{
  "type": "Domain",
  "indicator": "neskrab2.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/neskrab2.com",
    "alexa": "http://www.alexa.com/siteinfo/neskrab2.com",
    "indicator": "neskrab2.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3653713989,
      "indicator": "neskrab2.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "642d7b77efa67e9afda0f0ea",
          "name": "New OpcJacker Malware Distributed via Fake VPN Malvertising",
          "description": "Researchers at TrendMicro have discovered a new malware, named \"OpcJacker\", that has been distributed in the wild since the second half of 2022. OpcJacker\u2019s operator is motivated by financial gain since the malware\u2019s primary purpose is stealing cryptocurrency funds from wallets.",
          "modified": "2023-05-05T13:03:51.236000",
          "created": "2023-04-05T13:45:26.949000",
          "tags": [
            "opcjacker",
            "rat",
            "infostealer",
            "cryptocurrencies"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html",
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising/ioc-new-opcJacker-malware-distributed-via-fake-vpn-malvertising.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Iran, Islamic Republic of"
          ],
          "malware_families": [
            {
              "id": "OpcJacker",
              "display_name": "OpcJacker",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 369,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 81,
            "FileHash-SHA1": 81,
            "FileHash-SHA256": 102,
            "URL": 17,
            "domain": 30
          },
          "indicator_count": 311,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386662,
          "modified_text": "1122 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6424417d4f7e34fdcc85af29",
          "name": "New OpcJacker Malware Distributed via Fake VPN Malvertising",
          "description": "Researchers discovered a new malware, which we named \u201cOpcJacker\u201d (due to its opcode configuration design and its cryptocurrency hijacking ability), that has been distributed in the wild since the second half of 2022. OpcJacker is an interesting piece of malware, since its configuration file uses a custom file format to define the stealer\u2019s behavior. Specifically, the format resembles custom virtual machine code, where numeric hexadecimal identifiers present in the configuration file make the stealer run desired functions. The purpose of using such a design is likely to make understanding and analyzing the malware\u2019s code flow more difficult for researchers.",
          "modified": "2023-03-29T13:47:41.091000",
          "created": "2023-03-29T13:47:41.091000",
          "tags": [
            "netsupport rat",
            "rat downloader",
            "fake vpn",
            "opcjacker",
            "phobos",
            "Babadeda"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html",
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising/ioc-new-opcJacker-malware-distributed-via-fake-vpn-malvertising.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Iran, Islamic Republic of"
          ],
          "malware_families": [
            {
              "id": "OpcJacker",
              "display_name": "OpcJacker",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 401,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 38,
            "FileHash-SHA1": 38,
            "FileHash-SHA256": 102,
            "URL": 14,
            "domain": 30
          },
          "indicator_count": 222,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386662,
          "modified_text": "1159 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "678aa23dfce9a3d3819821b0",
          "name": "NetSupport RAT c2",
          "description": "NetSupport RAT C2 Servers",
          "modified": "2025-05-28T11:48:56.371000",
          "created": "2025-01-17T18:32:29.882000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "nalbright",
            "id": "356",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_356/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 14,
            "domain": 109,
            "hostname": 10
          },
          "indicator_count": 133,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 101,
          "modified_text": "369 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "647738f1cd2f59e171e89ec3",
          "name": "New OpcJacker Malware Distributed via Fake VPN Malvertising",
          "description": "",
          "modified": "2023-05-31T12:09:21.385000",
          "created": "2023-05-31T12:09:21.385000",
          "tags": [
            "opcjacker",
            "rat",
            "infostealer",
            "cryptocurrencies"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html",
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising/ioc-new-opcJacker-malware-distributed-via-fake-vpn-malvertising.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Iran, Islamic Republic of"
          ],
          "malware_families": [
            {
              "id": "OpcJacker",
              "display_name": "OpcJacker",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "642d7b77efa67e9afda0f0ea",
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 81,
            "FileHash-SHA1": 81,
            "FileHash-SHA256": 102,
            "URL": 17,
            "domain": 30
          },
          "indicator_count": 311,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "1097 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "642ab114188399ff9a77a4b4",
          "name": "New OpcJacker Malware Distributed via Fake VPN Malvertising",
