{ "type": "Domain", "indicator": "intellectproactive.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/intellectproactive.com", "alexa": "http://www.alexa.com/siteinfo/intellectproactive.com", "indicator": "intellectproactive.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2296205648, "indicator": "intellectproactive.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "64a2e37e2ed3cb6e66de1d49", "name": "PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID", "description": "A new strain of Bumblebee and IcedID, a modular banking malware designed to steal financial information, has been spotted in the wild.", "modified": "2023-07-03T15:04:30.051000", "created": "2023-07-03T15:04:30.051000", "tags": [ "bumblebee", "icedid", "pindos", "javascript", "powershell", "dll payload", "bazarloader", "emotet", "malware", "rundll32.exe" ], "references": [ "https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "IcedID", "display_name": "IcedID", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 389, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 10, "domain": 10, "hostname": 1 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 377573, "modified_text": "1021 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655950034e6ae4650a6b02ce", "name": "Python Initiated Connection | Spyware | Remote Attacks | | Part 4", "description": "Apple, Mac, iOS, phishing, frauds services, malware, trojan.allesgreh/trojan.allesgreh/respat, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and possibly others. Python Initiated Connection, WScriptShell_Case_Anomaly.\nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-19T00:00:03.258000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655aef8a8cc2e0929f2aa5ea", "name": "Python Initiated Connection | Spyware | Remote Attacks |", "description": "", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-20T05:32:58.400000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "655950034e6ae4650a6b02ce", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65109e4452cd4f44ab531a03", "name": "URLHaus Malicious URL Blocklist 2023-09-24", "description": "1.4% of the world's population now lives in the UK, but that doesn't mean that it is the only one that has made a significant impact on the way we all live.\nhttps://malware-filter.gitlab.io/malware-filter/urlhaus-filter-online.txt", "modified": "2023-10-24T20:02:37.137000", "created": "2023-09-24T20:38:28.173000", "tags": [ "urlhaus", "malware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 76, "FileHash-MD5": 65, "FileHash-SHA1": 83, "FileHash-SHA256": 50, "URL": 75, "domain": 303 }, "indicator_count": 652, "is_author": false, "is_subscribing": null, "subscriber_count": 179, "modified_text": "908 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6510a2dd9c7acab85a26f978", "name": "Phishing sites 2023-09-24", "description": "https://github.com/olbat/ut1-blacklists/blob/master/blacklists/phishing/domains", "modified": "2023-10-24T20:02:37.137000", "created": "2023-09-24T20:58:05.025000", "tags": [ "phishing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "France" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "URL": 5, "domain": 37579, "hostname": 3238 }, "indicator_count": 40832, "is_author": false, "is_subscribing": null, "subscriber_count": 190, "modified_text": "908 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64a3da92a99336f27ba1c9b8", "name": "PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID", "description": "", "modified": "2023-07-04T08:38:42.106000", "created": "2023-07-04T08:38:42.106000", "tags": [ "bumblebee", "icedid", "pindos", "javascript", "powershell", "dll payload", "bazarloader", "emotet", "malware", "rundll32.exe" ], "references": [ "https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "IcedID", "display_name": "IcedID", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": "64a2e37e2ed3cb6e66de1d49", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 10, "domain": 10, "hostname": 1 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 263, "modified_text": "1020 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64a2af81fc9157df238deb3e", "name": "Bumblebee", "description": "", "modified": "2023-07-03T11:22:41.164000", "created": "2023-07-03T11:22:41.164000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MarinaDiamandis", "id": "206809", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "FileHash-SHA256": 19, "domain": 10, "hostname": 1 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "1021 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "646804b36c7302e36c38d862", "name": "URLHaus data - 19-05-2023", "description": "", "modified": "2023-06-23T22:14:17.716000", "created": "2023-05-19T23:22:27.705000", "tags": [ "32-bit", "arm", "elf", "Mozi", "mips", "mirai", "dropped-by-amadey", "Kaiji", "bumblebee", "geofenced", "USA", "RedLineStealer", "dll", "exe", "njRAT", "encrypted", "RecordBreaker", "hajime", "ascii", "NetSupport", "powershell", "ps", "rat", "zip", "AgentTesla", "zgRAT", "CoinMiner", "dropped-by-PrivateLoader", "Bancos", "1234", "7z", "Password-protected", "Vidar", "RedLine", "Amadey", "Formbook", "opendir", "32", "Gh0stRAT", "Loki", "GuLoader", "ps1", "LummaStealer", "Stealc", "dropped-by-SmokeLoader", "additionalpayloads", "raccoonv2", "RemoteManipulator", "RaccoonStealer", "script", "Lumma", "Gozi", "ISFB", "ITA", "js", "ursnif" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 