a menudo, se clasifica como Ursnif, tambi\u00e9n conocido como Snifula.",
          "modified": "2023-04-19T21:04:45.711000",
          "created": "2023-03-20T21:36:24.851000",
          "tags": [
            "t1060",
            "run keys",
            "start",
            "folder",
            "t1053",
            "t1089",
            "security tools",
            "t1107",
            "t1056",
            "t1001",
            "jameswtmht",
            "ursnif",
            "gozi",
            "ursnif zip",
            "gozi isfb",
            "mef mise",
            "gozi ita",
            "ita mef",
            "ita ursnif",
            "gozi smb",
            "virusdeck"
          ],
          "references": [
            "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi",
            "https://threatfox.abuse.ch/browse/malware/win.gozi/",
            "https://bazaar.abuse.ch/browse.php?search=signature%3AGozi",
            "www.alertasyseguridad.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1107",
              "name": "File Deletion",
              "display_name": "T1107 - File Deletion"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1116",
              "name": "Code Signing",
              "display_name": "T1116 - Code Signing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "esoporteingenieria2020",
            "id": "121604",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 9,
            "FileHash-MD5": 66,
            "FileHash-SHA1": 66,
            "FileHash-SHA256": 164,
            "domain": 1
          },
          "indicator_count": 306,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 266,
          "modified_text": "1140 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "63f6aff3bf8be3af512b2716",
          "name": "URLHaus data - 22-02-2023",
          "description": "",
          "modified": "2023-04-13T13:14:08.076000",
          "created": "2023-02-23T00:14:43.819000",
          "tags": [
            "32-bit",
            "elf",
            "mips",
            "Mozi",
            "arm",
            "hajime",
            "mirai",
            "Gamaredon",
            "geofenced",
            "hta",
            "x86-32",
            "ddos",
            "dll",
            "32",
            "renesas",
            "cryptbot",
            "motorola",
            "sparc",
            "intel",
            "PowerPC",
            "Stealc",
            "dropped-by-PrivateLoader",
            "script",
            "Qakbot",
            "qbot",
            "Quakbot",
            "USA",
            "encrypted",
            "RedLine",
            "ascii",
            "Encoded",
            "opendir",
            "Vidar",
            "doc",
            "AgentTesla",
            "exe",
            "Formbook",
            "SocGholish",
            "njRAT",
            "dropped-by-amadey",
            "PowerShellDiscordKeyLogger",
            "obama241",
            "gcleaner",
            "Rhadamanthys",
            "Socelars",
            "Loki",
            "IcedID",
            "RTF",
            "rat",
            "RemcosRAT",
            "zip",
            "1234",
            "Password-protected",
            "AveMariaRAT",
            "botsant",
            "hacktool",
            "kit",
            "phishing",
            "xloader",
            "GuLoader",
            "geo-fence",
            "Gozi",
            "ISFB",
            "ITA",
            "ursnif",
            "SnakeKeylogger",
            "Smoke Loader",
            "eex",
            "DDoS Bot",
            "AuroraStealer",
            "orcusrat",
            "chm",
            "vbs",
            "rar",
            "bat"
          ],
          "references": [
            "https://urlhaus.abuse.ch/browse/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1000,
            "hostname": 11,
            "domain": 28
          },
          "indicator_count": 1039,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1624,
          "modified_text": "1146 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://bazaar.abuse.ch/browse.php?search=signature%3AGozi",
        "www.alertasyseguridad.com",
        "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi",
        "https://urlhaus.abuse.ch/browse/",
        "https://threatfox.abuse.ch/browse/malware/win.gozi/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 1641
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/whatswit.com",
    "whois": "http://whois.domaintools.com/whatswit.com",
    "domain": "whatswit.com",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "6418d1d8e58faed94f6c05e7",
      "name": "ACTIVIDAD MALICIOSA | relacionada con Gozi 20-03-2023",
