{
  "type": "Domain",
  "indicator": "nlasandbox.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/nlasandbox.com",
    "alexa": "http://www.alexa.com/siteinfo/nlasandbox.com",
    "indicator": "nlasandbox.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3484291544,
      "indicator": "nlasandbox.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "636bcf00a10e2af3275eb9af",
          "name": "Emotet coming in hot",
          "description": "Emotet is back again with a new campaign displaying many characteristics of older runs, including the use of Auto_Open macros inside XLS documents. Cisco Talos has observed increased activity of spam distributing this new strain beginning in early November 2022, and the volume of spam and Emotet infrastructure has been increasing since then to target multiple geographies around the world.",
          "modified": "2022-12-09T13:00:49.050000",
          "created": "2022-11-09T16:02:08.058000",
          "tags": [
            "emotet",
            "phishing",
            "maldoc",
            "xls documents",
            "office macros",
            "social engineering",
            "banking trojan"
          ],
          "references": [
            "https://blog.talosintelligence.com/emotet-coming-in-hot/",
            "https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_contacted_URLs.txt",
            "https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_hashes.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "636bb8de4eb9290f5cc657ae",
          "export_count": 470,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 59,
            "domain": 26,
            "hostname": 11,
            "FileHash-MD5": 19,
            "FileHash-SHA1": 19,
            "FileHash-SHA256": 2328
          },
          "indicator_count": 2462,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386482,
          "modified_text": "1268 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "636ce56b5861d61a50c11523",
          "name": "Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns",
          "description": "New technologies like the InterPlanetary File System (IPFS) are being used by cybercriminals to host malicious content, including malware and phishing kits, according to Cisco Talos Intelligence.",
          "modified": "2022-12-10T11:02:24.049000",
          "created": "2022-11-10T11:50:03.310000",
          "tags": [
            "grabber",
            "securex",
            "top story",
            "threat spotlight",
            "threats",
            "ipfs",
            "ipfs network",
            "ipfs gateway",
            "python",
            "system",
            "appliance",
            "talos",
            "web3 technology",
            "web3",
            "pe32 executable",
            "discord",
            "swift",
            "powershell"
          ],
          "references": [
            "https://blog.talosintelligence.com/ipfs-abuse/",
            "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_URLs.txt",
            "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_domains.txt",
            "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_ips.txt",
            "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_emails.txt",
            "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_hashes.txt",
            "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_parents.txt",
            "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/ipfs-abuse.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Grabber",
              "display_name": "Grabber",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 28,
            "URL": 70,
            "domain": 66,
            "FileHash-SHA256": 2427,
            "FileHash-MD5": 302,
            "FileHash-SHA1": 302
          },
          "indicator_count": 3195,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "1267 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "636bb8de4eb9290f5cc657ae",
          "name": "Emotet coming in hot",
          "description": "Emotet is back again with a new campaign displaying many characteristics of older runs, including the use of Auto_Open macros inside XLS documents. Cisco Talos has observed increased activity of spam distributing this new strain beginning in early November 2022, and the volume of spam and Emotet infrastructure has been increasing since then to target multiple geographies around the world.",
          "modified": "2022-12-09T13:00:49.050000",
          "created": "2022-11-09T14:27:42.407000",
          "tags": [
            "emotet",
            "phishing",
            "maldoc",
            "xls documents",
            "office macros",
            "social engineering",
            "banking trojan"
          ],
          "references": [
            "https://blog.talosintelligence.com/emotet-coming-in-hot/",
            "https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_contacted_URLs.txt",
            "https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_hashes.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Sampson.thong",
            "id": "210149",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 67,
            "domain": 26,
            "hostname": 11,
            "FileHash-MD5": 19,
            "FileHash-SHA1": 19,
            "FileHash-SHA256": 2328
          },
          "indicator_count": 2470,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 46,
          "modified_text": "1268 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62c7fb0f8ab654b1c8ebb621",
          "name": "jintingtingtesttest",
          "description": "A look back at some of the most eye-catching stories of recent weeks, as compiled by the BBC News website, with the help of a handful of key characters:..com.-",
          "modified": "2022-08-07T00:05:43.824000",
          "created": "2022-07-08T09:38:23.587000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "jtt12345",
            "id": "194112",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 4268,
            "URL": 101,
            "FileHash-MD5": 13,
            "FileHash-SHA256": 1,
            "domain": 283
          },
          "indicator_count": 4666,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 30,
          "modified_text": "1393 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62c7fb0ff1ead7d85fad5e43",
          "name": "jintingtingtesttest",
