{ "type": "URL", "indicator": "https://www.rockcreekdds.com/wp-content/1.hta", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.rockcreekdds.com/wp-content/1.hta", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3888795521, "indicator": "https://www.rockcreekdds.com/wp-content/1.hta", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "666162acc519496e8fdc8a0b", "name": "Warning Against Phishing Emails Prompting Execution of Commands via Paste", "description": "This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exercising caution with files from unknown sources.", "modified": "2024-06-06T07:34:53.388000", "created": "2024-06-06T07:18:04.975000", "tags": [ "phishing", "emails", "malicious", "darkgate", "commands", "powershell" ], "references": [ "https://asec.ahnlab.com/en/66300/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "DarkGate", "display_name": "DarkGate", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1136.002", "name": "Domain Account", "display_name": "T1136.002 - Domain Account" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 355, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "URL": 9, "domain": 5, "hostname": 1 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 386480, "modified_text": "723 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d9eb082ba8ee6c0db1c9cf", "name": "urlhaus.abuse.ch", "description": "", "modified": "2024-10-05T17:03:18.260000", "created": "2024-09-05T17:31:52.439000", "tags": [ "nda0e", "mozi", "clearlynotb", "coinminer", "cobaltstrike", "bitsight", "guloader", "redlinestealer", "stealc", "lummastealer", "vidar", "ransomware", "remcosrat", "asyncrat", "gandcrab", "agenttesla", "amadey", "systembc", "recordbreaker", "quasarrat", "spynote", "formbook", "babadeda", "metasploit", "metastealer", "loki", "blackmoon", "loader", "raccoonstealer", "piratestealer", "dridex", "cobalt strike", "stormkitty", "darktortilla", "venomrat", "sliver", "avemariarat", "neshta", "triada", "fakechrome", "grayware", "danabot", "darkgate", "connectback", "troldesh", "rhadamanthys", "nukesped", "tofsee", "purplefox", "earthworm", "azorult", "redosdru", "getshell", "donut", "aurora stealer", "laplasclipper", "redline", "wingo", "flyagent", "darkside", "badpotato", "juicypotato", "dharma", "casbaneiro", "clearfake", "parallax", "parallaxrat", "phonk", "qakbot", "purecrypter", "revengerat" ], "references": [ "https://urlhaus.abuse.ch/downloads/json_online/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 95, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "JohnnyCS", "id": "293079", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 9, "FileHash-MD5": 3, "FileHash-SHA1": 8, "URL": 7927, "domain": 119, "hostname": 162 }, "indicator_count": 8228, "is_author": false, "is_subscribing": null, "subscriber_count": 2, "modified_text": "602 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "664691ffaa3f0b9ad1cf3b65", "name": "URLHaus data - 16-05-2024", "description": "", "modified": "2024-06-15T23:00:48.837000", "created": "2024-05-16T23:08:45.858000", "tags": [ "32-bit", "elf", "mips", "Mozi", "arm", "mirai", "ddos", "dropped-by-PrivateLoader", "Stealc", "encrypted", "exe", "remcos", "dropped-by-SmokeLoader", "Formbook", "32", "gcleaner", "doc", "ascii", "Encoded", "geofenced", "USA", "GuLoader", "AgentTesla", "DBatLoader", "powershell", "ps1", "hta", "rat", "RemcosRAT", "Loki", "PureLogStealer", "xworm", "CoinMiner", "byob", "bat", "cmd", "hajime", "AsyncRAT", "lnk", "VenomRAT", "CVE-2021-44228", "java-bytecode", "log4j", "log4shell", "vbs", "trojan", "msi", "Ousaban", "zip", "kryptik", "mp4", "powershelldropper", "vbs-dropper", "zbot", "kaji", "64", "CobaltStrike", "adbape", "Gh0stRAT", "zusy", "baseloader", "marte", "orcus", "orcusrat", "blamon", "tag:farfli", "shellscript", "Autogenerated-phishing", "pw-123", "scr", "QuasarRAT", "Metasploit", "meterpreter", "CVE-2022-0847", "netcat", "discord", "github", "npm", "supplychain", "dll", "HyperBro", "DarkGate", "64-bit", "x86-64", "downloader", "script", "powedon", "gafgyt" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 999, "domain": 19, "hostname": 23 }, "indicator_count": 1041, "is_author": false, "is_subscribing": null, "subscriber_count": 1620, "modified_text": "714 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6662d357439f5f13ac888b7a", "name": "Warning Against Phishing Emails Prompting Execution of Commands via Paste (CTRL+V) - ASEC BLOG", "description": "", "modified": "2024-06-07T09:31:03.677000", "created": "2024-06-07T09:31:03.677000", "tags": [ "figure", "ctrlv", "autoit", "ahnlab", "ahnlab security", "center", "asec", "html", "html file", "ms word" ], "references": [ "https://asec.ahnlab.com/en/66300/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "FileHash-SHA1": 10, "FileHash-SHA256": 10, "URL": 9, "domain": 5, "hostname": 1 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "722 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://asec.ahnlab.com/en/66300/", "https://urlhaus.abuse.ch/browse/", "https://urlhaus.abuse.ch/downloads/json_online/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Darkgate" ], "industries": [], "unique_indicators": 27 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 12152 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/rockcreekdds.com", "whois": "http://whois.domaintools.com/rockcreekdds.com", "domain": "rockcreekdds.com", "hostname": "www.rockcreekdds.