{
  "type": "Domain",
  "indicator": "ozcontests.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/ozcontests.com",
    "alexa": "http://www.alexa.com/siteinfo/ozcontests.com",
    "indicator": "ozcontests.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3411171225,
      "indicator": "ozcontests.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "6408e41498a0d60be89c252e",
          "name": "A Noteworthy Threat: How Cybercriminals are Abusing OneNote",
          "description": "Threat actors are taking advantage of Microsoft OneNote's ability to embed files and use social engineering techniques, such as phishing emails and lures inside the OneNote document, to get unsuspecting users to download and open malicious files. Once clicked, an attacker can use the embedded code for various malicious purposes, such as stealing data or installing ransomware on victims' systems.",
          "modified": "2023-04-08T18:02:38.257000",
          "created": "2023-03-08T19:37:56.109000",
          "tags": [
            "OneNote",
            "AsyncRAT",
            "Qakbot",
            "Remcos RAT"
          ],
          "references": [
            "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-1/",
            "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-2/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "AsyncRAT",
              "display_name": "AsyncRAT",
              "target": null
            },
            {
              "id": "Remcos",
              "display_name": "Remcos",
              "target": null
            },
            {
              "id": "QakBot",
              "display_name": "QakBot",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 419,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 10,
            "URL": 26,
            "domain": 29
          },
          "indicator_count": 65,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386660,
          "modified_text": "1149 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63e4d73e21ebe04801fe9386",
          "name": "URLHaus data - 08-02-2023",
          "description": "",
          "modified": "2023-04-13T13:14:56.711000",
          "created": "2023-02-09T11:21:34.210000",
          "tags": [
            "32-bit",
            "elf",
            "mips",
            "hajime",
            "arm",
            "mirai",
            "Mozi",
            "BB14",
            "dll",
            "Qakbot",
            "qbot",
            "Quakbot",
            "TR",
            "SocGholish",
            "vjw0rm",
            "exe",
            "opendir",
            "SnakeKeylogger",
            "Loki",
            "Formbook",
            "AgentTesla",
            "AsyncRAT",
            "encrypted",
            "rat",
            "lnk",
            "geofenced",
            "min-headers",
            "Obama238",
            "USA",
            "Smoke Loader",
            "zip",
            "dropby",
            "PrivateLoader",
            "dropped-by-amadey",
            "x86-32",
            "PowerShellDiscordKeyLogger",
            "njRAT",
            "BRA",
            "x86",
            "rar",
            "Amadey",
            "DDoS Bot",
            "32",
            "sparc",
            "bashlite",
            "gafgyt",
            "motorola",
            "renesas",
            "intel",
            "shellscript",
            "PowerPC",
            "eternitystealer",
            "iso",
            "79-137-199-206",
            "FakeAlchemicWorld",
            "MagicalWorld",
            "pw Magical2013",
            "RedLineStealer",
            "script"
          ],
          "references": [
            "https://urlhaus.abuse.ch/browse/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 565,
            "domain": 11,
            "hostname": 10
          },
          "indicator_count": 586,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1622,
          "modified_text": "1144 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "640b221e2fcac4a5ed5aa56b",
          "name": "OneNote Spear-Phishing Campaign | Trustwave",
          "description": "Trustwave SpiderLabs \u201cnoted\u201d in Part 1 and Part 2 of our OneNote research that OneNote has been used as a malware delivery mechanism. Now we will shift gears and focus on several OneNote decoy notes SpiderLabs has discovered that deliver malware families like Qakbot, XWorm, Icedid, and AsyncRAT. While the malware payload can change, the techniques have generally been the same. The recent uptrend of the OneNote spear phishing campaign that SpiderLabs has observed since December 2022 has led us to additional investigations on this threat.",
          "modified": "2023-04-09T12:04:28.431000",
          "created": "2023-03-10T12:27:10.885000",
          "tags": [
            "phishing",
            "onenote",
            "malware",
            "spiderlabs",
            "mitre",
            "qakbot",
            "rundll32",
            "xworm",
            "icedid",
            "powershell",
            "part",
            "onenote decoy",
            "asyncrat",
            "wind",
            "inject",
            "qbot",
            "strings",
            "persistence",
            "tools",
            "path",
            "span",
            "script",
            "button",
            "link",
            "header dropdown",
            "github",
            "footer",
            "meta",
            "product",
            "template",
            "form",
            "code",
            "copy",
            "enterprise",
            "open",
            "reload",
            "body",
            "find",
            "write",
            "star",
            "close",
            "desktop",
            "main"
          ],
          "references": [
            "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/onenote-spear-phishing-campaign/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "jeffchandy",
            "id": "215558",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_215558/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 105,