          "description": "A look back at some of the most eye-catching stories of recent weeks, as compiled by the BBC News website, with the help of a handful of key characters:..com.-",
          "modified": "2022-08-07T00:05:43.824000",
          "created": "2022-07-08T09:38:23.273000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "jtt12345",
            "id": "194112",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 4268,
            "URL": 101,
            "FileHash-MD5": 13,
            "FileHash-SHA256": 1,
            "domain": 283
          },
          "indicator_count": 4666,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 30,
          "modified_text": "1393 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62c7fb128e18ef22262d95d0",
          "name": "jintingtingtesttest",
          "description": "A look back at some of the most eye-catching stories of recent weeks, as compiled by the BBC News website, with the help of a handful of key characters:..com.-",
          "modified": "2022-08-07T00:05:43.824000",
          "created": "2022-07-08T09:38:26.026000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "jtt12345",
            "id": "194112",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 4268,
            "URL": 101,
            "FileHash-MD5": 13,
            "FileHash-SHA256": 1,
            "domain": 283
          },
          "indicator_count": 4666,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 30,
          "modified_text": "1393 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62b47847408a3c6c9eb248bb",
          "name": "Emotet IOCs",
          "description": "The results of an investigation into cyber-attack on the European Union (EU) have been published by RGSGK, SRGHRSHSH and the International Institute of Strategic Studies (IISS).",
          "modified": "2022-07-23T00:04:41.726000",
          "created": "2022-06-23T14:27:19.541000",
          "tags": [
            "jjccbb",
            "emotet payload",
            "hashes",
            "xls file",
            "return",
            "identification",
            "emotet",
            "observed",
            "zip file",
            "metadata author"
          ],
          "references": [
            "https://twitter.com/executemalware/status/1539749992323317762"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "brazen.fox.thirteen",
            "id": "155136",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 71,
            "domain": 8,
            "email": 3,
            "hostname": 4
          },
          "indicator_count": 96,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 128,
          "modified_text": "1408 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_URLs.txt",
        "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_emails.txt",
        "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/ipfs-abuse.txt",
        "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_parents.txt",
        "https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_hashes.txt",
        "https://blog.talosintelligence.com/ipfs-abuse/",
        "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_ips.txt",
        "https://twitter.com/executemalware/status/1539749992323317762",
        "https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_contacted_URLs.txt",
        "https://blog.talosintelligence.com/emotet-coming-in-hot/",
        "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_domains.txt",
        "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_hashes.txt"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Emotet"
          ],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Grabber",
            "Emotet"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "636bcf00a10e2af3275eb9af",
      "name": "Emotet coming in hot",
      "description": "Emotet is back again with a new campaign displaying many characteristics of older runs, including the use of Auto_Open macros inside XLS documents. Cisco Talos has observed increased activity of spam distributing this new strain beginning in early November 2022, and the volume of spam and Emotet infrastructure has been increasing since then to target multiple geographies around the world.",
      "modified": "2022-12-09T13:00:49.050000",
      "created": "2022-11-09T16:02:08.058000",
      "tags": [
        "emotet",
        "phishing",
        "maldoc",
        "xls documents",
        "office macros",
        "social engineering",
        "banking trojan"
      ],
      "references": [
        "https://blog.talosintelligence.com/emotet-coming-in-hot/",
        "https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_contacted_URLs.txt",
        "https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_hashes.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "636bb8de4eb9290f5cc657ae",
      "export_count": 470,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 59,
        "domain": 26,
        "hostname": 11,
        "FileHash-MD5": 19,
        "FileHash-SHA1": 19,
        "FileHash-SHA256": 2328
      },
      "indicator_count": 2462,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386482,
      "modified_text": "1268 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "636ce56b5861d61a50c11523",
      "name": "Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns",
      "description": "New technologies like the InterPlanetary File System (IPFS) are being used by cybercriminals to host malicious content, including malware and phishing kits, according to Cisco Talos Intelligence.",
      "modified": "2022-12-10T11:02:24.049000",
      "created": "2022-11-10T11:50:03.310000",
      "tags": [
        "grabber",
        "securex",
        "top story",
        "threat spotlight",
        "threats",
        "ipfs",
        "ipfs network",
        "ipfs gateway",
        "python",
        "system",
        "appliance",
        "talos",
        "web3 technology",
        "web3",
        "pe32 executable",
        "discord",
        "swift",
        "powershell"
      ],
      "references": [
        "https://blog.talosintelligence.com/ipfs-abuse/",
        "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_URLs.txt",
        "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_domains.txt",
        "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_contacted_ips.txt",
        "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_emails.txt",
        "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_hashes.txt",
