{ "type": "Domain", "indicator": "patchlinks.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/patchlinks.com", "alexa": "http://www.alexa.com/siteinfo/patchlinks.com", "indicator": "patchlinks.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2752100246, "indicator": "patchlinks.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "6334443264821a04f52170e1", "name": "NullMixer drops Redline Stealer, SmokeLoader and other malware", "description": "NullMixer is a dropper leading to an infection chain of a wide variety of malware families. NullMixer spreads via malicious websites that can be found mainly via search engines. These websites are often related to crack, keygen and activators for downloading software illegally, and while they may pretend to be legitimate software, they actually contain a malware dropper.", "modified": "2022-10-28T12:02:33.186000", "created": "2022-09-28T12:55:13.306000", "tags": [ "Vidar", "Smokeloader", "Redline", "Exodus", "Nullmixer", "Disbuk", "Malware", "Trojan" ], "references": [ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Egypt", "France", "Germany", "Italy", "Russian Federation", "India", "Brazil" ], "malware_families": [ { "id": "Maui", "display_name": "Maui", "target": null }, { "id": "Satacom", "display_name": "Satacom", "target": null }, { "id": "SgnitLoader", "display_name": "SgnitLoader", "target": null }, { "id": "ClipBanker", "display_name": "ClipBanker", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Disbuk", "display_name": "Disbuk", "target": null }, { "id": "Fabookie", "display_name": "Fabookie", "target": null }, { "id": "Glupteba", "display_name": "Glupteba", "target": null }, { "id": "NullMixer", "display_name": "NullMixer", "target": null }, { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "ShortLoader", "display_name": "ShortLoader", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "FormatLoader", "display_name": "FormatLoader", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Military", "Industrial" ], "TLP": "white", "cloned_from": null, "export_count": 546, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "hostname": 10, "FileHash-MD5": 40, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "domain": 47 }, "indicator_count": 127, "is_author": false, "is_subscribing": null, "subscriber_count": 377597, "modified_text": "1269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6510a2dd9c7acab85a26f978", "name": "Phishing sites 2023-09-24", "description": "https://github.com/olbat/ut1-blacklists/blob/master/blacklists/phishing/domains", "modified": "2023-10-24T20:02:37.137000", "created": "2023-09-24T20:58:05.025000", "tags": [ "phishing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "France" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "URL": 5, "domain": 37579, "hostname": 3238 }, "indicator_count": 40832, "is_author": false, "is_subscribing": null, "subscriber_count": 190, "modified_text": "908 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "633528c3690c2c7b7c91634f", "name": "NullMixer drops Redline Stealer, SmokeLoader and other malware", "description": "", "modified": "2022-10-28T12:02:33.186000", "created": "2022-09-29T05:10:27.152000", "tags": [ "Vidar", "Smokeloader", "Redline", "Exodus", "Nullmixer", "Disbuk", "Malware", "Trojan" ], "references": [ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Egypt", "France", "Germany", "Italy", "Russian Federation", "India", "Brazil" ], "malware_families": [ { "id": "Maui", "display_name": "Maui", "target": null }, { "id": "Satacom", "display_name": "Satacom", "target": null }, { "id": "SgnitLoader", "display_name": "SgnitLoader", "target": null }, { "id": "ClipBanker", "display_name": "ClipBanker", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Disbuk", "display_name": "Disbuk", "target": null }, { "id": "Fabookie", "display_name": "Fabookie", "target": null }, { "id": "Glupteba", "display_name": "Glupteba", "target": null }, { "id": "NullMixer", "display_name": "NullMixer", "target": null }, { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "ShortLoader", "display_name": "ShortLoader", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "FormatLoader", "display_name": "FormatLoader", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Military", "Industrial" ], "TLP": "white", "cloned_from": "6334443264821a04f52170e1", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 10, "FileHash-MD5": 40, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "domain": 47 }, "indicator_count": 127, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "1269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "633528dcb917a24316d20214", "name": "NullMixer drops Redline Stealer, SmokeLoader and other malware", "description": "", "modified": "2022-10-28T12:02:33.186000", "created": "2022-09-29T05:10:52.036000", "tags": [ "Vidar", "Smokeloader", "Redline", "Exodus", "Nullmixer", "Disbuk", "Malware", "Trojan" ], "references": [ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Egypt", "France", "Germany", "Italy", "Russian Federation", "India", "Brazil" ], "malware_families": [ { "id": "Maui", "display_name": "Maui", "target": null }, { "id": "Satacom", "display_name": "Satacom", "target": null }, { "id": "SgnitLoader", "display_name": "SgnitLoader", "target": null }, { "id": "ClipBanker", "display_name": "ClipBanker", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Disbuk", "display_name": "Disbuk", "target": null }, { "id": "Fabookie", "display_name": "Fabookie", "target": null }, { "id": "Glupteba", "display_name": "Glupteba", "target": null }, { "id": "NullMixer", "display_name": "NullMixer", "target": null }, { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "ShortLoader", "display_name": "ShortLoader", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "FormatLoader", "display_name": "FormatLoader", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Military", "Industrial" ], "TLP": "white", "cloned_from": "633528c3690c2c7b7c91634f", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 10, "FileHash-MD5": 40, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "domain": 47 }, "indicator_count": 127, "is_author": false, "is_subscribing": null, "subscriber_count": 263, "modified_text": "1269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6334233e80197cd5a8f2af39", "name": "NullMixer: oodles of Trojans in a single dropper", "description": "A description of a malware dropper that drops malware files from websites that do not appear to be related to crack, keygen and activators has been posted online by CyberHunter_NL, a Dutch security firm.", "modified": "2022-10-28T10:02:13.929000", "created": "2022-09-28T10:34:38.274000", "tags": [ "ulrs https", "malware c", "coldstealer", "formatloader", "lgoogloader", "racealer", "redline", "satacom", "sgnitloader", "shortloader", "vidar", "nullmixer", "smokeloader", "information", "capture", "redline stealer", "securelist", "created", "hours ago", "white nullmixer", "industries", "azorult", "clipbanker", "danabot", "fabookie", "glupteba", "exodus", "manipulation" ], "references": [ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BITSecurity", "id": "103352", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 55, "hostname": 10, "FileHash-MD5": 40, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "domain": 46 }, "indicator_count": 181, "is_author": false, "is_subscribing": null, "subscriber_count": 241, "modified_text": "1269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6333fff79e5307a165d8e3d6", "name": "NullMixer drops Redline Stealer, SmokeLoader and other malware | Securelist", "description": "NullMixer is a malware dropper that drops malware files from websites that appear to be related to crack, keygen and activators, but which can be found only if the user clicks on them.", "modified": "2022-10-28T08:02:45.572000", "created": "2022-09-28T08:04:07.946000", "tags": [ "vidar", "smokeloader", "formatloader", "redline", "shortloader", "exodus", "nullmixer", "glupteba", "fabookie", "disbuk", "danabot", "clipbanker", "sgnitloader", "satacom", "lgoogloader", "legionloader", "azorult", "maui", "stonefly", "malware", "malware descriptions", "malware technologies", "trojan", "trojan-dropper", "trojan-stealer", "urls", "ip address", "redline stealer", "execution", "nsis", "june", "service", "socelar", "nirsoft", "trojanbanker", "delphi", "raccoonstealer", "bitcoin", "obsidium", "logger", "installer", "download", "antivm", "racealer" ], "references": [ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/" ], "public": 1, "adversary": "", "targeted_countries": [ "Afghanistan", "Korea, Republic of", "United States of America", "Turkey", "Egypt", "France", "Germany", "Italy", "Russian Federation", "India", "Brazil" ], "malware_families": [ { "id": "Stonefly", "display_name": "Stonefly", "target": null }, { "id": "Maui", "display_name": "Maui", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "LegionLoader", "display_name": "LegionLoader", "target": null }, { "id": "LgoogLoader", "display_name": "LgoogLoader", "target": null }, { "id": "Satacom", "display_name": "Satacom", "target": null }, { "id": "SgnitLoader", "display_name": "SgnitLoader", "target": null }, { "id": "ClipBanker", "display_name": "ClipBanker", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Disbuk", "display_name": "Disbuk", "target": null }, { "id": "Fabookie", "display_name": "Fabookie", "target": null }, { "id": "Glupteba", "display_name": "Glupteba", "target": null }, { "id": "NullMixer", "display_name": "NullMixer", "target": null }, { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "ShortLoader", "display_name": "ShortLoader", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "FormatLoader", "display_name": "FormatLoader", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Ics", "Military", "Government", "Industrial" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 65, "hostname": 10, "FileHash-MD5": 40, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "domain": 47 }, "indicator_count": 192, "is_author": false, "is_subscribing": null, "subscriber_count": 846, "modified_text": "1269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6333cb67a39bb8c517becf03", "name": "New NullMixer dropper infects PCs with a dozen different malware families", "description": "", "modified": "2022-10-28T04:05:01.349000", "created": "2022-09-28T04:19:51.568000", "tags": [], "references": [ "September 28th, 2022 - CryptoGen Cyber Threat Intelligence - New NullMixer dropper infects PCs with a dozen different malware families (1).pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 55, "hostname": 10, "FileHash-MD5": 40, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "domain": 46 }, "indicator_count": 181, "is_author": false, "is_subscribing": null, "subscriber_count": 485, "modified_text": "1269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "633367090d3d65c93681c79d", "name": "NullMixer drops Redline Stealer, SmokeLoader and other malware | Securelist", "description": "NullMixer is a malware dropper that drops malware files from websites that appear to be related to crack, keygen and activators, but which can be found only if the user clicks on them.", "modified": "2022-10-27T21:03:38.408000", "created": "2022-09-27T21:11:37.988000", "tags": [ "vidar", "smokeloader", "formatloader", "redline", "shortloader", "exodus", "nullmixer", "glupteba", "fabookie", "disbuk", "danabot", "clipbanker", "sgnitloader", "satacom", "lgoogloader", "legionloader", "azorult", "maui", "stonefly", "malware", "malware descriptions", "malware technologies", "trojan", "trojan-dropper", "trojan-stealer", "urls", "ip address", "redline stealer", "gcleaner", "coldstealer", "execution", "nsis", "june", "service", "socelar", "nirsoft", "trojanbanker", "delphi", "raccoonstealer", "bitcoin", "obsidium", "logger", "installer", "download", "antivm", "racealer" ], "references": [ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/" ], "public": 1, "adversary": "", "targeted_countries": [ "Afghanistan", "Korea, Republic of", "United States of America", "Turkey", "Egypt", "France", "Germany", "Italy", "Russian Federation", "India", "Brazil" ], "malware_families": [ { "id": "Stonefly", "display_name": "Stonefly", "target": null }, { "id": "Maui", "display_name": "Maui", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "LegionLoader", "display_name": "LegionLoader", "target": null }, { "id": "LgoogLoader", "display_name": "LgoogLoader", "target": null }, { "id": "Satacom", "display_name": "Satacom", "target": null }, { "id": "SgnitLoader", "display_name": "SgnitLoader", "target": null }, { "id": "ClipBanker", "display_name": "ClipBanker", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Disbuk", "display_name": "Disbuk", "target": null }, { "id": "Fabookie", "display_name": "Fabookie", "target": null }, { "id": "Glupteba", "display_name": "Glupteba", "target": null }, { "id": "NullMixer", "display_name": "NullMixer", "target": null }, { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "ShortLoader", "display_name": "ShortLoader", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "FormatLoader", "display_name": "FormatLoader", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Ics", "Military", "Government", "Industrial" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "VertekLabs", "id": "168455", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 65, "hostname": 10, "FileHash-MD5": 40, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "domain": 47 }, "indicator_count": 192, "is_author": false, "is_subscribing": null, "subscriber_count": 561, "modified_text": "1270 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63325d70ea86d858e416e91b", "name": "NullMixer drops Redline Stealer, SmokeLoader and other malware | Securelist", "description": "NullMixer is a malware dropper that drops malware files from websites that appear to be related to crack, keygen and activators, but which can be found only if the user clicks on them.", "modified": "2022-10-27T02:04:22.239000", "created": "2022-09-27T02:18:24.059000", "tags": [ "vidar", "smokeloader", "formatloader", "redline", "shortloader", "exodus", "nullmixer", "glupteba", "fabookie", "disbuk", "danabot", "clipbanker", "sgnitloader", "satacom", "lgoogloader", "legionloader", "azorult", "maui", "stonefly", "malware", "malware descriptions", "malware technologies", "trojan", "trojan-dropper", "trojan-stealer", "urls", "ip address", "redline stealer", "gcleaner", "coldstealer", "execution", "nsis", "june", "service", "socelar", "nirsoft", "trojanbanker", "delphi", "raccoonstealer", "bitcoin", "obsidium", "logger", "installer", "download", "antivm", "racealer" ], "references": [ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/" ], "public": 1, "adversary": "", "targeted_countries": [ "Afghanistan", "Korea, Republic of", "United States of America", "Turkey", "Egypt", "France", "Germany", "Italy", "Russian Federation", "India", "Brazil" ], "malware_families": [ { "id": "Stonefly", "display_name": "Stonefly", "target": null }, { "id": "Maui", "display_name": "Maui", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "LegionLoader", "display_name": "LegionLoader", "target": null }, { "id": "LgoogLoader", "display_name": "LgoogLoader", "target": null }, { "id": "Satacom", "display_name": "Satacom", "target": null }, { "id": "SgnitLoader", "display_name": "SgnitLoader", "target": null }, { "id": "ClipBanker", "display_name": "ClipBanker", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Disbuk", "display_name": "Disbuk", "target": null }, { "id": "Fabookie", "display_name": "Fabookie", "target": null }, { "id": "Glupteba", "display_name": "Glupteba", "target": null }, { "id": "NullMixer", "display_name": "NullMixer", "target": null }, { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "ShortLoader", "display_name": "ShortLoader", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "FormatLoader", "display_name": "FormatLoader", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Ics", "Military", "Government", "Industrial" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 60, "hostname": 10, "FileHash-MD5": 40, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "domain": 47 }, "indicator_count": 187, "is_author": false, "is_subscribing": null, "subscriber_count": 354, "modified_text": "1270 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62cbdddd1fc2e2956bfacda5", "name": "vvvvv", "description": "The internet is full of people, but not everyone wants to see it, so here's a look at some of the more eye-catching snippets from the past few days:..com.", "modified": "2022-08-10T00:00:07.214000", "created": "2022-07-11T08:22:53.511000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "leiwen15", "id": "157128", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3662, "URL": 250, "domain": 1592, "FileHash-MD5": 4, "email": 2 }, "indicator_count": 5510, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "1349 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62cbdde0447b9617f24a8901", "name": "vvvvv", "description": "The internet is full of people, but not everyone wants to see it, so here's a look at some of the more eye-catching snippets from the past few days:..com.", "modified": "2022-08-10T00:00:07.214000", "created": "2022-07-11T08:22:56.693000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "leiwen15", "id": "157128", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3662, "URL": 250, "domain": 1592, "FileHash-MD5": 4, "email": 2 }, "indicator_count": 5510, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "1349 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62cbddf0c4709eb7b4d0fb94", "name": "data of hhh", "description": "The internet is full of people, but not everyone wants to see it, so here's a look at some of the more eye-catching snippets from the past few days:..com.", "modified": "2022-08-10T00:00:07.214000", "created": "2022-07-11T08:23:12.624000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "leiwen15", "id": "157128", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3662, "URL": 