{ "type": "Domain", "indicator": "infntio.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/infntio.com", "alexa": "http://www.alexa.com/siteinfo/infntio.com", "indicator": "infntio.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3464439141, "indicator": "infntio.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "62da79e8ce00d5eb8497f01c", "name": "EvilNum Targets Cryptocurrency, Forex, Commodities", "description": "Since late 2021 through the present, Proofpoint Threat Research observed the group Proofpoint calls TA4563 targeting various European financial and investment entities with the malware known as EvilNum. The actor exclusively targeted entities in the Decentralized Finance (DeFi) industry in recently observed campaigns. The identified campaigns delivered an updated version of the EvilNum backdoor using a varied mix of ISO, Microsoft Word and Shortcut (LNK) files in late 2021 and early 2022, presumably as a method of testing the efficacy of the delivery methods. This malware can be used for reconnaissance, data theft, and to deploy additional payloads.", "modified": "2022-07-22T10:20:23.613000", "created": "2022-07-22T10:20:23.613000", "tags": [ "evilnum", "ta4563", "apt" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities" ], "public": 1, "adversary": "TA4563", "targeted_countries": [], "malware_families": [ { "id": "EvilNum", "display_name": "EvilNum", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [ "Finance", "Investment" ], "TLP": "white", "cloned_from": null, "export_count": 371, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "email": 5, "URL": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "domain": 15 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 386541, "modified_text": "1409 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62f429716a78bbd65470a1dd", "name": "DeathStalker\u2019s VileRAT continues attacks", "description": "", "modified": "2022-09-10T00:03:24.542000", "created": "2022-08-10T21:56:01.458000", "tags": [], "references": [ "August 10th, 2022 - CryptoGen Cyber Threat Intelligence - DeathStalker\u2019s VileRAT continues attacks.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 23, "FileHash-SHA256": 23, "domain": 289 }, "indicator_count": 479, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "1359 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62f39bea761e100053d4b6b1", "name": "VileRAT: DeathStalker\u2019s continuous strike at foreign and cryptocurrency exchanges | Securelist", "description": "Kaspersky has identified and identified the VileRAT malware used in a series of attacks against foreign exchange and cryptocurrency trading companies, as part of a multi-million dollar global cyber-attack campaign.", "modified": "2022-09-09T00:01:45.877000", "created": "2022-08-10T11:52:10.044000", "tags": [ "vileloader", "deathstalker", "python3", "evilnum", "maui", "stonefly", "cryptocurrencies", "malware descriptions", "malware technologies", "rat trojan", "targeted attacks", "vilerat", "viledropper", "0x1dbcbb", "figure", "c2 server", "generaltext", "win64", "khtml", "june", "powerpepper", "august", "pyvil", "target", "python", "back", "next", "term" ], "references": [ "https://securelist.com/vilerat-deathstalkers-continuous-strike/107075/" ], "public": 1, "adversary": "", "targeted_countries": [ "Afghanistan", "United Arab Emirates", "Malta", "Kuwait", "Germany", "Cyprus", "Bulgaria" ], "malware_families": [ { "id": "VileLoader", "display_name": "VileLoader", "target": null }, { "id": "DeathStalker", "display_name": "DeathStalker", "target": null }, { "id": "Stonefly", "display_name": "Stonefly", "target": null }, { "id": "Maui", "display_name": "Maui", "target": null }, { "id": "EVILNUM", "display_name": "EVILNUM", "target": null }, { "id": "Python3", "display_name": "Python3", "target": null } ], "attack_ids": [ { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [ "Ics" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "shaliniverma", "id": "160811", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 104, "FileHash-SHA1": 23, "FileHash-SHA256": 23, "URL": 5, "domain": 238, "hostname": 1 }, "indicator_count": 394, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "1360 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62f3b0ce9eba3566a337a0b7", "name": "DeathStalker\u2019s VileRAT continues attacks", "description": "", "modified": "2022-09-09T00:01:45.877000", "created": "2022-08-10T13:21:18.565000", "tags": [], "references": [ "August 10th, 2022 - CryptoGen Cyber Threat Intelligence - DeathStalker\u2019s VileRAT continues attacks.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 23, "FileHash-SHA256": 23, "domain": 289 }, "indicator_count": 479, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "1360 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62daf40054474d0014485ef5", "name": "EvilNum", "description": "IOCs associated with EvilNum", "modified": "2022-07-22T19:01:20.504000", "created": "2022-07-22T19:01:20.504000", "tags": [], "references": [ "IOCs_7.22.22.