{
  "type": "URL",
  "indicator": "https://www.behejbrno.com/wp-json/",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://www.behejbrno.com/wp-json/",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3939187417,
      "indicator": "https://www.behejbrno.com/wp-json/",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 1,
      "pulses": [
        {
          "id": "66b878d22e70b331adf96ada",
          "name": "Cryptowall affecting Social Media and other Enterprise Resources",
          "description": "*Cryptowall\nby Malpedia\nCryptoWall is ransomware that is usually spread by spam and phishing emails, malicious ads, hacked websites, or other malware, and uses a Trojan horse to deliver the malicious payload.\n\nCryptowall\nUpdated 8 days ago by Malpedia\ntrusted CryptoWall is ransomware that is usually spread by spam and phishing emails, malicious ads, hacked websites, or other malware, and uses a Trojan horse to deliver the malicious payload.",
          "modified": "2024-09-10T07:03:46.003000",
          "created": "2024-08-11T08:39:46.489000",
          "tags": [
            "default",
            "msie",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "cryptowall",
            "malware beacon",
            "show",
            "inprocserver32",
            "suspicious",
            "copy",
            "write",
            "unknown",
            "malware",
            "main",
            "look",
            "install",
            "pe features",
            "network icmp",
            "creates exe",
            "packer entropy",
            "injection runpe",
            "dumped buffer",
            "allocates rwx",
            "exe appdata",
            "pe unknown",
            "resource name",
            "dynamicloader",
            "medium",
            "high",
            "passive dns",
            "urls",
            "domain",
            "creation date",
            "ransom",
            "date",
            "next",
            "scan endpoints",
            "all scoreblue",
            "hostname",
            "historical ssl",
            "referrer",
            "pe file",
            "downloads",
            "http route",
            "found",
            "logon autostart",
            "execution t1547",
            "registry run",
            "keys",
            "startup folder",
            "system process",
            "window",
            "post http",
            "response",
            "get https",
            "cachecontrol",
            "pragma nocache",
            "accept",
            "cnr3 cus",
            "number",
            "subject",
            "user",
            "runtime modules",
            "samplepath",
            "userprofile",
            "signals mutexes",
            "appdata",
            "local",
            "temp",
            "rarsfx0",
            "iconcacheinit",
            "mutexes",
            "defaulttabtip",
            "windir",
            "process",
            "created",
            "shell commands",
            "k wersvcgroup",
            "registry keys",
            "registry",
            "shell folders",
            "hkeyusers",
            "storage",
            "peexe",
            "programfiles",
            "appdatalocal",
            "localappdata",
            "serial number",
            "signature",
            "file",
            "x509",
            "name",
            "issuer enigma",
            "protector ca",
            "valid from",
            "usage client",
            "auth algorithm",
            "vhash",
            "imphash",
            "rich pe",
            "ssdeep",
            "win32 exe",
            "magic pe32",
            "intel",
            "ms windows",
            "trid win32",
            "dynamic link",
            "enigma",
            "vs2008",
            "rticon english",
            "vs2008 sp1",
            "contained",
            "info compiler",
            "products",
            "header target",
            "machine intel",
            "utc entry",
            "point"
          ],
          "references": [
            "Antivirus Detections: Win.Ransomware.Cryakl-7691592-0  Alerts injection_inter_process injection_create_remote_thread cape_detected_threat injection_process_hollowing",
            "IDS Detections: CryptoWall Check-in TLS Handshake Failure",
            "Yara Detections: EnigmaProtector ,  WinRAR_SFX ,  xor_0x1f_This_program",
            "Alerts: injection_inter_process injection_create_remote_thread cape_detected_threat injection_process_hollowing",
            "CS Sigma: Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
            "CS Sigma Rules: Matches rule Uncommon Svchost Parent Process by Florian Roth (Nextron Systems)",
            "CS Sigma Rules: Matches rule Windows Processes Suspicious Parent Directory by vburov",
            "Privilege Escalation TA0004 Process Injection T1055 Early bird code injection technique detected",
            "\u2205 The sandbox C2AE flags this file as: RANSOM | Matches rule MALWARE-CNC Win.Trojan.FileEncoder variant outbound connection",