            "domain": 40,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 24
          },
          "indicator_count": 171,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 55,
          "modified_text": "1148 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63e58c962467132583467566",
          "name": "URLHaus data - 09-02-2023",
          "description": "",
          "modified": "2023-03-24T12:03:59.613000",
          "created": "2023-02-10T00:15:18.662000",
          "tags": [
            "32-bit",
            "elf",
            "mips",
            "Mozi",
            "mirai",
            "hajime",
            "arm",
            "drop-by-malware",
            "encrypted",
            "PrivateLoader",
            "exe",
            "x86-32",
            "blackcap-grabber",
            "js",
            "1234",
            "Password-protected",
            "zip",
            "agenziaentrate",
            "Gozi",
            "hta",
            "ISFB",
            "ITA",
            "ursnif",
            "Loader",
            "DDoS Bot",
            "SocGholish",
            "url",
            "Formbook",
            "Vidar",
            "Amadey",
            "RedLineStealer",
            "dropped-by-amadey",
            "AgentTesla",
            "AveMariaRAT",
            "dll",
            "geofenced",
            "min-headers",
            "Qakbot",
            "qbot",
            "Quakbot",
            "USA",
            "android",
            "aok",
            "malware",
            "ascii",
            "mekotio",
            "opendir",
            "sh",
            "LaplasClipper",
            "AuroraStealer",
            "32",
            "SnakeKeylogger",
            "RemcosRAT",
            "shellscript",
            "RTF",
            "gafgyt"
          ],
          "references": [
            "https://urlhaus.abuse.ch/browse/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 973,
            "hostname": 20,
            "domain": 26
          },
          "indicator_count": 1019,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1622,
          "modified_text": "1164 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63ea9064603013c612197aca",
          "name": "Qakbot IOCs - @pr0xylife - 2/8/23 - BB14",
          "description": "Qakbot IOCs - @pr0xylife - 2/8/23 - BB14\nhttps://twitter.com/pr0xylife/status/1623378563880652826\nhttps://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB14_08.02.2023.txt",
          "modified": "2023-03-15T19:01:34.087000",
          "created": "2023-02-13T19:32:52.649000",
          "tags": [
            "qakbot"
          ],
          "references": [
            "https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB14_08.02.2023.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "QakBot",
              "display_name": "QakBot",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Techronik",
            "id": "114546",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 123,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 17,
            "domain": 16
          },
          "indicator_count": 159,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 83,
          "modified_text": "1173 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63e9eb920f6717de0882232d",
          "name": "Threat Intel Report - W7-2023.pdf",
          "description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks this week.\nSecurity is a continuous process, and it has to be reviewed and audited in a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against the latest cyber trends.",
          "modified": "2023-03-15T07:01:21.082000",
          "created": "2023-02-13T07:49:38.950000",
          "tags": [],
          "references": [
            "Threat Intel Report - W7-2023.pdf",
            "https://www.dnsbl.info/",
            "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time",
            "https://valkyrie.comodo.com/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "aa00643640@techmahindra.com",
            "id": "156540",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 80,
            "FileHash-MD5": 27,
            "FileHash-SHA1": 27,
            "FileHash-SHA256": 42,
            "CVE": 2,
            "URL": 151,
            "domain": 102
          },
          "indicator_count": 431,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "1174 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63f8011ca202d455c08e5497",
          "name": "Malware Filter - Phishing List - 23-02-2023",
          "description": "",
          "modified": "2023-02-24T00:13:16.114000",
          "created": "2023-02-24T00:13:16.114000",
          "tags": [],
          "references": [
            "https://malware-filter.gitlab.io/malware-filter/phishing-filter-domains.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 317,
            "hostname": 500
          },
          "indicator_count": 817,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1622,
          "modified_text": "1193 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6243f536785e5607272c899a",
          "name": "NewDom-3-20220330",
          "description": "ICANN-Dom",
          "modified": "2022-05-14T00:00:15.403000",
          "created": "2022-03-30T06:14:14.352000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ZENDataGELowC",
            "id": "152785",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {},
          "indicator_count": 0,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 203,
          "modified_text": "1479 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 0
        }
      ],
      "references": [
        "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-1/",
        "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-2/",
        "https://urlhaus.abuse.ch/browse/",
        "https://valkyrie.comodo.com/",
        "https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB14_08.02.2023.txt",
        "https://malware-filter.gitlab.io/malware-filter/phishing-filter-domains.txt",
        "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time",