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "666162acc519496e8fdc8a0b", "name": "Warning Against Phishing Emails Prompting Execution of Commands via Paste", "description": "This report details a phishing campaign distributing malicious HTML files through emails. The files prompt users to paste and run malicious PowerShell commands that initiate a multi-stage infection process. The campaign ultimately delivers the DarkGate malware, highlighting the importance of exercising caution with files from unknown sources.", "modified": "2024-06-06T07:34:53.388000", "created": "2024-06-06T07:18:04.975000", "tags": [ "phishing", "emails", "malicious", "darkgate", "commands", "powershell" ], "references": [ "https://asec.ahnlab.com/en/66300/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "DarkGate", "display_name": "DarkGate", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1136.002", "name": "Domain Account", "display_name": "T1136.002 - Domain Account" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 355, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "URL": 9, "domain": 5, "hostname": 1 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 386480, "modified_text": "723 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d9eb082ba8ee6c0db1c9cf", "name": "urlhaus.abuse.ch", "description": "", "modified": "2024-10-05T17:03:18.260000", "created": "2024-09-05T17:31:52.439000", "tags": [ "nda0e", "mozi", "clearlynotb", "coinminer", "cobaltstrike", "bitsight", "guloader", "redlinestealer", "stealc", "lummastealer", "vidar", "ransomware", "remcosrat", "asyncrat", "gandcrab", "agenttesla", "amadey", "systembc", "recordbreaker", "quasarrat", "spynote", "formbook", "babadeda", "metasploit", "metastealer", "loki", "blackmoon", "loader", "raccoonstealer", "piratestealer", "dridex", "cobalt strike", "stormkitty", "darktortilla", "venomrat", "sliver", "avemariarat", "neshta", "triada", "fakechrome", "grayware", "danabot", "darkgate", "connectback", "troldesh", "rhadamanthys", "nukesped", "tofsee", "purplefox", "earthworm", "azorult", "redosdru", "getshell", "donut", "aurora stealer", "laplasclipper", "redline", "wingo", "flyagent", "darkside", "badpotato", "juicypotato", "dharma", "casbaneiro", "clearfake", "parallax", "parallaxrat", "phonk", "qakbot", "purecrypter", "revengerat" ], "references": [ "https://urlhaus.abuse.ch/downloads/json_online/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 95, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "JohnnyCS", "id": "293079", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 9, "FileHash-MD5": 3, "FileHash-SHA1": 8, "URL": 7927, "domain": 119, "hostname": 162 }, "indicator_count": 8228, "is_author": false, "is_subscribing": null, "subscriber_count": 2, "modified_text": "602 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "664691ffaa3f0b9ad1cf3b65", "name": "URLHaus data - 16-05-2024", "description": "", "modified": "2024-06-15T23:00:48.837000", "created": "2024-05-16T23:08:45.858000", "tags": [ "32-bit", "elf", "mips", "Mozi", "arm", "mirai", "ddos", "dropped-by-PrivateLoader", "Stealc", "encrypted", "exe", "remcos", "dropped-by-SmokeLoader", "Formbook", "32", "gcleaner", "doc", "ascii", "Encoded", "geofenced", "USA", "GuLoader", "AgentTesla", "DBatLoader", "powershell", "ps1", "hta", "rat", "RemcosRAT", "Loki", "PureLogStealer", "xworm", "CoinMiner", "byob", "bat", "cmd", "hajime", "AsyncRAT", "lnk", "VenomRAT", "CVE-2021-44228", "java-bytecode", "log4j", "log4shell", "vbs", "trojan", "msi", "Ousaban", "zip", "kryptik", "mp4", "powershelldropper", "vbs-dropper", "zbot", "kaji", "64", "CobaltStrike", "adbape", "Gh0stRAT", "zusy", "baseloader", "marte", "orcus", "orcusrat", "blamon", "tag:farfli", "shellscript", "Autogenerated-phishing", "pw-123", "scr", "QuasarRAT", "Metasploit", "meterpreter", "CVE-2022-0847", "netcat", "discord", "github", "npm", "supplychain", "dll", "HyperBro", "DarkGate", "64-bit", "x86-64", "downloader", "script", "powedon", "gafgyt" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 62, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 999, "domain": 19, "hostname": 23 }, "indicator_count": 1041, "is_author": false, "is_subscribing": null, "subscriber_count": 1620, "modified_text": "714 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6662d357439f5f13ac888b7a", "name": "Warning Against Phishing Emails Prompting Execution of Commands via Paste (CTRL+V) - ASEC BLOG", "description": "", "modified": "2024-06-07T09:31:03.677000", "created": "2024-06-07T09:31:03.677000", "tags": [ "figure", "ctrlv", "autoit", "ahnlab", "ahnlab security", "center", "asec", "html", "html file", "ms word" ], "references": [ "https://asec.ahnlab.com/en/66300/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "FileHash-SHA1": 10, "FileHash-SHA256": 10, "URL": 9, "domain": 5, "hostname": 1 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "722 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.rockcreekdds.com/wp-content/1.hta", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.rockcreekdds.com/wp-content/1.hta", "type": "URL", "found": true, "verdict": "malicious", "url_status": "offline", "threat": "malware_download", "tags": [ "DarkGate", "hta" ], "date_added": "2024-05-16", "last_online": "2024-10-09", "reporter": "NDA0E", "host": "www.rockcreekdds.com", "payloads": [ { "filename": null, "file_type": "hta", "md5": "a77becccca5571c00ebc9e516fd96ce8", "sha256": "5c204217d48f2565990dfdf2269c26113bd14c204484d8f466fb873312da80cf", "signature": "DarkGate", "first_seen": "2024-05-16" } ], "error": null }, "from_cache": true, "_cached_at": 1780205747.8283134 }