        "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/Emotet_parents.txt",
        "https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2022/11/ipfs-abuse.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Grabber",
          "display_name": "Grabber",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1490",
          "name": "Inhibit System Recovery",
          "display_name": "T1490 - Inhibit System Recovery"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 28,
        "URL": 70,
        "domain": 66,
        "FileHash-SHA256": 2427,
        "FileHash-MD5": 302,
        "FileHash-SHA1": 302
      },
      "indicator_count": 3195,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 864,
      "modified_text": "1267 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "636bb8de4eb9290f5cc657ae",
      "name": "Emotet coming in hot",
      "description": "Emotet is back again with a new campaign displaying many characteristics of older runs, including the use of Auto_Open macros inside XLS documents. Cisco Talos has observed an increased activity of spam distributing this new strain beginning in early November 2022, and the volume of spam and Emotet infrastructure has been increasing since then to target multiple geographies around the world.",
      "modified": "2022-12-09T13:00:49.050000",
      "created": "2022-11-09T14:27:42.407000",
      "tags": [
        "emotet",
        "phishing",
        "maldoc",
        "xls documents",
        "office macros",
        "social engineering",
        "banking trojan"
      ],
      "references": [
        "https://blog.talosintelligence.com/emotet-coming-in-hot/",
        "https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_contacted_URLs.txt",
        "https://github.com/Cisco-Talos/IOCs/blob/main/2022/11/Emotet_hashes.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Sampson.thong",
        "id": "210149",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 67,
        "domain": 26,
        "hostname": 11,
        "FileHash-MD5": 19,
        "FileHash-SHA1": 19,
        "FileHash-SHA256": 2328
      },
      "indicator_count": 2470,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 46,
      "modified_text": "1268 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62c7fb0f8ab654b1c8ebb621",
      "name": "jintingtingtesttest",
      "description": "A look back at some of the most eye-catching stories of recent weeks, as compiled by the BBC News website, with the help of a handful of key characters:..com.-",
      "modified": "2022-08-07T00:05:43.824000",
      "created": "2022-07-08T09:38:23.587000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "jtt12345",
        "id": "194112",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 4268,
        "URL": 101,
        "FileHash-MD5": 13,
        "FileHash-SHA256": 1,
        "domain": 283
      },
      "indicator_count": 4666,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 30,
      "modified_text": "1393 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62c7fb0ff1ead7d85fad5e43",
      "name": "jintingtingtesttest",
      "description": "A look back at some of the most eye-catching stories of recent weeks, as compiled by the BBC News website, with the help of a handful of key characters:..com.-",
      "modified": "2022-08-07T00:05:43.824000",
      "created": "2022-07-08T09:38:23.273000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "jtt12345",
        "id": "194112",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 4268,
        "URL": 101,
        "FileHash-MD5": 13,
        "FileHash-SHA256": 1,
        "domain": 283
      },
      "indicator_count": 4666,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 30,
      "modified_text": "1393 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62c7fb128e18ef22262d95d0",
      "name": "jintingtingtesttest",
      "description": "A look back at some of the most eye-catching stories of recent weeks, as compiled by the BBC News website, with the help of a handful of key characters:..com.-",
      "modified": "2022-08-07T00:05:43.824000",
      "created": "2022-07-08T09:38:26.026000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "jtt12345",
        "id": "194112",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 4268,
        "URL": 101,
        "FileHash-MD5": 13,
        "FileHash-SHA256": 1,
        "domain": 283
      },
      "indicator_count": 4666,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 30,
      "modified_text": "1393 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62b47847408a3c6c9eb248bb",
      "name": "Emotet IOCs",
      "description": "The results of an investigation into a cyber-attack on the European Union (EU) have been published by RGSGK, SRGHRSHSH and the International Institute of Strategic Studies (IISS).",
      "modified": "2022-07-23T00:04:41.726000",
      "created": "2022-06-23T14:27:19.541000",
      "tags": [
        "jjccbb",
        "emotet payload",
        "hashes",
        "xls file",
        "return",
        "identification",
        "emotet",
        "observed",
        "zip file",
        "metadata author"
      ],
      "references": [
        "https://twitter.com/executemalware/status/1539749992323317762"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "brazen.fox.thirteen",
        "id": "155136",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 71,
        "domain": 8,
        "email": 3,
        "hostname": 4
      },
      "indicator_count": 96,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 128,
      "modified_text": "1408 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "nlasandbox.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "nlasandbox.com",
    "found": true,
    "verdict": "malicious",
    "url_count": 2,
    "online_count": 0,
    "blacklists": {
      "spamhaus_dbl": "not listed",
      "surbl": "not listed"
    },
    "urls": [
      {
        "url": "http://nlasandbox.com/facebookpage/JFqg2Aqkl3UPZi6xGz/",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2022-11-04",
        "tags": [
          "dll",
          "emotet",
          "epoch4",
          "heodo"
        ]
      },
      {
        "url": "http://nlasandbox.com/facebookpage/5XVwDnX/",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2022-06-22",
        "tags": [
          "dll",
          "emotet",
          "epoch4",
          "heodo"
        ]
      }
    ],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780204442.9033318
}