{
  "type": "URL",
  "indicator": "https://www.moongallery.com.tw/upload/py.exe",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://www.moongallery.com.tw/upload/py.exe",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3620615766,
      "indicator": "https://www.moongallery.com.tw/upload/py.exe",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "63d01443a731db22dd9783bf",
          "name": "DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation",
          "description": "Recent attacks against East Asian organizations, which we track as \u2018DragonSpark\u2019, are characterized by the use of the little-known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation.",
          "modified": "2023-02-23T16:00:50.025000",
          "created": "2023-01-24T17:24:19.139000",
          "tags": [
            "SparkRAT",
            "SharpToken",
            "BadPotato",
            "GotoHTTP",
            "Golang",
            "DragonSpark",
            "MySQL",
            "Python"
          ],
          "references": [
            "https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SparkRAT",
              "display_name": "SparkRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 372,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 2,
            "URL": 3,
            "domain": 1
          },
          "indicator_count": 12,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386608,
          "modified_text": "1193 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "63e0ba96af987d29c17f2298",
          "name": "Threat Intel Report - W6-2023.pdf",
          "description": "This is a cyber-advisory document presenting compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly recommendations for all IT administrators and CISOs to take corrective action and upgrade their security infrastructure against threats and attacks newly identified this week.\nSecurity is a continuous process, and it has to be reviewed and audited continuously through manual or automated tools.\nThese details may be used as an additional layer to verify an organization's current security posture against the latest cyber trends.",
          "modified": "2023-03-08T08:04:26.856000",
          "created": "2023-02-06T08:30:14.537000",
          "tags": [],
          "references": [
            "https://www.dnsbl.info/",
            "https://www.spamhaus.org/xbl/",
            "https://www.senderscore.org/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "aa00643640@techmahindra.com",
            "id": "156540",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 163,
            "hostname": 74,
            "FileHash-MD5": 26,
            "FileHash-SHA1": 25,
            "FileHash-SHA256": 44,
            "CVE": 7,
            "domain": 127
          },
          "indicator_count": 466,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 108,
          "modified_text": "1180 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "63d3331f9403f4215ecaf55e",
          "name": "Attacks Evade Detection with SparkRAT",
          "description": "",
          "modified": "2023-02-26T02:00:35.497000",
          "created": "2023-01-27T02:12:47.153000",
          "tags": [],
          "references": [
            "January 27th, 2023 - CryptoGen Cyber Threat Intelligence - Attacks Evade Detection with SparkRAT..pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 1,
            "URL": 8,
            "hostname": 3
          },
          "indicator_count": 16,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "1191 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "63d071934a22599bc81c29bb",
          "name": "DragonSpark | Attacks Evade Detection With SparkRAT and Golang Source Code Interpretation",
          "description": "",
          "modified": "2023-02-24T00:03:51.033000",
          "created": "2023-01-25T00:02:27.676000",
          "tags": [
            "OSINT",
            "SparkRAT",
            "Golang",
            "Malware",
            "DragonSpark",
            "T1059",
            "T1574.002",
            "T1571"
          ],
          "references": [
            "https://community.riskiq.com/article/70b51060"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 7
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1622,
          "modified_text": "1193 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "63d047ce78b7fe07ff0890ee",
          "name": "VTA - Hackers use Golang source code interpreter to evade detection",
          "description": "A Chinese-speaking hacking group tracked as \u2018DragonSpark\u2019 was observed employing Golang source code interpretation to evade detection while launching espionage attacks against organizations in East Asia. The threat actor, DragonSpark, relies on an open-source tool called SparkRAT to steal sensitive data from compromised systems, execute commands, perform lateral network movement, and more.",
          "modified": "2023-02-23T21:02:12.190000",
          "created": "2023-01-24T21:04:14.816000",
          "tags": [
            "golang",
            "meterpreter",
            "cobalt strike",
            "zegost",
            "dragonspark",
            "sparkrat",
            "c2 server",
            "golang source",
            "shellcodeloader",
            "china chopper",
            "base64",
            "golang malware",
            "china",
            "taiwan",
            "python",
            "powershell",
            "malware",
            "leviathan"
          ],
          "references": [
            "https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/"
          ],
          "public": 1,
          "adversary": "DragonSpark",
          "targeted_countries": [
            "United States of America",
            "Singapore",
            "Hong Kong",
            "Taiwan",
            "China"
          ],
          "malware_families": [
            {
              "id": "Zegost",