        "https://www.dnsbl.info/",
        "Threat Intel Report - W7-2023.pdf",
        "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/onenote-spear-phishing-campaign/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Remcos",
            "Asyncrat",
            "Qakbot"
          ],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Qakbot"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "6408e41498a0d60be89c252e",
      "name": "A Noteworthy Threat: How Cybercriminals are Abusing OneNote",
      "description": "Threat actors are taking advantage of Microsoft OneNote's ability to embed files and use social engineering techniques, such as phishing emails and lures inside the OneNote document, to get unsuspecting users to download and open malicious files. Once clicked, an attacker can use the embedded code for various malicious purposes, such as stealing data or installing ransomware on victims' systems.",
      "modified": "2023-04-08T18:02:38.257000",
      "created": "2023-03-08T19:37:56.109000",
      "tags": [
        "OneNote",
        "AsyncRAT",
        "Qakbot",
        "Remcos RAT"
      ],
      "references": [
        "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-1/",
        "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-2/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "AsyncRAT",
          "display_name": "AsyncRAT",
          "target": null
        },
        {
          "id": "Remcos",
          "display_name": "Remcos",
          "target": null
        },
        {
          "id": "QakBot",
          "display_name": "QakBot",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1124",
          "name": "System Time Discovery",
          "display_name": "T1124 - System Time Discovery"
        },
        {
          "id": "T1125",
          "name": "Video Capture",
          "display_name": "T1125 - Video Capture"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 419,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 10,
        "URL": 26,
        "domain": 29
      },
      "indicator_count": 65,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386660,
      "modified_text": "1149 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63e4d73e21ebe04801fe9386",
      "name": "URLHaus data - 08-02-2023",
      "description": "",
      "modified": "2023-04-13T13:14:56.711000",
      "created": "2023-02-09T11:21:34.210000",
      "tags": [
        "32-bit",
        "elf",
        "mips",
        "hajime",
        "arm",
        "mirai",
        "Mozi",
        "BB14",
        "dll",
        "Qakbot",
        "qbot",
        "Quakbot",
        "TR",
        "SocGholish",
        "vjw0rm",
        "exe",
        "opendir",
        "SnakeKeylogger",
        "Loki",
        "Formbook",
        "AgentTesla",
        "AsyncRAT",
        "encrypted",
        "rat",
        "lnk",
        "geofenced",
        "min-headers",
        "Obama238",
        "USA",
        "Smoke Loader",
        "zip",
        "dropby",
        "PrivateLoader",
        "dropped-by-amadey",
        "x86-32",
        "PowerShellDiscordKeyLogger",
        "njRAT",
        "BRA",
        "x86",
        "rar",
        "Amadey",
        "DDoS Bot",
        "32",
        "sparc",
        "bashlite",
        "gafgyt",
        "motorola",
        "renesas",
        "intel",
        "shellscript",
        "PowerPC",
        "eternitystealer",
        "iso",
        "79-137-199-206",
        "FakeAlchemicWorld",
        "MagicalWorld",
        "pw Magical2013",
        "RedLineStealer",
        "script"
      ],
      "references": [
        "https://urlhaus.abuse.ch/browse/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 565,
        "domain": 11,
        "hostname": 10
      },
      "indicator_count": 586,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1622,
      "modified_text": "1144 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "640b221e2fcac4a5ed5aa56b",
      "name": "OneNote Spear-Phishing Campaign | Trustwave",
      "description": "Trustwave SpiderLabs \u201cnoted\u201d in Part 1 and Part 2 of our OneNote research that OneNote has been used as a malware delivery mechanism; now we will shift gears and focus on several OneNote decoy notes SpiderLabs has discovered that deliver malware families like Qakbot, XWorm, Icedid, and AsyncRAT. While the malware payload can change, the techniques have generally been the same. The recent uptrend of the OneNote spear-phishing campaign that SpiderLabs has observed since December 2022 has led us to additional investigations into this threat.",
      "modified": "2023-04-09T12:04:28.431000",
      "created": "2023-03-10T12:27:10.885000",
      "tags": [
        "phishing",
        "onenote",
        "malware",
        "spiderlabs",
        "mitre",
        "qakbot",
        "rundll32",
        "xworm",
        "icedid",
        "powershell",
        "part",
        "onenote decoy",
        "asyncrat",
        "wind",
        "inject",
        "qbot",
        "strings",
        "persistence",
        "tools",
        "path",
        "span",
        "script",
        "button",
        "link",
        "header dropdown",
        "github",
        "footer",
        "meta",
        "product",
        "template",
        "form",
        "code",
        "copy",
        "enterprise",
        "open",
        "reload",
        "body",
        "find",
        "write",
        "star",
        "close",
        "desktop",
        "main"
      ],
      "references": [
        "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/onenote-spear-phishing-campaign/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1614",
          "name": "System Location Discovery",
          "display_name": "T1614 - System Location Discovery"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "jeffchandy",
        "id": "215558",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_215558/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 105,
        "domain": 40,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 24
      },