544, "domain": 15, "hostname": 3 }, "indicator_count": 562, "is_author": false, "is_subscribing": null, "subscriber_count": 1600, "modified_text": "1031 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64935238294f00e0b9b8ab79", "name": "PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID | Deep Instinct", "description": "PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID", "modified": "2023-06-21T20:01:30.722000", "created": "2023-06-21T19:40:40.128000", "tags": [ "bumblebee", "icedid", "pindos", "javascript", "malware" ], "references": [ "https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "IcedID", "display_name": "IcedID", "target": null }, { "id": "PindOS", "display_name": "PindOS", "target": null }, { "id": "BumbleBee", "display_name": "BumbleBee", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Shaul_VP", "id": "47782", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_47782/resized/80/avatar_14a32d2e73.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "FileHash-SHA256": 19, "domain": 10, "hostname": 1 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "1033 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://urlhaus.abuse.ch/browse/", "https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Icedid" ], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Et", "Pindos", "Bumblebee", "Gc", "Icedid" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "64a2e37e2ed3cb6e66de1d49", "name": "PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID", "description": "A new strain of Bumblebee and IcedID, a modular banking malware designed to steal financial information, has been spotted in the wild.", "modified": "2023-07-03T15:04:30.051000", "created": "2023-07-03T15:04:30.051000", "tags": [ "bumblebee", "icedid", "pindos", "javascript", "powershell", "dll payload", "bazarloader", "emotet", "malware", "rundll32.exe" ], "references": [ "https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "IcedID", "display_name": "IcedID", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 389, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 10, "domain": 10, "hostname": 1 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 377573, "modified_text": "1021 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655950034e6ae4650a6b02ce", "name": "Python Initiated Connection | Spyware | Remote Attacks | | Part 4", "description": "Apple, Mac, iOS, phishing, frauds services, malware, trojan.allesgreh/trojan.allesgreh/respat, spyware, Google abuse, used to obsessively spy and stalk SA victim Tsara Brashears and possibly others. Python Initiated Connection, WScriptShell_Case_Anomaly.\nPulse: http://secure-appleid-com-uh2hdgo2m7pjuusohde19c8tqs.sssa79.com/\n[Concerning Pre populated content: A security alert has been sent to a secure Apple account in the US, but what exactly is it and what does it mean? and how did it end up in this post-mortem?\u2190((threat?))Let me tell you a]", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-19T00:00:03.258000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "655aef8a8cc2e0929f2aa5ea", "name": "Python Initiated Connection | Spyware | Remote Attacks |", "description": "", "modified": "2023-12-18T23:03:18.732000", "created": "2023-11-20T05:32:58.400000", "tags": [ "http response", "final url", "serving ip", "address", "status code", "body length", "b body", "sha256", "contenttype", "phpsessid", "cisco umbrella", "alexa top", "million", "safe site", "site", "whois record", "ssl certificate", "execution", "dropped", "whois whois", "historical ssl", "copy", "tsara brashears", "communicating", "referrer", "cobalt strike", "hacktool", "emotet", "download", "malware", "malicious", "critical", "relic", "monitoring", "installer", "android", "agent tesla", "et", "october", "contacted", "threat roundup", "january", "cyberstalking", "attack", "icmp", "banker", "keylogger", "google llc", "gc abuse", "orgid", "direct", "whois lookup", "netrange", "nethandle", "net34", "net340000", "googl2", "comment", "gc", "dns replication", "date", "domain", "win32 exe", "driver pro", "files", "detections type", "name", "optimizer pro", "javascript", "text", "text ip", "aacr", "type name", "email", "email delivery", "email fwd", "delivery status", "notification", "name verdict", "runtime process", "sha1", "size", "localappdata", "temp", "prefetch8", "unicode text", "type data", "programfiles", "win64", "hybrid", "click", "strings", "youth", "pe resource", "apple private", "data collection", "hidden privacy", "threats https", "legal", "amazon aws", "wife happy", "vhash", "authentihash", "ssdeep", "file type", "magic pe32", "intel", "ms windows", "trid windows", "os2 executable", "compiler", "delphi", "sections", "md5 code", "data", "children", "file size", "dropped files", "google update", "setup sha256", "kb file" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ET", "display_name": "ET", "target": null }, { "id": "GC", "display_name": "GC", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "green", "cloned_from": "655950034e6ae4650a6b02ce", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12901, "hostname": 4445, "domain": 3685, "FileHash-MD5": 197, "FileHash-SHA256": 5136, "FileHash-SHA1": 170, "CIDR": 1, "email": 2, "CVE": 4 }, "indicator_count": 26541, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "853 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65109e4452cd4f44ab531a03", "name": "URLHaus Malicious URL Blocklist 2023-09-24", "description": "1.4% of the world's population now lives in the UK, but that doesn't mean that it is the only one that has made a significant impact on the way we all live.