250, "domain": 1592, "FileHash-MD5": 4, "email": 2 }, "indicator_count": 5510, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "1349 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "September 28th, 2022 - CryptoGen Cyber Threat Intelligence - New NullMixer dropper infects PCs with a dozen different malware families (1).pdf", "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Disbuk", "Redline", "Satacom", "Nullmixer", "Formatloader", "Glupteba", "Shortloader", "Vidar", "Sgnitloader", "Smokeloader", "Danabot", "Clipbanker", "Exodus", "Fabookie", "Maui" ], "industries": [ "Industrial", "Military" ] }, "other": { "adversary": [], "malware_families": [ "Nullmixer", "Formatloader", "Smokeloader", "Clipbanker", "Exodus", "Fabookie", "Maui", "Sgnitloader", "Danabot", "Azorult", "Glupteba", "Shortloader", "Lgoogloader", "Disbuk", "Redline", "Satacom", "Stonefly", "Vidar", "Legionloader" ], "industries": [ "Government", "Industrial", "Military", "Ics" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "6334443264821a04f52170e1", "name": "NullMixer drops Redline Stealer, SmokeLoader and other malware", "description": "NullMixer is a dropper leading to an infection chain of a wide variety of malware families. NullMixer spreads via malicious websites that can be found mainly via search engines. These websites are often related to crack, keygen and activators for downloading software illegally, and while they may pretend to be legitimate software, they actually contain a malware dropper.", "modified": "2022-10-28T12:02:33.186000", "created": "2022-09-28T12:55:13.306000", "tags": [ "Vidar", "Smokeloader", "Redline", "Exodus", "Nullmixer", "Disbuk", "Malware", "Trojan" ], "references": [ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Egypt", "France", "Germany", "Italy", "Russian Federation", "India", "Brazil" ], "malware_families": [ { "id": "Maui", "display_name": "Maui", "target": null }, { "id": "Satacom", "display_name": "Satacom", "target": null }, { "id": "SgnitLoader", "display_name": "SgnitLoader", "target": null }, { "id": "ClipBanker", "display_name": "ClipBanker", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Disbuk", "display_name": "Disbuk", "target": null }, { "id": "Fabookie", "display_name": "Fabookie", "target": null }, { "id": "Glupteba", "display_name": "Glupteba", "target": null }, { "id": "NullMixer", "display_name": "NullMixer", "target": null }, { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "ShortLoader", "display_name": "ShortLoader", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "FormatLoader", "display_name": "FormatLoader", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Military", "Industrial" ], "TLP": "white", "cloned_from": null, "export_count": 546, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "hostname": 10, "FileHash-MD5": 40, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "domain": 47 }, "indicator_count": 127, "is_author": false, "is_subscribing": null, "subscriber_count": 377597, "modified_text": "1269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6510a2dd9c7acab85a26f978", "name": "Phishing sites 2023-09-24", "description": "https://github.com/olbat/ut1-blacklists/blob/master/blacklists/phishing/domains", "modified": "2023-10-24T20:02:37.137000", "created": "2023-09-24T20:58:05.025000", "tags": [ "phishing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "France" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "URL": 5, "domain": 37579, "hostname": 3238 }, "indicator_count": 40832, "is_author": false, "is_subscribing": null, "subscriber_count": 190, "modified_text": "908 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "633528c3690c2c7b7c91634f", "name": "NullMixer drops Redline Stealer, SmokeLoader and other malware", "description": "", "modified": "2022-10-28T12:02:33.186000", "created": "2022-09-29T05:10:27.152000", "tags": [ "Vidar", "Smokeloader", "Redline", "Exodus", "Nullmixer", "Disbuk", "Malware", "Trojan" ], "references": [ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Egypt", "France", "Germany", "Italy", "Russian Federation", "India", "Brazil" ], "malware_families": [ { "id": "Maui", "display_name": "Maui", "target": null }, { "id": "Satacom", "display_name": "Satacom", "target": null }, { "id": "SgnitLoader", "display_name": "SgnitLoader", "target": null }, { "id": "ClipBanker", "display_name": "ClipBanker", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Disbuk", "display_name": "Disbuk", "target": null }, { "id": "Fabookie", "display_name": "Fabookie", "target": null }, { "id": "Glupteba", "display_name": "Glupteba", "target": null }, { "id": "NullMixer", "display_name": "NullMixer", "target": null }, { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "ShortLoader", "display_name": "ShortLoader", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "FormatLoader", "display_name": "FormatLoader", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Military", "Industrial" ], "TLP": "white", "cloned_from": "6334443264821a04f52170e1", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 10, "FileHash-MD5": 40, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "domain": 47 }, "indicator_count": 127, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "1269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "633528dcb917a24316d20214", "name": "NullMixer drops Redline Stealer, SmokeLoader and other malware", "description": "", "modified": "2022-10-28T12:02:33.186000", "created": "2022-09-29T05:10:52.036000", "tags": [ "Vidar", "Smokeloader", "Redline", "Exodus", "Nullmixer", "Disbuk", "Malware", "Trojan" ], "references": [ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Egypt", "France", "Germany", "Italy", "Russian Federation", "India", "Brazil" ], "malware_families": [ { "id": "Maui", "display_name": "Maui", "target": null }, { "id": "Satacom", "display_name": "Satacom", "target": null }, { "id": "SgnitLoader", "display_name": "SgnitLoader", "target": null }, { "id": "ClipBanker", "display_name": "ClipBanker", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Disbuk", "display_name": "Disbuk", "target": null }, { "id": "Fabookie", "display_name": "Fabookie", "target": null }, { "id": "Glupteba", "display_name": "Glupteba", "target": null }, { "id": "NullMixer", "display_name": "NullMixer", "target": null }, { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "ShortLoader", "display_name": "ShortLoader", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "FormatLoader", "display_name": "FormatLoader", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Military", "Industrial" ], "TLP": "white", "cloned_from": "633528c3690c2c7b7c91634f", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 10, "FileHash-MD5": 40, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "domain": 47 }, "indicator_count": 127, "is_author": false, "is_subscribing": null, "subscriber_count": 263, "modified_text": "1269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6334233e80197cd5a8f2af39", "name": "NullMixer: oodles of Trojans in a single dropper", "description": "A description of a malware dropper that drops malware files from websites that do not appear to be related to crack, keygen and activators has been posted online by CyberHunter_NL, a Dutch security firm.", "modified": "2022-10-28T10:02:13.929000", "created": "2022-09-28T10:34:38.274000", "tags": [ "ulrs https", "malware c", "coldstealer", "formatloader", "lgoogloader", "racealer", "redline", "satacom", "sgnitloader", "shortloader", "vidar", "nullmixer", "smokeloader", "information", "capture", "redline stealer", "securelist", "created", "hours ago", "white nullmixer", "industries", "azorult", "clipbanker", "danabot", "fabookie", "glupteba", "exodus", "manipulation" ], "references": [ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BITSecurity", "id": "103352", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 55, "hostname": 10, "FileHash-MD5": 40, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "domain": 46 }, "indicator_count": 181, "is_author": false, "is_subscribing": null, "subscriber_count": 241, "modified_text": "1269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6333fff79e5307a165d8e3d6", "name": "NullMixer drops Redline Stealer, SmokeLoader and other malware | Securelist", "description": "NullMixer is a malware dropper that drops malware files from websites that appear to be related to crack, keygen and activators, but which can be found only if the user clicks on them.", "modified": "2022-10-28T08:02:45.572000", "created": "2022-09-28T08:04:07.946000", "tags": [ "vidar", "smokeloader", "formatloader", "redline", "shortloader", "exodus", "nullmixer", "glupteba", "fabookie", "disbuk", "danabot", "clipbanker", "sgnitloader", "satacom", "lgoogloader", "legionloader", "azorult", "maui", "stonefly", "malware", "malware descriptions", "malware technologies", "trojan", "trojan-dropper", "trojan-stealer", "urls", "ip