{ "type": "Domain", "indicator": "plugin4free.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/plugin4free.com", "alexa": "http://www.alexa.com/siteinfo/plugin4free.com", "indicator": "plugin4free.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3715825205, "indicator": "plugin4free.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "6510a2dd9c7acab85a26f978", "name": "Phishing sites 2023-09-24", "description": "https://github.com/olbat/ut1-blacklists/blob/master/blacklists/phishing/domains", "modified": "2023-10-24T20:02:37.137000", "created": "2023-09-24T20:58:05.025000", "tags": [ "phishing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "France" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "URL": 5, "domain": 37579, "hostname": 3238 }, "indicator_count": 40832, "is_author": false, "is_subscribing": null, "subscriber_count": 190, "modified_text": "909 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64b786eeb6e2822347737a95", "name": "CustomerLoader: a new malware distributing a wide variety of payloads", "description": "CustomerLoader is a .Net-based loader that drops more than 40 different malware families. It appeared in June 2023 and is being distributed via phishing, YouTube videos and malicious websites.", "modified": "2023-08-18T06:02:19.784000", "created": "2023-07-19T06:47:10.445000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "vtomljanovic", "id": "78099", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 7, "URL": 2, "domain": 50 }, "indicator_count": 63, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "976 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64b5503cbe0392c3fb17f617", "name": "CustomerLoader: A Multifaceted Malware Unleashing Diverse Payloads", "description": "Sekoia identified an undocumented .NET loader, dubbed CustomerLoader, that can retrieve, decrypt, and execute subsequent payloads. Beginning in early June, numerous threat actors actively distributed this loader through deceptive phishing emails, YouTube videos, and web pages that mimicked genuine websites. \n\nThe name CustomerLoader was assigned to this malware due to its utilization of the term \"customer\" within its C2 communications and loading functionalities.", "modified": "2023-08-16T14:02:38.335000", "created": "2023-07-17T14:29:16.205000", "tags": [ "customerloader", "june", "c2 server", "july", "slack website", "iocs", "customer", "ck ttps", "youtube videos", "loader", "formbook", "vidar", "stealc", "quasar", "remcos", "code", "malware", "redline", "raccoon", "stormkitty", "agenttesla", "rats", "asyncrat", "xworm", "warzonerat", "bitrat", "nanocore", "sectoprat", "lgoogloader", "amadey", "wannacry", "powershell", "redline stealer", "encrypt", "contact", "trojans", "tzw" ], "references": [ "https://blog.sekoia.io/customerloader-a-new-malware-distributing-a-wide-variety-of-payloads/#h-c2-servers", "https://cyware.com/news/meet-customerloader-a-multifaceted-malware-unleashing-diverse-payloads-ab2b92b9" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojans", "display_name": "Trojans", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "TZW", "display_name": "TZW", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 310, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 7, "domain": 50 }, "indicator_count": 71, "is_author": false, "is_subscribing": null, "subscriber_count": 431, "modified_text": "978 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64b13de0fd84ff19fcef08f4", "name": "Insights on New .NET Loader Malware Dubbed \u201cCustomerLoader\u201d", "description": "The following is a full list of names, characters and links:-1.5-2.4.9.6.1, which were published on 5 June 2017, and which are subject to copyright.", "modified": "2023-08-13T12:04:01.959000", "created": "2023-07-14T12:21:52.839000", "tags": [ "c2customer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 7, "URL": 6, "domain": 50 }, "indicator_count": 65, "is_author": false, "is_subscribing": null, "subscriber_count": 487, "modified_text": "981 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://cyware.com/news/meet-customerloader-a-multifaceted-malware-unleashing-diverse-payloads-ab2b92b9", "https://blog.sekoia.io/customerloader-a-new-malware-distributing-a-wide-variety-of-payloads/#h-c2-servers" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Tzw", "Stealc", "Vidar", "Trojans" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "6510a2dd9c7acab85a26f978", "name": "Phishing sites 2023-09-24", "description": "https://github.com/olbat/ut1-blacklists/blob/master/blacklists/phishing/domains", "modified": "2023-10-24T20:02:37.137000", "created": "2023-09-24T20:58:05.025000", "tags": [ "phishing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "France" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "URL": 5, "domain": 37579, "hostname": 3238 }, "indicator_count": 40832, "is_author": false, "is_subscribing": null, "subscriber_count": 190, "modified_text": "909 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64b786eeb6e2822347737a95", "name": "CustomerLoader: a new malware distributing a wide variety of payloads", "description": "CustomerLoader is a .Net-based loader that drops more than 40 different malware families. It appeared in June 2023 and is being distributed via phishing, YouTube videos and malicious websites.", "modified": "2023-08-18T06:02:19.784000", "created": "2023-07-19T06:47:10.445000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "vtomljanovic", "id": "78099", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 7, "URL": 2, "domain": 50 }, "indicator_count": 63, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "976 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64b5503cbe0392c3fb17f617", "name": "CustomerLoader: A Multifaceted Malware Unleashing Diverse Payloads", "description": "Sekoia identified an undocumented .NET loader, dubbed CustomerLoader, that can retrieve, decrypt, and execute subsequent payloads. Beginning in early June, numerous threat actors actively distributed this loader through deceptive phishing emails, YouTube videos, and web pages that mimicked genuine websites. \n\nThe name CustomerLoader was assigned to this malware due to its utilization of the term \"customer\" within its C2 communications and loading functionalities.", "modified": "2023-08-16T14:02:38.335000", "created": "2023-07-17T14:29:16.205000", "tags": [ "customerloader", "june", "c2 server", "july", "slack website", "iocs", "customer", "ck ttps", "youtube videos", "loader", "formbook", "vidar", "stealc", "quasar", "remcos", "code", "malware", "redline", "raccoon", "stormkitty", "agenttesla", "rats", "asyncrat", "xworm", "warzonerat", "bitrat", "nanocore", "sectoprat", "lgoogloader", "amadey", "wannacry", "powershell", "redline stealer", "encrypt", "contact", "trojans", "tzw" ], "references": [ "https://blog.sekoia.io/customerloader-a-new-malware-distributing-a-wide-variety-of-payloads/#h-c2-servers", "https://cyware.com/news/meet-customerloader-a-multifaceted-malware-unleashing-diverse-payloads-ab2b92b9" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojans", "display_name": "Trojans", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "TZW", "display_name": "TZW", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 310, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 7, "domain": 50 }, "indicator_count": 71, "is_author": false, "is_subscribing": null, "subscriber_count": 431, "modified_text": "978 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64b13de0fd84ff19fcef08f4", "name": "Insights on New .NET Loader Malware Dubbed \u201cCustomerLoader\u201d", "description": "The following is a full list of names, characters and links:-1.5-2.4.9.6.1, which were published on 5 June 2017, and which are subject to copyright.", "modified": "2023-08-13T12:04:01.959000", "created": "2023-07-14T12:21:52.839000", "tags": [ "c2customer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 7, "URL": 6, "domain": 50 }, "indicator_count": 65, "is_author": false, "is_subscribing": null, "subscriber_count": 487, "modified_text": "981 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "plugin4free.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "plugin4free.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776716369.7069929 }