{ "type": "URL", "indicator": "https://www.playskeep.com/fifa-23", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.playskeep.com/fifa-23", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3599359537, "indicator": "https://www.playskeep.com/fifa-23", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "639842fa4c386ea45c0d984e", "name": "Threat Actors Targeting Fans Amid FIFA World Cup Fever", "description": "CRIL has identified a number of scams exploiting the popularity of the FIFA World Cup and its theme, using the football theme to lure victims into giving sensitive information.", "modified": "2022-12-13T10:00:11.557000", "created": "2022-12-13T09:16:42.759000", "tags": [ "android", "redline", "infostealer", "btc", "cryptocurrency", "fifa", "phishing", "world cup" ], "references": [ "https://blog.cyble.com/2022/12/09/threat-actors-targeting-fans-amid-fifa-world-cup-fever/" ], "public": 1, "adversary": "", "targeted_countries": [ "Qatar" ], "malware_families": [ { "id": "Redline", "display_name": "Redline", "target": null } ], "attack_ids": [ { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1433", "name": "Access Call Log", "display_name": "T1433 - Access Call Log" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1517", "name": "Access Notifications", "display_name": "T1517 - Access Notifications" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1533", "name": "Data from Local System", "display_name": "T1533 - Data from Local System" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 387, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 4, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 3, "hostname": 1 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 377841, "modified_text": "1224 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570974f872f3ad80a8b32c7", "name": "TarD5B7.tmp - and all using its ioc's", "description": "", "modified": "2023-12-06T15:46:23.604000", "created": "2023-12-06T15:46:23.604000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6924, "CVE": 4, "FileHash-SHA256": 24687, "URL": 23965, "domain": 6830, "FileHash-MD5": 943, "FileHash-SHA1": 395, "email": 67 }, "indicator_count": 63815, "is_author": false, "is_subscribing": null, "subscriber_count": 113, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63f4e8f331fad5e54c0bed1e", "name": "TarD5B7.tmp - and all using its ioc's", "description": "TarD5B7.tmp\nc0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd", "modified": "2023-03-23T00:00:46.897000", "created": "2023-02-21T15:53:23.273000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "TarD5B7.tmp" ], "references": [ "TarD587.tmp - c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd", "https://hybrid-analysis.com/sample/c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 23965, "hostname": 6924, "FileHash-SHA256": 24687, "domain": 6830, "CVE": 4, "email": 67, "FileHash-MD5": 943, "FileHash-SHA1": 395 }, "indicator_count": 63815, "is_author": false, "is_subscribing": null, "subscriber_count": 94, "modified_text": "1125 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6398f740b7833d444a9687c9", "name": "VTA- Scam Alerts in WhatsApp Message to Offer Users Free Data to Watch FIFA World Cup", "description": "Threat actors targeted unsuspecting individuals with malicious activities that included the FIFA World Cup as a theme. The popularity of the FIFA World Cup is being abused by a number of scams, according to Cyble Research & Intelligence Labs (CRIL), including crypto phishing attempts using fake FIFA airdrops, fake ticket sales, fraudulent giveaways, malicious Android apps, an increase in FIFA betting sites, and a lot more. Scammers spreading messages on WhatsApp stating that FIFA is providing free 50GB bandwidth for everyone to view the 2022 FIFA World Cup in Qatar.", "modified": "2022-12-13T22:05:52.164000", "created": "2022-12-13T22:05:52.164000", "tags": [ "android", "info", "redline", "infostealer", "qatar", "osint", "data leak", "redline stealer", "world cup", "ripple", "cybercriminals", "non fungible tokens", "fake tickets", "btc", "crypto wallets", "iphone", "fifa", "monero", "binanace", "cryptocurrency", "ipads", "youtube", "malware", "whatsapp", "android rat", "facebook", "phishing", "threat intelligence", "fifa2022", "darkweb", "kora442", "threat actors", "fifa world", "cril", "qr code", "facebook page", "download", "protect" ], "references": [ "https://blog.cyble.com/2022/12/09/threat-actors-targeting-fans-amid-fifa-world-cup-fever/" ], "public": 1, "adversary": "", "targeted_countries": [ "Qatar", "India", "Singapore", "Australia", "Georgia" ], "malware_families": [ { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Info", "display_name": "Info", "target": null }, { "id": "Android", "display_name": "Android", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1433", "name": "Access Call Log", "display_name": "T1433 - Access Call Log" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1517", "name": "Access Notifications", "display_name": "T1517 - Access Notifications" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1533", "name": "Data from Local System", "display_name": "T1533 - Data from Local System" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 305, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Provintell-Lab", "id": "112104", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 3, "hostname": 2 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 251, "modified_text": "1224 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6398f71aa923baf76971a0ea", "name": "VTA- Scam Alerts in WhatsApp Message to Offer Users Free Data to Watch FIFA World Cup", "description": "Threat actors targeted unsuspecting individuals with malicious activities that included the FIFA World Cup as a theme. The popularity of the FIFA World Cup is being abused by a number of scams, according to Cyble Research & Intelligence Labs (CRIL), including crypto phishing attempts using fake FIFA airdrops, fake ticket sales, fraudulent giveaways, malicious Android apps, an increase in FIFA betting sites, and a lot more. Scammers spreading messages on WhatsApp stating that FIFA is providing free 50GB bandwidth for everyone to view the 2022 FIFA World Cup in Qatar.", "modified": "2022-12-13T22:05:14.451000", "created": "2022-12-13T22:05:14.451000", "tags": [ "android", "info", "redline", "infostealer", "qatar", "osint", "data leak", "redline stealer", "world cup", "ripple", "cybercriminals", "non fungible tokens", "fake tickets", "btc", "crypto wallets", "iphone", "fifa", "monero", "binanace", "cryptocurrency", "ipads", "youtube", "malware", "whatsapp", "android rat", "facebook", "phishing", "threat intelligence", "fifa2022", "darkweb", "kora442", "threat actors", "fifa world", "cril", "qr code", "facebook page", "download", "protect" ], "references": [ "https://blog.cyble.com/2022/12/09/threat-actors-targeting-fans-amid-fifa-world-cup-fever/" ], "public": 1, "adversary": "", "targeted_countries": [ "Qatar", "India", "Singapore", "Australia", "Georgia" ], "malware_families": [ { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Info", "display_name": "Info", "target": null }, { "id": "Android", "display_name": "Android", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1433", "name": "Access Call Log", "display_name": "T1433 - Access Call Log" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1517", "name": "Access Notifications", "display_name": "T1517 - Access Notifications" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1533", "name": "Data from Local System", "display_name": "T1533 - Data from Local System" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 306, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Provintell-Lab", "id": "112104", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 3, "hostname": 2 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 251, "modified_text": "1224 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "639312917e50a5e5d809c93b", "name": "Cyble - Threat Actors Targeting Fans Amid FIFA World Cup Fever", "description": "Cyble Research & Intelligence Labs (CRIL) has identified a number of scams exploiting the popularity of the 2022 FIFA World Cup, including crypto phishing schemes using the football theme to lure victims.", "modified": "2022-12-09T10:48:49.098000", "created": "2022-12-09T10:48:49.098000", "tags": [ "android", "info", "redline", "threat actors", "whatsapp", "phishing", "qatar", "threat intelligence", "malware", "data leak", "redline stealer", "binanace", "cryptocurrency", "infostealer", "non fungible tokens", "world cup", "android rat", "fifa", "cybercriminals", "btc", "kora442", "fifa2022", "ripple", "fake tickets", "iphone", "osint", "monero", "ipads", "youtube", "crypto wallets", "darkweb", "facebook", "fifa world", "cril", "qr code", "facebook page", "download", "protect" ], "references": [ "https://blog.cyble.com/2022/12/09/threat-actors-targeting-fans-amid-fifa-world-cup-fever/" ], "public": 1, "adversary": "", "targeted_countries": [ "India", "Singapore", "Australia", "Georgia", "Qatar" ], "malware_families": [ { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Info", "display_name": "Info", "target": null }, { "id": "Android", "display_name": "Android", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1433", "name": "Access Call Log", "display_name": "T1433 - Access Call Log" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1517", "name": "Access Notifications", "display_name": "T1517 - Access Notifications" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1533", "name": "Data from Local System", "display_name": "T1533 - Data from Local System" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 3, "hostname": 2 