              "display_name": "Zegost",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Meterpreter",
              "display_name": "Meterpreter",
              "target": null
            },
            {
              "id": "Golang",
              "display_name": "Golang",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Travel"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 2,
            "URL": 8,
            "domain": 1,
            "hostname": 4
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 214,
          "modified_text": "1193 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "63d0da562d3a007cb1016dce",
          "name": "DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation",
          "description": "",
          "modified": "2023-02-23T16:00:50.025000",
          "created": "2023-01-25T07:29:26.429000",
          "tags": [
            "SparkRAT",
            "SharpToken",
            "BadPotato",
            "GotoHTTP",
            "Golang",
            "DragonSpark",
            "MySQL",
            "Python"
          ],
          "references": [
            "https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SparkRAT",
              "display_name": "SparkRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "63d01443a731db22dd9783bf",
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 2,
            "URL": 3,
            "domain": 1
          },
          "indicator_count": 12,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "1193 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "63d43fe75091f42e0f6bacb6",
          "name": "DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation",
          "description": "",
          "modified": "2023-02-23T16:00:50.025000",
          "created": "2023-01-27T21:19:35.608000",
          "tags": [
            "SparkRAT",
            "SharpToken",
            "BadPotato",
            "GotoHTTP",
            "Golang",
            "DragonSpark",
            "MySQL",
            "Python"
          ],
          "references": [
            "https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SparkRAT",
              "display_name": "SparkRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "63d01443a731db22dd9783bf",
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "feisty-swim1410",
            "id": "217462",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 2,
            "URL": 3,
            "domain": 1
          },
          "indicator_count": 12,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 65,
          "modified_text": "1193 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "63d7824e29bf61bd416bd4fe",
          "name": "DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation",
          "description": "",
          "modified": "2023-02-23T16:00:50.025000",
          "created": "2023-01-30T08:39:42.989000",
          "tags": [
            "SparkRAT",
            "SharpToken",
            "BadPotato",
            "GotoHTTP",
            "Golang",
            "DragonSpark",
            "MySQL",
            "Python"
          ],
          "references": [
            "https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SparkRAT",
              "display_name": "SparkRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1094",
              "name": "Custom Command and Control Protocol",
              "display_name": "T1094 - Custom Command and Control Protocol"
            },
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "63d0da562d3a007cb1016dce",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 2,
            "URL": 3,
            "domain": 1
          },
          "indicator_count": 12,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "1193 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "63cfccfa9ed1f92304cbc65d",
          "name": "DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation - SentinelOne",
          "description": "A study by SentinelLabs, a security firm based in Hong Kong, shows that a Chinese-speaking threat actor is using a little known open source tool, SparkRAT, to evade detection.",
          "modified": "2023-02-23T12:03:43.524000",
          "created": "2023-01-24T12:20:10.638000",
          "tags": [
            "golang",
            "meterpreter",
            "cobalt strike",
            "zegost",
            "dragonspark",
            "sparkrat",
            "c2 server",
            "golang source",
            "shellcodeloader",
            "china chopper",
            "base64",
            "golang malware",
            "china",
            "taiwan",
            "python",
            "powershell",
            "malware",
            "leviathan",
            "badpotato"
          ],
          "references": [
            "https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Singapore",
            "Hong Kong",
            "Taiwan",
            "China"
          ],
          "malware_families": [
            {
              "id": "Zegost",
              "display_name": "Zegost",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Meterpreter",
              "display_name": "Meterpreter",
              "target": null
            },
            {
              "id": "Golang",
              "display_name": "Golang",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Travel"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 9,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 2,
            "domain": 1,
            "hostname": 4
          },
          "indicator_count": 23,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "1193 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "63cfc1176791031a0bcf2a64",
          "name": "Hackers use Golang source code interpreter to evade detection",