            "\u2205 System process connects to network (likely due to code injection) \u2205 Injects a PE file into a foreign processes",
            "\u2205 Maps a DLL or memory area into another process  \u2205 Queues an APC in another process (thread)",
            "\u2205  Early bird code injection technique detected  System process connects to network (likely due to code injection) \u2205 Injects a PE file into a foreign processes  \u2205 Maps a DLL or memory area into another process",
            "Matches rule ET MALWARE CryptoWall Check-in Matches rule ET INFO HTTP Request to a *.asia domain",
            "\u2205 Queues an APC in another process (thread injection)",
            "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7bfcaf9d12548e7653109601a8678c94a92abce57cbddcc04939c422d9bb348",
            "pc.all-to-all.com",
            "x.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Ransom:Win32/Crowti.A",
              "display_name": "Ransom:Win32/Crowti.A",
              "target": "/malware/Ransom:Win32/Crowti.A"
            },
            {
              "id": "Win.Ransomware.Cryakl",
              "display_name": "Win.Ransomware.Cryakl",
              "target": null
            },
            {
              "id": "Trojan.Cryakl/Crowti",
              "display_name": "Trojan.Cryakl/Crowti",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 79,
            "FileHash-SHA1": 60,
            "FileHash-SHA256": 298,
            "SSLCertFingerprint": 1,
            "URL": 313,
            "domain": 89,
            "hostname": 62
          },
          "indicator_count": 902,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "629 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "CS Sigma Rules: Matches rule Windows Processes Suspicious Parent Directory by vburov",
        "Privilege Escalation TA0004 Process Injection T1055 Early bird code injection technique detected",
        "CS Sigma: Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
        "Matches rule ET MALWARE CryptoWall Check-in Matches rule ET INFO HTTP Request to a *.asia domain",
        "\u2205 The sandbox C2AE flags this file as: RANSOM | Matches rule MALWARE-CNC Win.Trojan.FileEncoder variant outbound connection",
        "IDS Detections: CryptoWall Check-in TLS Handshake Failure",
        "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7bfcaf9d12548e7653109601a8678c94a92abce57cbddcc04939c422d9bb348",
        "\u2205  Early bird code injection technique detected  System process connects to network (likely due to code injection) \u2205 Injects a PE file into a foreign processes  \u2205 Maps a DLL or memory area into another process",
        "pc.all-to-all.com",
        "Yara Detections: EnigmaProtector ,  WinRAR_SFX ,  xor_0x1f_This_program",
        "\u2205 System process connects to network (likely due to code injection) \u2205 Injects a PE file into a foreign processes",
        "\u2205 Maps a DLL or memory area into another process  \u2205 Queues an APC in another process (thread)",
        "CS Sigma Rules: Matches rule Uncommon Svchost Parent Process by Florian Roth (Nextron Systems)",
        "\u2205 Queues an APC in another process (thread injection)",
        "x.com",
        "Antivirus Detections: Win.Ransomware.Cryakl-7691592-0  Alerts injection_inter_process injection_create_remote_thread cape_detected_threat injection_process_hollowing",
        "Alerts: injection_inter_process injection_create_remote_thread cape_detected_threat injection_process_hollowing"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Win.ransomware.cryakl",
            "Trojan.cryakl/crowti",
            "Ransom:win32/crowti.a"
          ],
          "industries": [],
          "unique_indicators": 996
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/behejbrno.com",
    "whois": "http://whois.domaintools.com/behejbrno.com",
    "domain": "behejbrno.com",
    "hostname": "www.behejbrno.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 1,
  "pulses": [
    {
      "id": "66b878d22e70b331adf96ada",
      "name": "Cryptowall affecting Social Media and other Enterprise Resources",
      "description": "*Cryptowall\nby Malpedia\nCryptoWall is ransomware that is usually spread by spam and phishing emails, malicious ads, hacked websites, or other malware, and uses a Trojan horse to deliver the malicious payload.\n\nCryptowall\nUpdated 8 days ago by Malpedia\ntrusted CryptoWall is ransomware that is usually spread by spam and phishing emails, malicious ads, hacked websites, or other malware, and uses a Trojan horse to deliver the malicious payload.",
      "modified": "2024-09-10T07:03:46.003000",
      "created": "2024-08-11T08:39:46.489000",
      "tags": [
        "default",
        "msie",
        "windows nt",
        "wow64",
        "slcc2",
        "media center",
        "cryptowall",
        "malware beacon",
        "show",
        "inprocserver32",
        "suspicious",
        "copy",
        "write",
        "unknown",
        "malware",
        "main",
        "look",
        "install",
