{ "type": "URL", "indicator": "https://www.winitor.com/A", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.winitor.com/A", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3764857822, "indicator": "https://www.winitor.com/A", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "651e76b00993243fd03be501", "name": "Microsoft Teams Phishing Attack Using Darkgate Malware", "description": "", "modified": "2023-11-04T08:03:56.538000", "created": "2023-10-05T08:41:20.201000", "tags": [ "microsoft teams", "truesec", "darkgate", "darkgate loader", "june", "microsoft", "zerofox", "august", "office", "zip file", "autoit", "chat", "screenshotter", "sophos", "linux", "blog", "response", "cybersecurity", "autoit script", "strong", "lnk file", "sharepoint", "virustotal", "malspam", "emotet", "team", "malware", "teams malspam", "tisifi", "pe file", "c2 server", "windows", "xor key", "msi file", "delphi", "ttps", "discord", "nirsoft", "stub", "jumpsec", "max corbridge", "tom ellson", "red team", "corbridge", "client", "jumpsec red", "teamsphisher", "teams", "post request", "andrea santese", "kanbach" ], "references": [ "September 10th 2023 - CryptoGen Cyber Threat Intelligence - #3215 - Microsoft Teams Phishing Attack Using Darkgate Malware" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sophos", "display_name": "Sophos", "target": null }, { "id": "Linux", "display_name": "Linux", "target": null }, { "id": "Teams Malspam", "display_name": "Teams Malspam", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Microsoft Teams", "display_name": "Microsoft Teams", "target": null }, { "id": "Tisifi", "display_name": "Tisifi", "target": null }, { "id": "DarkGate", "display_name": "DarkGate", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 20, "URL": 37, "email": 3, "hostname": 5, "domain": 7 }, "indicator_count": 83, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "940 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "September 10th 2023 - CryptoGen Cyber Threat Intelligence - #3215 - Microsoft Teams Phishing Attack Using Darkgate Malware" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Emotet", "Teams malspam", "Sophos", "Tisifi", "Linux", "Microsoft teams", "Darkgate" ], "industries": [], "unique_indicators": 92 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/winitor.com", "whois": "http://whois.domaintools.com/winitor.com", "domain": "winitor.com", "hostname": "www.winitor.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "651e76b00993243fd03be501", "name": "Microsoft Teams Phishing Attack Using Darkgate Malware", "description": "", "modified": "2023-11-04T08:03:56.538000", "created": "2023-10-05T08:41:20.201000", "tags": [ "microsoft teams", "truesec", "darkgate", "darkgate loader", "june", "microsoft", "zerofox", "august", "office", "zip file", "autoit", "chat", "screenshotter", "sophos", "linux", "blog", "response", "cybersecurity", "autoit script", "strong", "lnk file", "sharepoint", "virustotal", "malspam", "emotet", "team", "malware", "teams malspam", "tisifi", "pe file", "c2 server", "windows", "xor key", "msi file", "delphi", "ttps", "discord", "nirsoft", "stub", "jumpsec", "max corbridge", "tom ellson", "red team", "corbridge", "client", "jumpsec red", "teamsphisher", "teams", "post request", "andrea santese", "kanbach" ], "references": [ "September 10th 2023 - CryptoGen Cyber Threat Intelligence - #3215 - Microsoft Teams Phishing Attack Using Darkgate Malware" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sophos", "display_name": "Sophos", "target": null }, { "id": "Linux", "display_name": "Linux", "target": null }, { "id": "Teams Malspam", "display_name": "Teams Malspam", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Microsoft Teams", "display_name": "Microsoft Teams", "target": null }, { "id": "Tisifi", "display_name": "Tisifi", "target": null }, { "id": "DarkGate", "display_name": "DarkGate", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 20, "URL": 37, "email": 3, "hostname": 5, "domain": 7 }, "indicator_count": 83, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "940 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.winitor.com/A", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.winitor.com/A", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780303675.9346848 }