          "description": "A Chinese-speaking hacking group tracked as \u2018DragonSpark\u2019 was observed employing Golang source code interpretation to evade detection while launching espionage attacks against organizations in East Asia.\n\nThe attacks are tracked by SentinelLabs, whose researchers report that DragonSpark relies on a little-known open-source tool called SparkRAT to steal sensitive data from compromised systems, execute commands, perform lateral network movement, and more.\n\nThe threat actors leverage compromised infrastructure in China, Taiwan, and Singapore to launch their attacks, while the intrusion vector observed by SentinelLabs is vulnerable MySQL database servers exposed online.",
          "modified": "2023-02-23T11:03:31.745000",
          "created": "2023-01-24T11:29:27.857000",
          "tags": [
            "golang",
            "meterpreter",
            "cobalt strike",
            "zegost",
            "dragonspark",
            "sparkrat",
            "c2 server",
            "golang source",
            "shellcodeloader",
            "china chopper",
            "base64",
            "golang malware",
            "china",
            "taiwan",
            "python",
            "powershell",
            "malware",
            "leviathan",
            "badpotato"
          ],
          "references": [
            "https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/",
            "https://www.bleepingcomputer.com/news/security/hackers-use-golang-source-code-interpreter-to-evade-detection/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Singapore",
            "Hong Kong",
            "Taiwan",
            "China"
          ],
          "malware_families": [
            {
              "id": "Zegost",
              "display_name": "Zegost",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Meterpreter",
              "display_name": "Meterpreter",
              "target": null
            },
            {
              "id": "Golang",
              "display_name": "Golang",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Travel"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 231,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dekaRituraj",
            "id": "99856",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 1,
            "URL": 8,
            "domain": 1,
            "hostname": 4
          },
          "indicator_count": 20,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 434,
          "modified_text": "1193 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://community.riskiq.com/article/70b51060",
        "https://www.bleepingcomputer.com/news/security/hackers-use-golang-source-code-interpreter-to-evade-detection/",
        "January 27th, 2023 - CryptoGen Cyber Threat Intelligence - Attacks Evade Detection with SparkRAT..pdf",
        "https://www.dnsbl.info/",
        "https://www.senderscore.org/",
        "https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/",
        "https://www.spamhaus.org/xbl/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Sparkrat"
          ],
          "industries": [],
          "unique_indicators": 16
        },
        "other": {
          "adversary": [
            "DragonSpark"
          ],
          "malware_families": [
            "Cobalt strike",
            "Golang",
            "Sparkrat",
            "Zegost",
            "Meterpreter"
          ],
          "industries": [
            "Travel"
          ],
          "unique_indicators": 592
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/moongallery.com.tw",
    "whois": "http://whois.domaintools.com/moongallery.com.tw",
    "domain": "moongallery.com.tw",
    "hostname": "www.moongallery.com.tw"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "63d01443a731db22dd9783bf",
      "name": "DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation",
      "description": "Recent attacks against East Asian organizations we track as \u2018DragonSpark\u2019. The attacks are characterized by the use of the little known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation.",
      "modified": "2023-02-23T16:00:50.025000",
      "created": "2023-01-24T17:24:19.139000",
      "tags": [
        "SparkRAT",
        "SharpToken",
        "BadPotato",
        "GotoHTTP",
        "Golang",
        "DragonSpark",
        "MySQL",
        "Python"
      ],
      "references": [
        "https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SparkRAT",
          "display_name": "SparkRAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 372,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 2,
        "URL": 3,
        "domain": 1
      },
      "indicator_count": 12,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386608,
      "modified_text": "1193 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "63e0ba96af987d29c17f2298",
      "name": "Threat Intel Report - W6-2023.pdf",
      "description": "This is a cyber-advisory document presenting compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against threats and attacks newly identified this week.\nSecurity is a continuous process, and it has to be reviewed and audited in a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against the latest cyber trends.",
      "modified": "2023-03-08T08:04:26.856000",
      "created": "2023-02-06T08:30:14.537000",
      "tags": [],
      "references": [
        "https://www.dnsbl.info/",
        "https://www.spamhaus.org/xbl/",
        "https://www.senderscore.org/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "aa00643640@techmahindra.com",
        "id": "156540",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 163,
        "hostname": 74,
        "FileHash-MD5": 26,
        "FileHash-SHA1": 25,
        "FileHash-SHA256": 44,
        "CVE": 7,
        "domain": 127
      },
      "indicator_count": 466,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 108,
      "modified_text": "1180 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "63d3331f9403f4215ecaf55e",
      "name": "Attacks Evade Detection with SparkRAT",