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "lsong@perimeterwatch.com", "id": "191915", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "domain": 11 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "1408 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62da8e4c993b2bbfe3a74d25", "name": "EvilNum IOCs", "description": "Indicator-based results for all of the key indicators used by the BBC in the 2016/17 TV and radio seasons. and for the 2017/18 TV season, as well as the 2015/16 season.", "modified": "2022-07-22T11:47:24.158000", "created": "2022-07-22T11:47:24.158000", "tags": [ "command", "march", "december", "control domain", "control url", "sender email", "word doc", "payload domain", "june", "sha256 sample", "april" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "brazen.fox.thirteen", "id": "155136", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "domain": 14, "email": 4 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "1409 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62da839f9c68eaa4ae361633", "name": "EvilNum IOCs", "description": "Indicator-based results for all of the key indicators used by the BBC in the 2016/17 TV and radio seasons. and for the 2017/18 TV season, as well as the 2015/16 season.", "modified": "2022-07-22T11:01:51.311000", "created": "2022-07-22T11:01:51.311000", "tags": [ "command", "march", "december", "control domain", "control url", "sender email", "word doc", "payload domain", "june", "sha256 sample", "april" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "brazen.fox.thirteen", "id": "155136", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "domain": 14, "email": 4 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "1409 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62da57b9c047da0555eb3985", "name": "Buy, Sell, Steal, EvilNum Targets Cryptocurrency, Forex, Commodities | Proofpoint US", "description": "Find out more about Proofpoint and how to protect your people, data and brand from the latest security threats and the deep and dark web. the company's products and services are on sale across the world.", "modified": "2022-07-22T07:54:33.504000", "created": "2022-07-22T07:54:33.504000", "tags": [ "evilnum", "proofpoint", "javascript", "golden chickens", "ta4563", "command", "march", "december", "learn", "control domain", "sell", "steal", "june", "powershell", "ransomware", "stop ransomware", "protect", "small", "tools", "april", "demo" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities" ], "public": 1, "adversary": "EvilNum", "targeted_countries": [], "malware_families": [ { "id": "EvilNum", "display_name": "EvilNum", "target": null }, { "id": "Golden Chickens", "display_name": "Golden Chickens", "target": null }, { "id": "JavaScript", "display_name": "JavaScript", "target": null }, { "id": "Proofpoint", "display_name": "Proofpoint", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Finance", "Investment", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 5, "URL": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "domain": 15 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1409 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62d9a05ffd1e72495f03f7e6", "name": "Buy, Sell, Steal, EvilNum Targets Cryptocurrency, Forex, Commodities | Proofpoint US", "description": "Find out more about Proofpoint and how to protect your people, data and brand from the latest security threats and the deep and dark web. the company's products and services are on sale across the world.", "modified": "2022-07-21T18:52:15.315000", "created": "2022-07-21T18:52:15.315000", "tags": [ "evilnum", "proofpoint", "javascript", "golden chickens", "ta4563", "command", "march", "december", "learn", "control domain", "sell", "steal", "june", "powershell", "ransomware", "stop ransomware", "protect", "small", "tools", "april", "demo" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities" ], "public": 1, "adversary": "EvilNum", "targeted_countries": [], "malware_families": [ { "id": "EvilNum", "display_name": "EvilNum", "target": null }, { "id": "Golden Chickens", "display_name": "Golden Chickens", "target": null }, { "id": "JavaScript", "display_name": "JavaScript", "target": null }, { "id": "Proofpoint", "display_name": "Proofpoint", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Finance", "Investment", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "domain": 15, "email": 4 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 356, "modified_text": "1409 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs_7.22.22.txt", "https://securelist.com/vilerat-deathstalkers-continuous-strike/107075/", "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities", "August 10th, 2022 - CryptoGen Cyber Threat Intelligence - DeathStalker\u2019s VileRAT continues