        "pe features",
        "network icmp",
        "creates exe",
        "packer entropy",
        "injection runpe",
        "dumped buffer",
        "allocates rwx",
        "exe appdata",
        "pe unknown",
        "resource name",
        "dynamicloader",
        "medium",
        "high",
        "passive dns",
        "urls",
        "domain",
        "creation date",
        "ransom",
        "date",
        "next",
        "scan endpoints",
        "all scoreblue",
        "hostname",
        "historical ssl",
        "referrer",
        "pe file",
        "downloads",
        "http route",
        "found",
        "logon autostart",
        "execution t1547",
        "registry run",
        "keys",
        "startup folder",
        "system process",
        "window",
        "post http",
        "response",
        "get https",
        "cachecontrol",
        "pragma nocache",
        "accept",
        "cnr3 cus",
        "number",
        "subject",
        "user",
        "runtime modules",
        "samplepath",
        "userprofile",
        "signals mutexes",
        "appdata",
        "local",
        "temp",
        "rarsfx0",
        "iconcacheinit",
        "mutexes",
        "defaulttabtip",
        "windir",
        "process",
        "created",
        "shell commands",
        "k wersvcgroup",
        "registry keys",
        "registry",
        "shell folders",
        "hkeyusers",
        "storage",
        "peexe",
        "programfiles",
        "appdatalocal",
        "localappdata",
        "serial number",
        "signature",
        "file",
        "x509",
        "name",
        "issuer enigma",
        "protector ca",
        "valid from",
        "usage client",
        "auth algorithm",
        "vhash",
        "imphash",
        "rich pe",
        "ssdeep",
        "win32 exe",
        "magic pe32",
        "intel",
        "ms windows",
        "trid win32",
        "dynamic link",
        "enigma",
        "vs2008",
        "rticon english",
        "vs2008 sp1",
        "contained",
        "info compiler",
        "products",
        "header target",
        "machine intel",
        "utc entry",
        "point"
      ],
      "references": [
        "Antivirus Detections: Win.Ransomware.Cryakl-7691592-0  Alerts injection_inter_process injection_create_remote_thread cape_detected_threat injection_process_hollowing",
        "IDS Detections: CryptoWall Check-in TLS Handshake Failure",
        "Yara Detections: EnigmaProtector ,  WinRAR_SFX ,  xor_0x1f_This_program",
        "Alerts: injection_inter_process injection_create_remote_thread cape_detected_threat injection_process_hollowing",
        "CS Sigma: Matches rule CurrentVersion Autorun Keys Modification by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
        "CS Sigma Rules: Matches rule Uncommon Svchost Parent Process by Florian Roth (Nextron Systems)",
        "CS Sigma Rules: Matches rule Windows Processes Suspicious Parent Directory by vburov",
        "Privilege Escalation TA0004 Process Injection T1055 Early bird code injection technique detected",
        "\u2205 The sandbox C2AE flags this file as: RANSOM | Matches rule MALWARE-CNC Win.Trojan.FileEncoder variant outbound connection",
        "\u2205 System process connects to network (likely due to code injection) \u2205 Injects a PE file into a foreign processes",
        "\u2205 Maps a DLL or memory area into another process  \u2205 Queues an APC in another process (thread)",
        "\u2205  Early bird code injection technique detected  System process connects to network (likely due to code injection) \u2205 Injects a PE file into a foreign processes  \u2205 Maps a DLL or memory area into another process",
        "Matches rule ET MALWARE CryptoWall Check-in Matches rule ET INFO HTTP Request to a *.asia domain",
        "\u2205 Queues an APC in another process (thread injection)",
        "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7bfcaf9d12548e7653109601a8678c94a92abce57cbddcc04939c422d9bb348",
        "pc.all-to-all.com",
        "x.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Ransom:Win32/Crowti.A",
          "display_name": "Ransom:Win32/Crowti.A",
          "target": "/malware/Ransom:Win32/Crowti.A"
        },
        {
          "id": "Win.Ransomware.Cryakl",
          "display_name": "Win.Ransomware.Cryakl",
          "target": null
        },
        {
          "id": "Trojan.Cryakl/Crowti",
          "display_name": "Trojan.Cryakl/Crowti",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 79,
        "FileHash-SHA1": 60,
        "FileHash-SHA256": 298,
        "SSLCertFingerprint": 1,
        "URL": 313,
        "domain": 89,
        "hostname": 62
      },
      "indicator_count": 902,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 228,
      "modified_text": "629 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://www.behejbrno.com/wp-json/",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://www.behejbrno.com/wp-json/",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780304428.9374785
}