      "description": "",
      "modified": "2023-02-26T02:00:35.497000",
      "created": "2023-01-27T02:12:47.153000",
      "tags": [],
      "references": [
        "January 27th, 2023 - CryptoGen Cyber Threat Intelligence - Attacks Evade Detection with SparkRAT..pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 1,
        "URL": 8,
        "hostname": 3
      },
      "indicator_count": 16,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "1191 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "63d071934a22599bc81c29bb",
      "name": "DragonSpark | Attacks Evade Detection With SparkRAT and Golang Source Code Interpretation",
      "description": "",
      "modified": "2023-02-24T00:03:51.033000",
      "created": "2023-01-25T00:02:27.676000",
      "tags": [
        "OSINT",
        "SparkRAT",
        "Golang",
        "Malware",
        "DragonSpark",
        "T1059",
        "T1574.002",
        "T1571"
      ],
      "references": [
        "https://community.riskiq.com/article/70b51060"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 7
      },
      "indicator_count": 7,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1622,
      "modified_text": "1193 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "63d047ce78b7fe07ff0890ee",
      "name": "VTA - Hackers use Golang source code interpreter to evade detection",
      "description": "A Chinese-speaking hacking group tracked as \u2018DragonSpark\u2019 was observed employing Golang source code interpretation to evade detection while launching espionage attacks against organizations in East Asia. The threat actor, DragonSpark relies on an open-source tool called SparkRAT to steal sensitive data from compromised systems, execute commands, perform lateral network movement, and more.",
      "modified": "2023-02-23T21:02:12.190000",
      "created": "2023-01-24T21:04:14.816000",
      "tags": [
        "golang",
        "meterpreter",
        "cobalt strike",
        "zegost",
        "dragonspark",
        "sparkrat",
        "c2 server",
        "golang source",
        "shellcodeloader",
        "china chopper",
        "base64",
        "golang malware",
        "china",
        "taiwan",
        "python",
        "powershell",
        "malware",
        "leviathan"
      ],
      "references": [
        "https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/"
      ],
      "public": 1,
      "adversary": "DragonSpark",
      "targeted_countries": [
        "United States of America",
        "Singapore",
        "Hong Kong",
        "Taiwan",
        "China"
      ],
      "malware_families": [
        {
          "id": "Zegost",
          "display_name": "Zegost",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Meterpreter",
          "display_name": "Meterpreter",
          "target": null
        },
        {
          "id": "Golang",
          "display_name": "Golang",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1505",
          "name": "Server Software Component",
          "display_name": "T1505 - Server Software Component"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Travel"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Superpro",
        "id": "61676",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 2,
        "URL": 8,
        "domain": 1,
        "hostname": 4
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 214,
      "modified_text": "1193 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "63d0da562d3a007cb1016dce",
      "name": "DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation",
      "description": "",
      "modified": "2023-02-23T16:00:50.025000",
      "created": "2023-01-25T07:29:26.429000",
      "tags": [
        "SparkRAT",
        "SharpToken",
        "BadPotato",
        "GotoHTTP",
        "Golang",
        "DragonSpark",
        "MySQL",
        "Python"
      ],
      "references": [
        "https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SparkRAT",
          "display_name": "SparkRAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "63d01443a731db22dd9783bf",
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 2,
        "URL": 3,
        "domain": 1
      },
      "indicator_count": 12,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 186,
      "modified_text": "1193 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "63d43fe75091f42e0f6bacb6",
      "name": "DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation",
      "description": "",
      "modified": "2023-02-23T16:00:50.025000",
      "created": "2023-01-27T21:19:35.608000",
      "tags": [
        "SparkRAT",
        "SharpToken",
        "BadPotato",
        "GotoHTTP",
        "Golang",
        "DragonSpark",
        "MySQL",
        "Python"
      ],
      "references": [
        "https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SparkRAT",
          "display_name": "SparkRAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "63d01443a731db22dd9783bf",
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "feisty-swim1410",
        "id": "217462",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 2,
        "URL": 3,
        "domain": 1
      },
      "indicator_count": 12,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 65,
      "modified_text": "1193 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "63d7824e29bf61bd416bd4fe",
      "name": "DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation",
      "description": "",
      "modified": "2023-02-23T16:00:50.025000",
      "created": "2023-01-30T08:39:42.989000",
      "tags": [
        "SparkRAT",
        "SharpToken",
        "BadPotato",
        "GotoHTTP",
        "Golang",
        "DragonSpark",
        "MySQL",
        "Python"
      ],
      "references": [
        "https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SparkRAT",
          "display_name": "SparkRAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1094",