attacks.pdf" ], "related": { "alienvault": { "adversary": [ "TA4563" ], "malware_families": [ "Evilnum" ], "industries": [ "Finance", "Investment" ] }, "other": { "adversary": [ "EvilNum" ], "malware_families": [ "Vileloader", "Maui", "Python3", "Stonefly", "Deathstalker", "Evilnum", "Golden chickens", "Javascript", "Proofpoint" ], "industries": [ "Finance", "Investment", "Financial", "Ics" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "62da79e8ce00d5eb8497f01c", "name": "EvilNum Targets Cryptocurrency, Forex, Commodities", "description": "Since late 2021 through the present, Proofpoint Threat Research observed the group Proofpoint calls TA4563 targeting various European financial and investment entities with the malware known as EvilNum. The actor exclusively targeted entities in the Decentralized Finance (DeFi) industry in recently observed campaigns. The identified campaigns delivered an updated version of the EvilNum backdoor using a varied mix of ISO, Microsoft Word and Shortcut (LNK) files in late 2021 and early 2022, presumably as a method of testing the efficacy of the delivery methods. This malware can be used for reconnaissance, data theft, and to deploy additional payloads.", "modified": "2022-07-22T10:20:23.613000", "created": "2022-07-22T10:20:23.613000", "tags": [ "evilnum", "ta4563", "apt" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities" ], "public": 1, "adversary": "TA4563", "targeted_countries": [], "malware_families": [ { "id": "EvilNum", "display_name": "EvilNum", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [ "Finance", "Investment" ], "TLP": "white", "cloned_from": null, "export_count": 371, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "email": 5, "URL": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "domain": 15 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 386541, "modified_text": "1409 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62f429716a78bbd65470a1dd", "name": "DeathStalker\u2019s VileRAT continues attacks", "description": "", "modified": "2022-09-10T00:03:24.542000", "created": "2022-08-10T21:56:01.458000", "tags": [], "references": [ "August 10th, 2022 - CryptoGen Cyber Threat Intelligence - DeathStalker\u2019s VileRAT continues attacks.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 23, "FileHash-SHA256": 23, "domain": 289 }, "indicator_count": 479, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "1359 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62f39bea761e100053d4b6b1", "name": "VileRAT: DeathStalker\u2019s continuous strike at foreign and cryptocurrency exchanges | Securelist", "description": "Kaspersky has identified and identified the VileRAT malware used in a series of attacks against foreign exchange and cryptocurrency trading companies, as part of a multi-million dollar global cyber-attack campaign.", "modified": "2022-09-09T00:01:45.877000", "created": "2022-08-10T11:52:10.044000", "tags": [ "vileloader", "deathstalker", "python3", "evilnum", "maui", "stonefly", "cryptocurrencies", "malware descriptions", "malware technologies", "rat trojan", "targeted attacks", "vilerat", "viledropper", "0x1dbcbb", "figure", "c2 server", "generaltext", "win64", "khtml", "june", "powerpepper", "august", "pyvil", "target", "python", "back", "next", "term" ], "references": [ "https://securelist.com/vilerat-deathstalkers-continuous-strike/107075/" ], "public": 1, "adversary": "", "targeted_countries": [ "Afghanistan", "United Arab Emirates", "Malta", "Kuwait", "Germany", "Cyprus", "Bulgaria" ], "malware_families": [ { "id": "VileLoader", "display_name": "VileLoader", "target": null }, { "id": "DeathStalker", "display_name": "DeathStalker", "target": null }, { "id": "Stonefly", "display_name": "Stonefly", "target": null }, { "id": "Maui", "display_name": "Maui", "target": null }, { "id": "EVILNUM", "display_name": "EVILNUM", "target": null }, { "id": "Python3", "display_name": "Python3", "target": null } ], "attack_ids": [ { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [ "Ics" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "shaliniverma", "id": "160811", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 104, "FileHash-SHA1": 23, "FileHash-SHA256": 23, "URL": 5, "domain": 238, "hostname": 1 }, "indicator_count": 394, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "1360 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62f3b0ce9eba3566a337a0b7", "name": "DeathStalker\u2019s VileRAT continues attacks", "description": "", "modified": "2022-09-09T00:01:45.877000", "created": "2022-08-10T13:21:18.565000", "tags": [], "references": [ "August 10th, 2022 - CryptoGen Cyber Threat Intelligence - DeathStalker\u2019s VileRAT continues attacks.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 144, "FileHash-SHA1": 23, "FileHash-SHA256": 23, "domain": 289 }, "indicator_count": 479, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "1360 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62daf40054474d0014485ef5", "name": "EvilNum", "description": "IOCs associated with EvilNum", "modified": "2022-07-22T19:01:20.504000", "created": "2022-07-22T19:01:20.504000", "tags": [], "references": [ "IOCs_7.22.22.