          "description": "New OpcJacker Malware, published by Microsoft, is available to download on the Microsoft website and app for use in the US and UK. and can be accessed via Skype or Google.",
          "modified": "2023-05-03T10:00:17.991000",
          "created": "2023-04-03T10:57:24.399000",
          "tags": [
            "installer",
            "netsupoort rat",
            "c domain",
            "netsupport rat",
            "iso file",
            "delivery server",
            "rat downloader",
            "description",
            "new opcjacker",
            "fake vpn"
          ],
          "references": [
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising/ioc-new-opcJacker-malware-distributed-via-fake-vpn-malvertising.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 81,
            "FileHash-SHA1": 81,
            "FileHash-SHA256": 102,
            "URL": 17,
            "domain": 30
          },
          "indicator_count": 311,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "1125 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6426e8de70a9872b94c3082c",
          "name": "OpcJacker Malware",
          "description": "",
          "modified": "2023-04-30T14:01:21.014000",
          "created": "2023-03-31T14:06:22.604000",
          "tags": [],
          "references": [
            "March 30th, 2023 - CryptoGen Cyber Threat Intelligence - OpcJacker Malware.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 81,
            "FileHash-SHA1": 81,
            "FileHash-SHA256": 102,
            "URL": 17,
            "domain": 30
          },
          "indicator_count": 311,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "1127 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6426e8eaec533392635d944c",
          "name": "OpcJacker Malware",
          "description": "",
          "modified": "2023-04-30T14:01:21.014000",
          "created": "2023-03-31T14:06:34.928000",
          "tags": [],
          "references": [
            "March 30th, 2023 - CryptoGen Cyber Threat Intelligence - OpcJacker Malware.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 81,
            "FileHash-SHA1": 81,
            "FileHash-SHA256": 102,
            "URL": 17,
            "domain": 30
          },
          "indicator_count": 311,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "1127 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "642518dc4cdf9e8575fdff57",
          "name": "OpcJacker Malware",
          "description": "",
          "modified": "2023-04-29T05:02:56.488000",
          "created": "2023-03-30T05:06:36.483000",
          "tags": [],
          "references": [
            "March 30th, 2023 - CryptoGen Cyber Threat Intelligence - OpcJacker Malware.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 81,
            "FileHash-SHA1": 81,
            "FileHash-SHA256": 102,
            "URL": 17,
            "domain": 30
          },
          "indicator_count": 311,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "1129 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html",
        "March 30th, 2023 - CryptoGen Cyber Threat Intelligence - OpcJacker Malware.pdf",
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising/ioc-new-opcJacker-malware-distributed-via-fake-vpn-malvertising.txt"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Opcjacker"
          ],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Opcjacker"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "642d7b77efa67e9afda0f0ea",
      "name": "New OpcJacker Malware Distributed via Fake VPN Malvertising",
      "description": "Researchers at TrendMicro have discovered a new malware, named \"OpcJacker\", that has been distributed in the wild since the second half of 2022. OpcJacker\u2019s operator is motivated by financial gain since the malware\u2019s primary purpose is stealing cryptocurrency funds from wallets.",
      "modified": "2023-05-05T13:03:51.236000",
      "created": "2023-04-05T13:45:26.949000",
      "tags": [
        "opcjacker",
        "rat",
        "infostealer",
        "cryptocurrencies"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html",
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising/ioc-new-opcJacker-malware-distributed-via-fake-vpn-malvertising.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Iran, Islamic Republic of"
      ],
      "malware_families": [
        {
          "id": "OpcJacker",
          "display_name": "OpcJacker",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 369,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 81,
        "FileHash-SHA1": 81,
        "FileHash-SHA256": 102,
        "URL": 17,
        "domain": 30
      },
      "indicator_count": 311,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386662,
      "modified_text": "1122 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6424417d4f7e34fdcc85af29",
      "name": "New OpcJacker Malware Distributed via Fake VPN Malvertising",
      "description": "Researchers discovered a new malware, which we named \u201cOpcJacker\u201d (due to its opcode configuration design and its cryptocurrency hijacking ability), that has been distributed in the wild since the second half of 2022. OpcJacker is an interesting piece of malware, since its configuration file uses a custom file format to define the stealer\u2019s behavior. Specifically, the format resembles custom virtual machine code, where numeric hexadecimal identifiers present in the configuration file make the stealer run desired functions. The purpose of using such a design is likely to make understanding and analyzing the malware\u2019s code flow more difficult for researchers.",
      "modified": "2023-03-29T13:47:41.091000",
      "created": "2023-03-29T13:47:41.091000",
      "tags": [