\nhttps://malware-filter.gitlab.io/malware-filter/urlhaus-filter-online.txt", "modified": "2023-10-24T20:02:37.137000", "created": "2023-09-24T20:38:28.173000", "tags": [ "urlhaus", "malware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 76, "FileHash-MD5": 65, "FileHash-SHA1": 83, "FileHash-SHA256": 50, "URL": 75, "domain": 303 }, "indicator_count": 652, "is_author": false, "is_subscribing": null, "subscriber_count": 179, "modified_text": "908 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6510a2dd9c7acab85a26f978", "name": "Phishing sites 2023-09-24", "description": "https://github.com/olbat/ut1-blacklists/blob/master/blacklists/phishing/domains", "modified": "2023-10-24T20:02:37.137000", "created": "2023-09-24T20:58:05.025000", "tags": [ "phishing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "France" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "URL": 5, "domain": 37579, "hostname": 3238 }, "indicator_count": 40832, "is_author": false, "is_subscribing": null, "subscriber_count": 190, "modified_text": "908 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64a3da92a99336f27ba1c9b8", "name": "PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID", "description": "", "modified": "2023-07-04T08:38:42.106000", "created": "2023-07-04T08:38:42.106000", "tags": [ "bumblebee", "icedid", "pindos", "javascript", "powershell", "dll payload", "bazarloader", "emotet", "malware", "rundll32.exe" ], "references": [ "https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "IcedID", "display_name": "IcedID", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": "64a2e37e2ed3cb6e66de1d49", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 10, "domain": 10, "hostname": 1 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 263, "modified_text": "1020 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64a2af81fc9157df238deb3e", "name": "Bumblebee", "description": "", "modified": "2023-07-03T11:22:41.164000", "created": "2023-07-03T11:22:41.164000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MarinaDiamandis", "id": "206809", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "FileHash-SHA256": 19, "domain": 10, "hostname": 1 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "1021 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "646804b36c7302e36c38d862", "name": "URLHaus data - 19-05-2023", "description": "", "modified": "2023-06-23T22:14:17.716000", "created": "2023-05-19T23:22:27.705000", "tags": [ "32-bit", "arm", "elf", "Mozi", "mips", "mirai", "dropped-by-amadey", "Kaiji", "bumblebee", "geofenced", "USA", "RedLineStealer", "dll", "exe", "njRAT", "encrypted", "RecordBreaker", "hajime", "ascii", "NetSupport", "powershell", "ps", "rat", "zip", "AgentTesla", "zgRAT", "CoinMiner", "dropped-by-PrivateLoader", "Bancos", "1234", "7z", "Password-protected", "Vidar", "RedLine", "Amadey", "Formbook", "opendir", "32", "Gh0stRAT", "Loki", "GuLoader", "ps1", "LummaStealer", "Stealc", "dropped-by-SmokeLoader", "additionalpayloads", "raccoonv2", "RemoteManipulator", "RaccoonStealer", "script", "Lumma", "Gozi", "ISFB", "ITA", "js", "ursnif" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 544, "domain": 15, "hostname": 3 }, "indicator_count": 562, "is_author": false, "is_subscribing": null, "subscriber_count": 1600, "modified_text": "1031 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64935238294f00e0b9b8ab79", "name": "PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID | Deep Instinct", "description": "PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID", "modified": "2023-06-21T20:01:30.722000", "created": "2023-06-21T19:40:40.128000", "tags": [ "bumblebee", "icedid", "pindos", "javascript", "malware" ], "references": [ "https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "IcedID", "display_name": "IcedID", "target": null }, { "id": "PindOS", "display_name": "PindOS", "target": null }, { "id": "BumbleBee", "display_name": "BumbleBee", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Shaul_VP", "id": "47782", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_47782/resized/80/avatar_14a32d2e73.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "FileHash-SHA256": 19, "domain": 10, "hostname": 1 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "1033 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "intellectproactive.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "intellectproactive.com", "found": true, "verdict": "malicious", "url_count": 1, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "https://intellectproactive.com/dist/out/mn.php", "status": "offline", "threat": "malware_download", "date_added": "2023-05-19", "tags": [ "bumblebee", "geofenced", "Mydoom", "USA" ] } ], "error": null }, "from_cache": true, "_cached_at": 1776641856.0897179 }