{
  "type": "Domain",
  "indicator": "proexbit.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/proexbit.com",
    "alexa": "http://www.alexa.com/siteinfo/proexbit.com",
    "indicator": "proexbit.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3861171984,
      "indicator": "proexbit.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 4,
      "pulses": [
        {
          "id": "67a4decf0ac6d6ed27d27b0d",
          "name": "Leveraging NetSupport RAT",
          "description": "NetSupport RAT is frequently exploited by threat actors for various malicious purposes. One common use is data exfiltration, where the RAT is used to locate and extract sensitive information, such as credentials, financial data, and critical documents. It also enables credential harvesting through keylogging or theft of browser-stored data, which can provide attackers with access to additional systems or accounts. Once inside a network, attackers leverage the RAT\u2019s capabilities to facilitate lateral movement, compromising additional systems and expanding their control. Furthermore, NetSupport RAT often serves as a dropper, deploying other malware such as ransomware or secondary backdoors to escalate the attack\u2019s impact.",
          "modified": "2025-03-08T16:01:15.391000",
          "created": "2025-02-06T16:09:51.352000",
          "tags": [
            "path",
            "span",
            "button",
            "link",
            "script",
            "template",
            "github",
            "form",
            "footer",
            "meta",
            "code",
            "reload",
            "find",
            "close",
            "download",
            "body",
            "write",
            "small",
            "enterprise",
            "star",
            "courier",
            "copy",
            "open",
            "main",
            "contact",
            "malware",
            "RAT"
          ],
          "references": [
            "https://security.microsoft.com/threatanalytics3/03b28902-53fb-4091-8840-01477263cc44/analystreport",
            "https://github.com/Cisco-Talos/IOCs/blob/main/2024/08/detecting-evolving-threats-netsupport-rat.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Israel"
          ],
          "malware_families": [
            {
              "id": "NetSupportManager RAT",
              "display_name": "NetSupportManager RAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1573.002",
              "name": "Asymmetric Cryptography",
              "display_name": "T1573.002 - Asymmetric Cryptography"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1555.003",
              "name": "Credentials from Web Browsers",
              "display_name": "T1555.003 - Credentials from Web Browsers"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Jnorton16",
            "id": "281242",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 67,
            "domain": 10
          },
          "indicator_count": 86,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 28,
          "modified_text": "448 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "670d150169ad6ecc7b41b241",
          "name": "The Everyman Threat Feed",
          "description": "",
          "modified": "2024-11-22T17:02:43.253000",
          "created": "2024-10-14T12:56:33.350000",
          "tags": [
            "Malware",
            "Phishing",
            "Threat Feed",
            "IOCs"
          ],
          "references": [
            "https://github.com/df4u1t/The-Everyman-Threat-Feed/raw/refs/heads/main/domain-threats.txt",
            "https://github.com/df4u1t/The-Everyman-Threat-Feed/raw/refs/heads/main/ipv4-threats.txt",
            "https://github.com/df4u1t/The-Everyman-Threat-Feed/raw/refs/heads/main/url-threats.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 26,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "jrussell183",
            "id": "134208",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 72,
            "hostname": 54,
            "URL": 88,
            "FileHash-MD5": 1
          },
          "indicator_count": 215,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 3,
          "modified_text": "554 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66b204d8a99c1d2c6cc242e7",
          "name": "NetSupport RAT campaign",
          "description": "NetSupport RAT campaign",
          "modified": "2024-08-06T11:11:24.591000",
          "created": "2024-08-06T11:11:20.513000",
          "tags": [
            "dns domain",
            "hash256",
            "ip jsc",
            "selectel",
            "ip llc",
            "smart ape",
            "ip timeweb",
            "ip aeza"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": true,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IndoOpenThreatXchange",
            "id": "286483",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_286483/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 5,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 55,
            "domain": 10
          },
          "indicator_count": 74,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 89,
          "modified_text": "663 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65fe20d1635c58fd2be328bc",
          "name": "FAKEUPDATES by ThreatFox",
          "description": "",
          "modified": "2024-05-12T20:27:02.873000",
          "created": "2024-03-23T00:22:41.667000",
          "tags": [
            "virustotal"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/threatfox_js_fakeupdates",
            "https://twitter.com/500mk500/status/1771235578274607201"
          ],
          "public": 1,
          "adversary": "TA569",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1001,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 5,
            "domain": 426,
            "hostname": 272
          },
          "indicator_count": 1708,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 184,
          "modified_text": "748 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://github.com/df4u1t/The-Everyman-Threat-Feed/raw/refs/heads/main/domain-threats.txt",