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 848, "modified_text": "1228 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63930e427a0fa505027c270c", "name": "Cyble — Threat Actors Targeting Fans Amid FIFA World Cup Fever", "description": "Cyble Research & Intelligence Labs (CRIL) has identified a number of scams exploiting the popularity of the 2022 FIFA World Cup, including crypto phishing schemes using the football theme to lure victims.", "modified": "2022-12-09T10:30:26.560000", "created": "2022-12-09T10:30:26.560000", "tags": [ "android", "info", "redline", "threat actors", "whatsapp", "phishing", "qatar", "threat intelligence", "malware", "data leak", "redline stealer", "binanace", "cryptocurrency", "infostealer", "non fungible tokens", "world cup", "android rat", "fifa", "cybercriminals", "btc", "kora442", "fifa2022", "ripple", "fake tickets", "iphone", "osint", "monero", "ipads", "youtube", "crypto wallets", "darkweb", "facebook", "fifa world", "cril", "qr code", "facebook page", "download", "protect" ], "references": [ "https://blog.cyble.com/2022/12/09/threat-actors-targeting-fans-amid-fifa-world-cup-fever/" ], "public": 1, "adversary": "", "targeted_countries": [ "India", "Singapore", "Australia", "Georgia", "Qatar" ], "malware_families": [ { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Info", "display_name": "Info", "target": null }, { "id": "Android", "display_name": "Android", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1433", "name": "Access Call Log", "display_name": "T1433 - Access Call Log" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1517", "name": "Access Notifications", "display_name": "T1517 - Access Notifications" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1533", "name": "Data from Local System", "display_name": "T1533 - Data from Local System" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rajeevranjancom", "id": "210113", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 3, "domain": 3, "hostname": 2 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "1228 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://blog.cyble.com/2022/12/09/threat-actors-targeting-fans-amid-fifa-world-cup-fever/", "TarD587.tmp - c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd", "https://hybrid-analysis.com/sample/c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Redline" ], "industries": [], "unique_indicators": 14 }, "other": { "adversary": [], "malware_families": [ "Info", "Redline", "Android" ], "industries": [], "unique_indicators": 64077 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/playskeep.com", "whois": "http://whois.domaintools.com/playskeep.com", "domain": "playskeep.com", "hostname": "www.playskeep.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "639842fa4c386ea45c0d984e", "name": "Threat Actors Targeting Fans Amid FIFA World Cup Fever", "description": "CRIL has identified a number of scams exploiting the popularity of the FIFA World Cup and its theme, using the football theme to lure victims into giving sensitive information.", "modified": "2022-12-13T10:00:11.557000", "created": "2022-12-13T09:16:42.759000", "tags": [ "android", "redline", "infostealer", "btc", "cryptocurrency", "fifa", "phishing", "world cup" ], "references": [ "https://blog.cyble.com/2022/12/09/threat-actors-targeting-fans-amid-fifa-world-cup-fever/" ], "public": 1, "adversary": "", "targeted_countries": [ "Qatar" ], "malware_families": [ { "id": "Redline", "display_name": "Redline", "target": null } ], "attack_ids": [ { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1433", "name": "Access Call Log", "display_name": "T1433 - Access Call Log" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1517", "name": "Access Notifications", "display_name": "T1517 - Access Notifications" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1533", "name": "Data from Local System", "display_name": "T1533 - Data from Local System" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 387, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 4, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 3, "hostname": 1 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 377841, "modified_text": "1224 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570974f872f3ad80a8b32c7", "name": "TarD5B7.tmp - and all using its ioc's", "description": "", "modified": "2023-12-06T15:46:23.604000", "created": "2023-12-06T15:46:23.604000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6924, "CVE": 4, "FileHash-SHA256": 24687, "URL": 23965, "domain": 6830, "FileHash-MD5": 943, "FileHash-SHA1": 395, "email": 67 }, "indicator_count": 63815, "is_author": false, "is_subscribing": null, "subscriber_count": 113, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63f4e8f331fad5e54c0bed1e", "name": "TarD5B7.tmp - and all using its