{ "type": "URL", "indicator": "https://x64dbg.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://x64dbg.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3848065464, "indicator": "https://x64dbg.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "65e0cf54bfb52f1ba760d092", "name": "Dissecting DarkGate: Modular Malware Delivery and Persistence as a Service", "description": "This report analyzes a phishing PDF that led to the delivery of a signed MSI file containing layered stages designed to avoid detection and deliver the DarkGate malware for persistence and remote access. The analysis covers extracting and decrypting the stages to uncover the final payload.", "modified": "2024-03-30T18:00:32.423000", "created": "2024-02-29T18:39:16.623000", "tags": [ "extraction", "msi", "evasion", "decryption", "phishing", "darkgate", "pdf" ], "references": [ "https://isc.sans.edu/diary/Guest+Diary+Dissecting+DarkGate+Modular+Malware+Delivery+and+Persistence+as+a+Service/30700" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "DarkGate", "display_name": "DarkGate", "target": null } ], "attack_ids": [ { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 379, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 11, "URL": 4, "domain": 2 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 386531, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://isc.sans.edu/diary/Guest+Diary+Dissecting+DarkGate+Modular+Malware+Delivery+and+Persistence+as+a+Service/30700" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Darkgate" ], "industries": [], "unique_indicators": 23 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/x64dbg.com", "whois": "http://whois.domaintools.com/x64dbg.com", "domain": "x64dbg.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "65e0cf54bfb52f1ba760d092", "name": "Dissecting DarkGate: Modular Malware Delivery and Persistence as a Service", "description": "This report analyzes a phishing PDF that led to the delivery of a signed MSI file containing layered stages designed to avoid detection and deliver the DarkGate malware for persistence and remote access. The analysis covers extracting and decrypting the stages to uncover the final payload.", "modified": "2024-03-30T18:00:32.423000", "created": "2024-02-29T18:39:16.623000", "tags": [ "extraction", "msi", "evasion", "decryption", "phishing", "darkgate", "pdf" ], "references": [ "https://isc.sans.edu/diary/Guest+Diary+Dissecting+DarkGate+Modular+Malware+Delivery+and+Persistence+as+a+Service/30700" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "DarkGate", "display_name": "DarkGate", "target": null } ], "attack_ids": [ { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 379, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 11, "URL": 4, "domain": 2 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 386531, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://x64dbg.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://x64dbg.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780234571.0436053 }