        "netsupport rat",
        "rat downloader",
        "fake vpn",
        "opcjacker",
        "phobos",
        "Babadeda"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html",
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising/ioc-new-opcJacker-malware-distributed-via-fake-vpn-malvertising.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Iran, Islamic Republic of"
      ],
      "malware_families": [
        {
          "id": "OpcJacker",
          "display_name": "OpcJacker",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 401,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 38,
        "FileHash-SHA1": 38,
        "FileHash-SHA256": 102,
        "URL": 14,
        "domain": 30
      },
      "indicator_count": 222,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386662,
      "modified_text": "1159 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "678aa23dfce9a3d3819821b0",
      "name": "NetSupport RAT c2",
      "description": "NetSupport RAT C2 Servers",
      "modified": "2025-05-28T11:48:56.371000",
      "created": "2025-01-17T18:32:29.882000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "nalbright",
        "id": "356",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_356/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 14,
        "domain": 109,
        "hostname": 10
      },
      "indicator_count": 133,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 101,
      "modified_text": "369 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "647738f1cd2f59e171e89ec3",
      "name": "New OpcJacker Malware Distributed via Fake VPN Malvertising",
      "description": "",
      "modified": "2023-05-31T12:09:21.385000",
      "created": "2023-05-31T12:09:21.385000",
      "tags": [
        "opcjacker",
        "rat",
        "infostealer",
        "cryptocurrencies"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html",
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising/ioc-new-opcJacker-malware-distributed-via-fake-vpn-malvertising.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Iran, Islamic Republic of"
      ],
      "malware_families": [
        {
          "id": "OpcJacker",
          "display_name": "OpcJacker",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "642d7b77efa67e9afda0f0ea",
      "export_count": 23,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 81,
        "FileHash-SHA1": 81,
        "FileHash-SHA256": 102,
        "URL": 17,
        "domain": 30
      },
      "indicator_count": 311,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "1097 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "642ab114188399ff9a77a4b4",
      "name": "New OpcJacker Malware Distributed via Fake VPN Malvertising",
      "description": "New OpcJacker Malware, published by Microsoft, is available to download on the Microsoft website and app for use in the US and UK, and can be accessed via Skype or Google.",
      "modified": "2023-05-03T10:00:17.991000",
      "created": "2023-04-03T10:57:24.399000",
      "tags": [
        "installer",
        "netsupoort rat",
        "c domain",
        "netsupport rat",
        "iso file",
        "delivery server",
        "rat downloader",
        "description",
        "new opcjacker",
        "fake vpn"
      ],
      "references": [
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising/ioc-new-opcJacker-malware-distributed-via-fake-vpn-malvertising.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 81,
        "FileHash-SHA1": 81,
        "FileHash-SHA256": 102,
        "URL": 17,
        "domain": 30
      },
      "indicator_count": 311,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "1125 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6426e8de70a9872b94c3082c",
      "name": "OpcJacker Malware",
      "description": "",
      "modified": "2023-04-30T14:01:21.014000",
      "created": "2023-03-31T14:06:22.604000",
      "tags": [],
      "references": [
        "March 30th, 2023 - CryptoGen Cyber Threat Intelligence - OpcJacker Malware.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 81,
        "FileHash-SHA1": 81,
        "FileHash-SHA256": 102,
        "URL": 17,
        "domain": 30
      },
      "indicator_count": 311,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "1127 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6426e8eaec533392635d944c",
      "name": "OpcJacker Malware",
      "description": "",
      "modified": "2023-04-30T14:01:21.014000",
      "created": "2023-03-31T14:06:34.928000",
      "tags": [],
      "references": [
        "March 30th, 2023 - CryptoGen Cyber Threat Intelligence - OpcJacker Malware.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 81,
        "FileHash-SHA1": 81,
        "FileHash-SHA256": 102,
        "URL": 17,
        "domain": 30
      },
      "indicator_count": 311,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "1127 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "642518dc4cdf9e8575fdff57",
      "name": "OpcJacker Malware",
      "description": "",
      "modified": "2023-04-29T05:02:56.488000",
      "created": "2023-03-30T05:06:36.483000",
      "tags": [],
      "references": [
        "March 30th, 2023 - CryptoGen Cyber Threat Intelligence - OpcJacker Malware.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 81,
        "FileHash-SHA1": 81,
        "FileHash-SHA256": 102,
        "URL": 17,
        "domain": 30
      },
      "indicator_count": 311,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "1129 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "neskrab2.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "neskrab2.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780316768.3368788
}