ioc's", "description": "TarD5B7.tmp\nc0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd", "modified": "2023-03-23T00:00:46.897000", "created": "2023-02-21T15:53:23.273000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "TarD5B7.tmp" ], "references": [ "TarD587.tmp - c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd", "https://hybrid-analysis.com/sample/c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 23965, "hostname": 6924, "FileHash-SHA256": 24687, "domain": 6830, "CVE": 4, "email": 67, "FileHash-MD5": 943, "FileHash-SHA1": 395 }, "indicator_count": 63815, "is_author": false, "is_subscribing": null, "subscriber_count": 94, "modified_text": "1125 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6398f740b7833d444a9687c9", "name": "VTA- Scam Alerts in WhatsApp Message to Offer Users Free Data to Watch FIFA World Cup", "description": "Threat actors targeted unsuspecting individuals with malicious activities that included the FIFA World Cup as a theme. The popularity of the FIFA World Cup is being abused by a number of scams, according to Cyble Research & Intelligence Labs (CRIL), including crypto phishing attempts using fake FIFA airdrops, fake ticket sales, fraudulent giveaways, malicious Android apps, an increase in FIFA betting sites, and a lot more. Scammers spreading messages on WhatsApp stating that FIFA is providing free 50GB bandwidth for everyone to view the 2022 FIFA World Cup in Qatar.", "modified": "2022-12-13T22:05:52.164000", "created": "2022-12-13T22:05:52.164000", "tags": [ "android", "info", "redline", "infostealer", "qatar", "osint", "data leak", "redline stealer", "world cup", "ripple", "cybercriminals", "non fungible tokens", "fake tickets", "btc", "crypto wallets", "iphone", "fifa", "monero", "binanace", "cryptocurrency", "ipads", "youtube", "malware", "whatsapp", "android rat", "facebook", "phishing", "threat intelligence", "fifa2022", "darkweb", "kora442", "threat actors", "fifa world", "cril", "qr code", "facebook page", "download", "protect" ], "references": [ "https://blog.cyble.com/2022/12/09/threat-actors-targeting-fans-amid-fifa-world-cup-fever/" ], "public": 1, "adversary": "", "targeted_countries": [ "Qatar", "India", "Singapore", "Australia", "Georgia" ], "malware_families": [ { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Info", "display_name": "Info", "target": null }, { "id": "Android", "display_name": "Android", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1433", "name": "Access Call Log", "display_name": "T1433 - Access Call Log" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1517", "name": "Access Notifications", "display_name": "T1517 - Access Notifications" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1533", "name": "Data from Local System", "display_name": "T1533 - Data from Local System" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 305, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Provintell-Lab", "id": "112104", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 3, "hostname": 2 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 251, "modified_text": "1224 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6398f71aa923baf76971a0ea", "name": "VTA- Scam Alerts in WhatsApp Message to Offer Users Free Data to Watch FIFA World Cup", "description": "Threat actors targeted unsuspecting individuals with malicious activities that included the FIFA World Cup as a theme. The popularity of the FIFA World Cup is being abused by a number of scams, according to Cyble Research & Intelligence Labs (CRIL), including crypto phishing attempts using fake FIFA airdrops, fake ticket sales, fraudulent giveaways, malicious Android apps, an increase in FIFA betting sites, and a lot more. Scammers spreading messages on WhatsApp stating that FIFA is providing free 50GB bandwidth for everyone to view the 2022 FIFA World Cup in Qatar.", "modified": "2022-12-13T22:05:14.451000", "created": "2022-12-13T22:05:14.451000", "tags": [ "android", "info", "redline", "infostealer", "qatar", "osint", "data leak", "redline stealer", "world cup", "ripple", "cybercriminals", "non fungible tokens", "fake tickets", "btc", "crypto wallets", "iphone", "fifa", "monero", "binanace", "cryptocurrency", "ipads", "youtube", "malware", "whatsapp", "android rat", "facebook", "phishing", "threat intelligence", "fifa2022", "darkweb", "kora442", "threat actors", "fifa world", "cril", "qr code", "facebook page", "download", "protect" ], "references": [ "https://blog.cyble.com/2022/12/09/threat-actors-targeting-fans-amid-fifa-world-cup-fever/" ], "public": 1, "adversary": "", "targeted_countries": [ "Qatar", "India", "Singapore", "Australia", "Georgia" ], "malware_families": [ { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Info", "display_name": "Info", "target": null }, { "id": "Android", "display_name": "Android", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1433", "name": "Access