        "https://github.com/df4u1t/The-Everyman-Threat-Feed/raw/refs/heads/main/ipv4-threats.txt",
        "https://security.microsoft.com/threatanalytics3/03b28902-53fb-4091-8840-01477263cc44/analystreport",
        "https://www.virustotal.com/gui/collection/threatfox_js_fakeupdates",
        "https://twitter.com/500mk500/status/1771235578274607201",
        "https://github.com/Cisco-Talos/IOCs/blob/main/2024/08/detecting-evolving-threats-netsupport-rat.txt",
        "https://github.com/df4u1t/The-Everyman-Threat-Feed/raw/refs/heads/main/url-threats.txt"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "TA569"
          ],
          "malware_families": [
            "Netsupportmanager rat"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 4,
  "pulses": [
    {
      "id": "67a4decf0ac6d6ed27d27b0d",
      "name": "Leveraging NetSupport RAT",
      "description": "NetSupport RAT is frequently exploited by threat actors for various malicious purposes. One common use is data exfiltration, where the RAT is used to locate and extract sensitive information, such as credentials, financial data, and critical documents. It also enables credential harvesting through keylogging or theft of browser-stored data, which can provide attackers with access to additional systems or accounts. Once inside a network, attackers leverage the RAT\u2019s capabilities to facilitate lateral movement, compromising additional systems and expanding their control. Furthermore, NetSupport RAT often serves as a dropper, deploying other malware such as ransomware or secondary backdoors to escalate the attack\u2019s impact.",
      "modified": "2025-03-08T16:01:15.391000",
      "created": "2025-02-06T16:09:51.352000",
      "tags": [
        "path",
        "span",
        "button",
        "link",
        "script",
        "template",
        "github",
        "form",
        "footer",
        "meta",
        "code",
        "reload",
        "find",
        "close",
        "download",
        "body",
        "write",
        "small",
        "enterprise",
        "star",
        "courier",
        "copy",
        "open",
        "main",
        "contact",
        "malware",
        "RAT"
      ],
      "references": [
        "https://security.microsoft.com/threatanalytics3/03b28902-53fb-4091-8840-01477263cc44/analystreport",
        "https://github.com/Cisco-Talos/IOCs/blob/main/2024/08/detecting-evolving-threats-netsupport-rat.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Israel"
      ],
      "malware_families": [
        {
          "id": "NetSupportManager RAT",
          "display_name": "NetSupportManager RAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1573.002",
          "name": "Asymmetric Cryptography",
          "display_name": "T1573.002 - Asymmetric Cryptography"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1555.003",
          "name": "Credentials from Web Browsers",
          "display_name": "T1555.003 - Credentials from Web Browsers"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Jnorton16",
        "id": "281242",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 67,
        "domain": 10
      },
      "indicator_count": 86,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 28,
      "modified_text": "448 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "670d150169ad6ecc7b41b241",
      "name": "The Everyman Threat Feed",
      "description": "",
      "modified": "2024-11-22T17:02:43.253000",
      "created": "2024-10-14T12:56:33.350000",
      "tags": [
        "Malware",
        "Phishing",
        "Threat Feed",
        "IOCs"
      ],
      "references": [
        "https://github.com/df4u1t/The-Everyman-Threat-Feed/raw/refs/heads/main/domain-threats.txt",
        "https://github.com/df4u1t/The-Everyman-Threat-Feed/raw/refs/heads/main/ipv4-threats.txt",
        "https://github.com/df4u1t/The-Everyman-Threat-Feed/raw/refs/heads/main/url-threats.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 26,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "jrussell183",
        "id": "134208",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 72,
        "hostname": 54,
        "URL": 88,
        "FileHash-MD5": 1
      },
      "indicator_count": 215,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 3,
      "modified_text": "554 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66b204d8a99c1d2c6cc242e7",
      "name": "NetSupport RAT campaign",
      "description": "NetSupport RAT campaign",
      "modified": "2024-08-06T11:11:24.591000",
      "created": "2024-08-06T11:11:20.513000",
      "tags": [
        "dns domain",
        "hash256",
        "ip jsc",
        "selectel",
        "ip llc",
        "smart ape",
        "ip timeweb",
        "ip aeza"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": true,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IndoOpenThreatXchange",
        "id": "286483",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_286483/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 5,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 55,
        "domain": 10
      },
      "indicator_count": 74,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 89,
      "modified_text": "663 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65fe20d1635c58fd2be328bc",
      "name": "FAKEUPDATES by ThreatFox",
      "description": "",
      "modified": "2024-05-12T20:27:02.873000",
      "created": "2024-03-23T00:22:41.667000",
      "tags": [
        "virustotal"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/threatfox_js_fakeupdates",
        "https://twitter.com/500mk500/status/1771235578274607201"
      ],
      "public": 1,
      "adversary": "TA569",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1001,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 5,
        "domain": 426,
        "hostname": 272
      },
      "indicator_count": 1708,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 184,
      "modified_text": "748 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "proexbit.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "proexbit.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780235326.327868
}