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "lsong@perimeterwatch.com", "id": "191915", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "domain": 11 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "1408 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62da8e4c993b2bbfe3a74d25", "name": "EvilNum IOCs", "description": "Indicator-based results for all of the key indicators used by the BBC in the 2016/17 TV and radio seasons. and for the 2017/18 TV season, as well as the 2015/16 season.", "modified": "2022-07-22T11:47:24.158000", "created": "2022-07-22T11:47:24.158000", "tags": [ "command", "march", "december", "control domain", "control url", "sender email", "word doc", "payload domain", "june", "sha256 sample", "april" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "brazen.fox.thirteen", "id": "155136", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "domain": 14, "email": 4 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "1409 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62da839f9c68eaa4ae361633", "name": "EvilNum IOCs", "description": "Indicator-based results for all of the key indicators used by the BBC in the 2016/17 TV and radio seasons. and for the 2017/18 TV season, as well as the 2015/16 season.", "modified": "2022-07-22T11:01:51.311000", "created": "2022-07-22T11:01:51.311000", "tags": [ "command", "march", "december", "control domain", "control url", "sender email", "word doc", "payload domain", "june", "sha256 sample", "april" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "brazen.fox.thirteen", "id": "155136", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "domain": 14, "email": 4 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "1409 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62da57b9c047da0555eb3985", "name": "Buy, Sell, Steal, EvilNum Targets Cryptocurrency, Forex, Commodities | Proofpoint US", "description": "Find out more about Proofpoint and how to protect your people, data and brand from the latest security threats and the deep and dark web. the company's products and services are on sale across the world.", "modified": "2022-07-22T07:54:33.504000", "created": "2022-07-22T07:54:33.504000", "tags": [ "evilnum", "proofpoint", "javascript", "golden chickens", "ta4563", "command", "march", "december", "learn", "control domain", "sell", "steal", "june", "powershell", "ransomware", "stop ransomware", "protect", "small", "tools", "april", "demo" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities" ], "public": 1, "adversary": "EvilNum", "targeted_countries": [], "malware_families": [ { "id": "EvilNum", "display_name": "EvilNum", "target": null }, { "id": "Golden Chickens", "display_name": "Golden Chickens", "target": null }, { "id": "JavaScript", "display_name": "JavaScript", "target": null }, { "id": "Proofpoint", "display_name": "Proofpoint", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Finance", "Investment", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 5, "URL": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "domain": 15 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "1409 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62d9a05ffd1e72495f03f7e6", "name": "Buy, Sell, Steal, EvilNum Targets Cryptocurrency, Forex, Commodities | Proofpoint US", "description": "Find out more about Proofpoint and how to protect your people, data and brand from the latest security threats and the deep and dark web. the company's products and services are on sale across the world.", "modified": "2022-07-21T18:52:15.315000", "created": "2022-07-21T18:52:15.315000", "tags": [ "evilnum", "proofpoint", "javascript", "golden chickens", "ta4563", "command", "march", "december", "learn", "control domain", "sell", "steal", "june", "powershell", "ransomware", "stop ransomware", "protect", "small", "tools", "april", "demo" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities" ], "public": 1, "adversary": "EvilNum", "targeted_countries": [], "malware_families": [ { "id": "EvilNum", "display_name": "EvilNum", "target": null }, { "id": "Golden Chickens", "display_name": "Golden Chickens", "target": null }, { "id": "JavaScript", "display_name": "JavaScript", "target": null }, { "id": "Proofpoint", "display_name": "Proofpoint", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Finance", "Investment", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "domain": 15, "email": 4 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 356, "modified_text": "1409 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "infntio.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "infntio.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780237776.3961418 }