Call Log", "display_name": "T1433 - Access Call Log" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1517", "name": "Access Notifications", "display_name": "T1517 - Access Notifications" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1533", "name": "Data from Local System", "display_name": "T1533 - Data from Local System" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 306, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Provintell-Lab", "id": "112104", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 3, "hostname": 2 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 251, "modified_text": "1224 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "639312917e50a5e5d809c93b", "name": "Cyble - Threat Actors Targeting Fans Amid FIFA World Cup Fever", "description": "Cyble Research & Intelligence Labs (CRIL) has identified a number of scams exploiting the popularity of the 2022 FIFA World Cup, including crypto phishing schemes using the football theme to lure victims.", "modified": "2022-12-09T10:48:49.098000", "created": "2022-12-09T10:48:49.098000", "tags": [ "android", "info", "redline", "threat actors", "whatsapp", "phishing", "qatar", "threat intelligence", "malware", "data leak", "redline stealer", "binanace", "cryptocurrency", "infostealer", "non fungible tokens", "world cup", "android rat", "fifa", "cybercriminals", "btc", "kora442", "fifa2022", "ripple", "fake tickets", "iphone", "osint", "monero", "ipads", "youtube", "crypto wallets", "darkweb", "facebook", "fifa world", "cril", "qr code", "facebook page", "download", "protect" ], "references": [ "https://blog.cyble.com/2022/12/09/threat-actors-targeting-fans-amid-fifa-world-cup-fever/" ], "public": 1, "adversary": "", "targeted_countries": [ "India", "Singapore", "Australia", "Georgia", "Qatar" ], "malware_families": [ { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Info", "display_name": "Info", "target": null }, { "id": "Android", "display_name": "Android", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1433", "name": "Access Call Log", "display_name": "T1433 - Access Call Log" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1517", "name": "Access Notifications", "display_name": "T1517 - Access Notifications" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1533", "name": "Data from Local System", "display_name": "T1533 - Data from Local System" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 3, "hostname": 2 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 848, "modified_text": "1228 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63930e427a0fa505027c270c", "name": "Cyble — Threat Actors Targeting Fans Amid FIFA World Cup Fever", "description": "Cyble Research & Intelligence Labs (CRIL) has identified a number of scams exploiting the popularity of the 2022 FIFA World Cup, including crypto phishing schemes using the football theme to lure victims.", "modified": "2022-12-09T10:30:26.560000", "created": "2022-12-09T10:30:26.560000", "tags": [ "android", "info", "redline", "threat actors", "whatsapp", "phishing", "qatar", "threat intelligence", "malware", "data leak", "redline stealer", "binanace", "cryptocurrency", "infostealer", "non fungible tokens", "world cup", "android rat", "fifa", "cybercriminals", "btc", "kora442", "fifa2022", "ripple", "fake tickets", "iphone", "osint", "monero", "ipads", "youtube", "crypto wallets", "darkweb", "facebook", "fifa world", "cril", "qr code", "facebook page", "download", "protect" ], "references": [ "https://blog.cyble.com/2022/12/09/threat-actors-targeting-fans-amid-fifa-world-cup-fever/" ], "public": 1, "adversary": "", "targeted_countries": [ "India", "Singapore", "Australia", "Georgia", "Qatar" ], "malware_families": [ { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Info", "display_name": "Info", "target": null }, { "id": "Android", "display_name": "Android", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1433", "name": "Access Call Log", "display_name": "T1433 - Access Call Log" }, { "id": "T1476", "name": "Deliver Malicious App via Other Means", "display_name": "T1476 - Deliver Malicious App via Other Means" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1517", "name": "Access Notifications", "display_name": "T1517 - Access Notifications" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1533", "name": "Data from Local System", "display_name": "T1533 - Data from Local System" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rajeevranjancom", "id": "210113", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 3, "domain": 3, "hostname": 2 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "1228 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.playskeep.com/fifa-23", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.playskeep.com/fifa-23", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776736045.4818475 }