      "description": "En 2006, se observ\u00f3 por primera vez Gozi v1.0 ('Gozi CRM', tambi\u00e9n conocido como 'CRM'), tambi\u00e9n conocido como Papras.\nSe ofreci\u00f3 como CaaS, conocido como 76Service. Esta primera versi\u00f3n de Gozi fue desarrollada por Nikita Kuzmin, y tom\u00f3 prestado el c\u00f3digo de Ursnif, tambi\u00e9n conocido como Snifula, un spyware desarrollado por Alexey Ivanov alrededor del a\u00f1o 2000, y algunos otros kits. Gozi v1.0 ten\u00eda un m\u00f3dulo formgrabber y, a menudo, se clasifica como Ursnif, tambi\u00e9n conocido como Snifula.",
      "modified": "2023-04-19T21:04:45.711000",
      "created": "2023-03-20T21:36:24.851000",
      "tags": [
        "t1060",
        "run keys",
        "start",
        "folder",
        "t1053",
        "t1089",
        "security tools",
        "t1107",
        "t1056",
        "t1001",
        "jameswtmht",
        "ursnif",
        "gozi",
        "ursnif zip",
        "gozi isfb",
        "mef mise",
        "gozi ita",
        "ita mef",
        "ita ursnif",
        "gozi smb",
        "virusdeck"
      ],
      "references": [
        "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi",
        "https://threatfox.abuse.ch/browse/malware/win.gozi/",
        "https://bazaar.abuse.ch/browse.php?search=signature%3AGozi",
        "www.alertasyseguridad.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1089",
          "name": "Disabling Security Tools",
          "display_name": "T1089 - Disabling Security Tools"
        },
        {
          "id": "T1107",
          "name": "File Deletion",
          "display_name": "T1107 - File Deletion"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1116",
          "name": "Code Signing",
          "display_name": "T1116 - Code Signing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "esoporteingenieria2020",
        "id": "121604",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 9,
        "FileHash-MD5": 66,
        "FileHash-SHA1": 66,
        "FileHash-SHA256": 164,
        "domain": 1
      },
      "indicator_count": 306,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 266,
      "modified_text": "1140 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "63f6aff3bf8be3af512b2716",
      "name": "URLHaus data - 22-02-2023",
      "description": "",
      "modified": "2023-04-13T13:14:08.076000",
      "created": "2023-02-23T00:14:43.819000",
      "tags": [
        "32-bit",
        "elf",
        "mips",
        "Mozi",
        "arm",
        "hajime",
        "mirai",
        "Gamaredon",
        "geofenced",
        "hta",
        "x86-32",
        "ddos",
        "dll",
        "32",
        "renesas",
        "cryptbot",
        "motorola",
        "sparc",
        "intel",
        "PowerPC",
        "Stealc",
        "dropped-by-PrivateLoader",
        "script",
        "Qakbot",
        "qbot",
        "Quakbot",
        "USA",
        "encrypted",
        "RedLine",
        "ascii",
        "Encoded",
        "opendir",
        "Vidar",
        "doc",
        "AgentTesla",
        "exe",
        "Formbook",
        "SocGholish",
        "njRAT",
        "dropped-by-amadey",
        "PowerShellDiscordKeyLogger",
        "obama241",
        "gcleaner",
        "Rhadamanthys",
        "Socelars",
        "Loki",
        "IcedID",
        "RTF",
        "rat",
        "RemcosRAT",
        "zip",
        "1234",
        "Password-protected",
        "AveMariaRAT",
        "botsant",
        "hacktool",
        "kit",
        "phishing",
        "xloader",
        "GuLoader",
        "geo-fence",
        "Gozi",
        "ISFB",
        "ITA",
        "ursnif",
        "SnakeKeylogger",
        "Smoke Loader",
        "eex",
        "DDoS Bot",
        "AuroraStealer",
        "orcusrat",
        "chm",
        "vbs",
        "rar",
        "bat"
      ],
      "references": [
        "https://urlhaus.abuse.ch/browse/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1000,
        "hostname": 11,
        "domain": 28
      },
      "indicator_count": 1039,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1624,
      "modified_text": "1146 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://whatswit.com/",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://whatswit.com/",
    "type": "URL",
    "found": true,
    "verdict": "malicious",
    "url_status": "offline",
    "threat": "malware_download",
    "tags": [
      "geo-fence",
      "Gozi",
      "ISFB",
      "ITA",
      "ursnif"
    ],
    "date_added": "2023-02-22",
    "last_online": "",
    "reporter": "pr0xylife",
    "host": "whatswit.com",
    "payloads": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780460756.3118687
}