address", "redline stealer", "execution", "nsis", "june", "service", "socelar", "nirsoft", "trojanbanker", "delphi", "raccoonstealer", "bitcoin", "obsidium", "logger", "installer", "download", "antivm", "racealer" ], "references": [ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/" ], "public": 1, "adversary": "", "targeted_countries": [ "Afghanistan", "Korea, Republic of", "United States of America", "Turkey", "Egypt", "France", "Germany", "Italy", "Russian Federation", "India", "Brazil" ], "malware_families": [ { "id": "Stonefly", "display_name": "Stonefly", "target": null }, { "id": "Maui", "display_name": "Maui", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "LegionLoader", "display_name": "LegionLoader", "target": null }, { "id": "LgoogLoader", "display_name": "LgoogLoader", "target": null }, { "id": "Satacom", "display_name": "Satacom", "target": null }, { "id": "SgnitLoader", "display_name": "SgnitLoader", "target": null }, { "id": "ClipBanker", "display_name": "ClipBanker", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Disbuk", "display_name": "Disbuk", "target": null }, { "id": "Fabookie", "display_name": "Fabookie", "target": null }, { "id": "Glupteba", "display_name": "Glupteba", "target": null }, { "id": "NullMixer", "display_name": "NullMixer", "target": null }, { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "ShortLoader", "display_name": "ShortLoader", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "FormatLoader", "display_name": "FormatLoader", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Ics", "Military", "Government", "Industrial" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 65, "hostname": 10, "FileHash-MD5": 40, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "domain": 47 }, "indicator_count": 192, "is_author": false, "is_subscribing": null, "subscriber_count": 846, "modified_text": "1269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6333cb67a39bb8c517becf03", "name": "New NullMixer dropper infects PCs with a dozen different malware families", "description": "", "modified": "2022-10-28T04:05:01.349000", "created": "2022-09-28T04:19:51.568000", "tags": [], "references": [ "September 28th, 2022 - CryptoGen Cyber Threat Intelligence - New NullMixer dropper infects PCs with a dozen different malware families (1).pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 55, "hostname": 10, "FileHash-MD5": 40, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "domain": 46 }, "indicator_count": 181, "is_author": false, "is_subscribing": null, "subscriber_count": 485, "modified_text": "1269 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "633367090d3d65c93681c79d", "name": "NullMixer drops Redline Stealer, SmokeLoader and other malware | Securelist", "description": "NullMixer is a malware dropper that drops malware files from websites that appear to be related to crack, keygen and activators, but which can be found only if the user clicks on them.", "modified": "2022-10-27T21:03:38.408000", "created": "2022-09-27T21:11:37.988000", "tags": [ "vidar", "smokeloader", "formatloader", "redline", "shortloader", "exodus", "nullmixer", "glupteba", "fabookie", "disbuk", "danabot", "clipbanker", "sgnitloader", "satacom", "lgoogloader", "legionloader", "azorult", "maui", "stonefly", "malware", "malware descriptions", "malware technologies", "trojan", "trojan-dropper", "trojan-stealer", "urls", "ip address", "redline stealer", "gcleaner", "coldstealer", "execution", "nsis", "june", "service", "socelar", "nirsoft", "trojanbanker", "delphi", "raccoonstealer", "bitcoin", "obsidium", "logger", "installer", "download", "antivm", "racealer" ], "references": [ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/" ], "public": 1, "adversary": "", "targeted_countries": [ "Afghanistan", "Korea, Republic of", "United States of America", "Turkey", "Egypt", "France", "Germany", "Italy", "Russian Federation", "India", "Brazil" ], "malware_families": [ { "id": "Stonefly", "display_name": "Stonefly", "target": null }, { "id": "Maui", "display_name": "Maui", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "LegionLoader", "display_name": "LegionLoader", "target": null }, { "id": "LgoogLoader", "display_name": "LgoogLoader", "target": null }, { "id": "Satacom", "display_name": "Satacom", "target": null }, { "id": "SgnitLoader", "display_name": "SgnitLoader", "target": null }, { "id": "ClipBanker", "display_name": "ClipBanker", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Disbuk", "display_name": "Disbuk", "target": null }, { "id": "Fabookie", "display_name": "Fabookie", "target": null }, { "id": "Glupteba", "display_name": "Glupteba", "target": null }, { "id": "NullMixer", "display_name": "NullMixer", "target": null }, { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "ShortLoader", "display_name": "ShortLoader", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "FormatLoader", "display_name": "FormatLoader", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Ics", "Military", "Government", "Industrial" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "VertekLabs", "id": "168455", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 65, "hostname": 10, "FileHash-MD5": 40, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "domain": 47 }, "indicator_count": 192, "is_author": false, "is_subscribing": null, "subscriber_count": 561, "modified_text": "1270 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63325d70ea86d858e416e91b", "name": "NullMixer drops Redline Stealer, SmokeLoader and other malware | Securelist", "description": "NullMixer is a malware dropper that drops malware files from websites that appear to be related to crack, keygen and activators, but which can be found only if the user clicks on them.", "modified": "2022-10-27T02:04:22.239000", "created": "2022-09-27T02:18:24.059000", "tags": [ "vidar", "smokeloader", "formatloader", "redline", "shortloader", "exodus", "nullmixer", "glupteba", "fabookie", "disbuk", "danabot", "clipbanker", "sgnitloader", "satacom", "lgoogloader", "legionloader", "azorult", "maui", "stonefly", "malware", "malware descriptions", "malware technologies", "trojan", "trojan-dropper", "trojan-stealer", "urls", "ip address", "redline stealer", "gcleaner", "coldstealer", "execution", "nsis", "june", "service", "socelar", "nirsoft", "trojanbanker", "delphi", "raccoonstealer", "bitcoin", "obsidium", "logger", "installer", "download", "antivm", "racealer" ], "references": [ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/" ], "public": 1, "adversary": "", "targeted_countries": [ "Afghanistan", "Korea, Republic of", "United States of America", "Turkey", "Egypt", "France", "Germany", "Italy", "Russian Federation", "India", "Brazil" ], "malware_families": [ { "id": "Stonefly", "display_name": "Stonefly", "target": null }, { "id": "Maui", "display_name": "Maui", "target": null }, { "id": "Azorult", "display_name": "Azorult", "target": null }, { "id": "LegionLoader", "display_name": "LegionLoader", "target": null }, { "id": "LgoogLoader", "display_name": "LgoogLoader", "target": null }, { "id": "Satacom", "display_name": "Satacom", "target": null }, { "id": "SgnitLoader", "display_name": "SgnitLoader", "target": null }, { "id": "ClipBanker", "display_name": "ClipBanker", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Disbuk", "display_name": "Disbuk", "target": null }, { "id": "Fabookie", "display_name": "Fabookie", "target": null }, { "id": "Glupteba", "display_name": "Glupteba", "target": null }, { "id": "NullMixer", "display_name": "NullMixer", "target": null }, { "id": "Exodus", "display_name": "Exodus", "target": null }, { "id": "ShortLoader", "display_name": "ShortLoader", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "FormatLoader", "display_name": "FormatLoader", "target": null }, { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Ics", "Military", "Government", "Industrial" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 60, "hostname": 10, "FileHash-MD5": 40, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "domain": 47 }, "indicator_count": 187, "is_author": false, "is_subscribing": null, "subscriber_count": 354, "modified_text": "1270 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62cbdddd1fc2e2956bfacda5", "name": "vvvvv", "description": "The internet is full of people, but not everyone wants to see it, so here's a look at some of the more eye-catching snippets from the past few days:..com.", "modified": "2022-08-10T00:00:07.214000", "created": "2022-07-11T08:22:53.511000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "leiwen15", "id": "157128", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3662, "URL": 250, "domain": 1592, "FileHash-MD5": 4, "email": 2 }, "indicator_count": 5510, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "1349 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "patchlinks.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "patchlinks.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776649910.1068292 }