      "indicator_count": 171,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 55,
      "modified_text": "1148 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63e58c962467132583467566",
      "name": "URLHaus data - 09-02-2023",
      "description": "",
      "modified": "2023-03-24T12:03:59.613000",
      "created": "2023-02-10T00:15:18.662000",
      "tags": [
        "32-bit",
        "elf",
        "mips",
        "Mozi",
        "mirai",
        "hajime",
        "arm",
        "drop-by-malware",
        "encrypted",
        "PrivateLoader",
        "exe",
        "x86-32",
        "blackcap-grabber",
        "js",
        "1234",
        "Password-protected",
        "zip",
        "agenziaentrate",
        "Gozi",
        "hta",
        "ISFB",
        "ITA",
        "ursnif",
        "Loader",
        "DDoS Bot",
        "SocGholish",
        "url",
        "Formbook",
        "Vidar",
        "Amadey",
        "RedLineStealer",
        "dropped-by-amadey",
        "AgentTesla",
        "AveMariaRAT",
        "dll",
        "geofenced",
        "min-headers",
        "Qakbot",
        "qbot",
        "Quakbot",
        "USA",
        "android",
        "aok",
        "malware",
        "ascii",
        "mekotio",
        "opendir",
        "sh",
        "LaplasClipper",
        "AuroraStealer",
        "32",
        "SnakeKeylogger",
        "RemcosRAT",
        "shellscript",
        "RTF",
        "gafgyt"
      ],
      "references": [
        "https://urlhaus.abuse.ch/browse/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 973,
        "hostname": 20,
        "domain": 26
      },
      "indicator_count": 1019,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1622,
      "modified_text": "1164 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63ea9064603013c612197aca",
      "name": "Qakbot IOCs - @pr0xylife - 2/8/23 - BB14",
      "description": "Qakbot IOCs - @pr0xylife - 2/8/23 - BB14\nhttps://twitter.com/pr0xylife/status/1623378563880652826\nhttps://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB14_08.02.2023.txt",
      "modified": "2023-03-15T19:01:34.087000",
      "created": "2023-02-13T19:32:52.649000",
      "tags": [
        "qakbot"
      ],
      "references": [
        "https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB14_08.02.2023.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "QakBot",
          "display_name": "QakBot",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Techronik",
        "id": "114546",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 123,
        "FileHash-MD5": 1,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 17,
        "domain": 16
      },
      "indicator_count": 159,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 83,
      "modified_text": "1173 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63e9eb920f6717de0882232d",
      "name": "Threat Intel Report - W7-2023.pdf",
      "description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against the threats and attacks newly identified this week.\nSecurity is a continuous process, and it has to be reviewed and audited continuously through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against the latest cyber trends.",
      "modified": "2023-03-15T07:01:21.082000",
      "created": "2023-02-13T07:49:38.950000",
      "tags": [],
      "references": [
        "Threat Intel Report - W7-2023.pdf",
        "https://www.dnsbl.info/",
        "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time",
        "https://valkyrie.comodo.com/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "aa00643640@techmahindra.com",
        "id": "156540",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 80,
        "FileHash-MD5": 27,
        "FileHash-SHA1": 27,
        "FileHash-SHA256": 42,
        "CVE": 2,
        "URL": 151,
        "domain": 102
      },
      "indicator_count": 431,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 110,
      "modified_text": "1174 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63f8011ca202d455c08e5497",
      "name": "Malware Filter - Phishing List - 23-02-2023",
      "description": "",
      "modified": "2023-02-24T00:13:16.114000",
      "created": "2023-02-24T00:13:16.114000",
      "tags": [],
      "references": [
        "https://malware-filter.gitlab.io/malware-filter/phishing-filter-domains.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 317,
        "hostname": 500
      },
      "indicator_count": 817,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1622,
      "modified_text": "1193 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6243f536785e5607272c899a",
      "name": "NewDom-3-20220330",
      "description": "ICANN-Dom",
      "modified": "2022-05-14T00:00:15.403000",
      "created": "2022-03-30T06:14:14.352000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ZENDataGELowC",
        "id": "152785",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {},
      "indicator_count": 0,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 203,
      "modified_text": "1479 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 0
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "ozcontests.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "ozcontests.com",
    "found": true,
    "verdict": "malicious",
    "url_count": 2,
    "online_count": 0,
    "blacklists": {
      "spamhaus_dbl": "not listed",
      "surbl": "not listed"
    },
    "urls": [
      {
        "url": "http://ozcontests.com/tE3xt/01.png",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2023-02-09",
        "tags": [
          "dll",
          "geofenced",
          "Qakbot",
          "qbot",
          "Quakbot",
          "USA"
        ]
      },
      {
        "url": "https://ozcontests.com/tE3xt/01.png",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2023-02-08",
        "tags": [
          "BB14",
          "dll",
          "Qakbot",
          "qbot",
          "Quakbot",
          "TR"
        ]
      }
    ],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780312596.0682213
}