          "name": "Custom Command and Control Protocol",
          "display_name": "T1094 - Custom Command and Control Protocol"
        },
        {
          "id": "T1001",
          "name": "Data Obfuscation",
          "display_name": "T1001 - Data Obfuscation"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "63d0da562d3a007cb1016dce",
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 2,
        "URL": 3,
        "domain": 1
      },
      "indicator_count": 12,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "1193 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "63cfccfa9ed1f92304cbc65d",
      "name": "DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation - SentinelOne",
      "description": "A study by SentinelLabs, a security firm based in Hong Kong, shows that a Chinese-speaking threat actor is using a little known open source tool, SparkRAT, to evade detection.",
      "modified": "2023-02-23T12:03:43.524000",
      "created": "2023-01-24T12:20:10.638000",
      "tags": [
        "golang",
        "meterpreter",
        "cobalt strike",
        "zegost",
        "dragonspark",
        "sparkrat",
        "c2 server",
        "golang source",
        "shellcodeloader",
        "china chopper",
        "base64",
        "golang malware",
        "china",
        "taiwan",
        "python",
        "powershell",
        "malware",
        "leviathan",
        "badpotato"
      ],
      "references": [
        "https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Singapore",
        "Hong Kong",
        "Taiwan",
        "China"
      ],
      "malware_families": [
        {
          "id": "Zegost",
          "display_name": "Zegost",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Meterpreter",
          "display_name": "Meterpreter",
          "target": null
        },
        {
          "id": "Golang",
          "display_name": "Golang",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1505",
          "name": "Server Software Component",
          "display_name": "T1505 - Server Software Component"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Travel"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 9,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 2,
        "domain": 1,
        "hostname": 4
      },
      "indicator_count": 23,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "1193 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "63cfc1176791031a0bcf2a64",
      "name": "Hackers use Golang source code interpreter to evade detection",
      "description": "A Chinese-speaking hacking group tracked as \u2018DragonSpark\u2019 was observed employing Golang source code interpretation to evade detection while launching espionage attacks against organizations in East Asia.\n\nThe attacks are tracked by SentinelLabs, whose researchers report that DragonSpark relies on a little-known open-source tool called SparkRAT to steal sensitive data from compromised systems, execute commands, perform lateral network movement, and more.\n\nThe threat actors leverage compromised infrastructure in China, Taiwan, and Singapore to launch their attacks, while the intrusion vector observed by SentinelLabs is vulnerable MySQL database servers exposed online.",
      "modified": "2023-02-23T11:03:31.745000",
      "created": "2023-01-24T11:29:27.857000",
      "tags": [
        "golang",
        "meterpreter",
        "cobalt strike",
        "zegost",
        "dragonspark",
        "sparkrat",
        "c2 server",
        "golang source",
        "shellcodeloader",
        "china chopper",
        "base64",
        "golang malware",
        "china",
        "taiwan",
        "python",
        "powershell",
        "malware",
        "leviathan",
        "badpotato"
      ],
      "references": [
        "https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/",
        "https://www.bleepingcomputer.com/news/security/hackers-use-golang-source-code-interpreter-to-evade-detection/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Singapore",
        "Hong Kong",
        "Taiwan",
        "China"
      ],
      "malware_families": [
        {
          "id": "Zegost",
          "display_name": "Zegost",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Meterpreter",
          "display_name": "Meterpreter",
          "target": null
        },
        {
          "id": "Golang",
          "display_name": "Golang",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1505",
          "name": "Server Software Component",
          "display_name": "T1505 - Server Software Component"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Travel"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 231,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dekaRituraj",
        "id": "99856",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 1,
        "URL": 8,
        "domain": 1,
        "hostname": 4
      },
      "indicator_count": 20,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 434,
      "modified_text": "1193 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://www.moongallery.com.tw/upload/py.exe",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://www.moongallery.com.tw/upload/py.exe",
    "type": "URL",
    "found": true,
    "verdict": "malicious",
    "url_status": "offline",
    "threat": "malware_download",
    "tags": [
      "exe"
    ],
    "date_added": "2023-01-30",
    "last_online": "2023-03-02",
    "reporter": "zbetcheckin",
    "host": "www.moongallery.com.tw",
    "payloads": [
      {
        "filename": null,
        "file_type": "exe",
        "md5": "e00cb21590e1d0cb89eeb16897be82e7",
        "sha256": "5585750ed182014fa4e52414ff733348ddd324f22f8ca2b476460273cba3d133",
        "signature": null,
        "first_seen": "2023-01-30"
      }
    ],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780284907.1576931
}