{
  "type": "Domain",
  "indicator": "my-sharepoints.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/my-sharepoints.com",
    "alexa": "http://www.alexa.com/siteinfo/my-sharepoints.com",
    "indicator": "my-sharepoints.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2117775813,
      "indicator": "my-sharepoints.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "5cefdae12f7645afa995961e",
          "name": "Continued activity by APT28",
          "description": "Upon execution, nbmssl.dll (MD5: d51d485f98810ab1278df4e41b692761) decrypts strings and URLs using two observed encryption keys: one for string decryption and another for URL decryption. Strings are decrypted and then concatenated to build URLs, which may be backup C2 nodes. Additionally, three URLs are decrypted to test for network connectivity. First, google.com is decrypted, followed by yahoo.com. A DNS request is then generated for google.com; if that fails, it attempts to reach yahoo.com. If an attempt succeeds, the file calls out to what appears to be a C2 node named maylaytravelgroup.com with multiple GET requests.",
          "modified": "2019-10-02T15:46:24.866000",
          "created": "2019-05-30T13:30:08.887000",
          "tags": [
            "apt28",
            "fancy bear"
          ],
          "references": [
            "https://www.virustotal.com/#/file/b40909ac0b70b7bd82465dfc7761a6b4e0df55b894dd42290e3f72cb4280fa44/community",
            "https://twitter.com/ClearskySec/status/1139160272755744774",
            "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/StrontiumIOCs.yaml"
          ],
          "public": 1,
          "adversary": "Sofacy",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 100,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 27,
            "FileHash-SHA256": 1,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1
          },
          "indicator_count": 30,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386541,
          "modified_text": "2432 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "5d1a7372b1a28587d7455b04",
          "name": "Spoofed Microsoft domains - June 2019",
          "description": "Spoofed Microsoft domains, identified primarily from sinkholes.",
          "modified": "2019-07-16T22:50:50.926000",
          "created": "2019-07-01T20:56:18.455000",
          "tags": [
            "infrastructure",
            "microsoft",
            "spoofed"
          ],
          "references": [
            "https://twitter.com/kyleehmke/status/1144683885684563968",
            "https://otx.alienvault.com/indicator/ip/185.245.85.182",
            "https://twitter.com/daphiel/status/1148128770014011392",
            "https://otx.alienvault.com/indicator/ip/157.56.161.162"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 66,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 77,
            "hostname": 62,
            "FileHash-SHA256": 1
          },
          "indicator_count": 140,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386521,
          "modified_text": "2510 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://otx.alienvault.com/indicator/ip/157.56.161.162",
        "https://twitter.com/daphiel/status/1148128770014011392",
        "https://otx.alienvault.com/indicator/ip/185.245.85.182",
        "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/StrontiumIOCs.yaml",
        "https://twitter.com/ClearskySec/status/1139160272755744774",
        "https://twitter.com/kyleehmke/status/1144683885684563968",
        "https://www.virustotal.com/#/file/b40909ac0b70b7bd82465dfc7761a6b4e0df55b894dd42290e3f72cb4280fa44/community"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Sofacy"
          ],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "5cefdae12f7645afa995961e",
      "name": "Continued activity by APT28",
      "description": "Upon execution, nbmssl.dll (MD5: d51d485f98810ab1278df4e41b692761) decrypts strings and URLs using two observed encryption keys: one for string decryption and another for URL decryption. Strings are decrypted and then concatenated to build URLs, which may be backup C2 nodes. Additionally, three URLs are decrypted to test for network connectivity. First, google.com is decrypted, followed by yahoo.com. A DNS request is then generated for google.com; if that fails, it attempts to reach yahoo.com. If an attempt succeeds, the file calls out to what appears to be a C2 node named maylaytravelgroup.com with multiple GET requests.",
      "modified": "2019-10-02T15:46:24.866000",
      "created": "2019-05-30T13:30:08.887000",
      "tags": [
        "apt28",
        "fancy bear"
      ],
      "references": [
        "https://www.virustotal.com/#/file/b40909ac0b70b7bd82465dfc7761a6b4e0df55b894dd42290e3f72cb4280fa44/community",
        "https://twitter.com/ClearskySec/status/1139160272755744774",
        "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/StrontiumIOCs.yaml"
      ],
      "public": 1,
      "adversary": "Sofacy",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 100,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 27,
        "FileHash-SHA256": 1,
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1
      },
      "indicator_count": 30,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386541,
      "modified_text": "2432 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "5d1a7372b1a28587d7455b04",
      "name": "Spoofed Microsoft domains - June 2019",
      "description": "Spoofed Microsoft domains, identified primarily from sinkholes.",
      "modified": "2019-07-16T22:50:50.926000",
      "created": "2019-07-01T20:56:18.455000",
      "tags": [
        "infrastructure",
        "microsoft",
        "spoofed"
      ],
      "references": [
        "https://twitter.com/kyleehmke/status/1144683885684563968",
        "https://otx.alienvault.com/indicator/ip/185.245.85.182",
        "https://twitter.com/daphiel/status/1148128770014011392",
        "https://otx.alienvault.com/indicator/ip/157.56.161.162"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 66,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 77,
        "hostname": 62,
        "FileHash-SHA256": 1
      },
      "indicator_count": 140,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386521,
      "modified_text": "2510 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "my-sharepoints.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "my-sharepoints.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780200627.7586253
}