{ "type": "Domain", "indicator": "prosoftitservices.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/prosoftitservices.com", "alexa": "http://www.alexa.com/siteinfo/prosoftitservices.com", "indicator": "prosoftitservices.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3678802052, "indicator": "prosoftitservices.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "6580d422fb57aab8e21c1f39", "name": "Witchetty Cyber Espionage| BlueShell | Capture Wi-Fi password", "description": "Deeply hidden inRallypoint.com. \nWitchetty cyber espionage: Witchetty's activity was characterized by the use of two pieces of malware, a first-stage backdoor known as X4 and a second-stage payload.\n\nBlueShell is a backdoor malware developed in Go language, published on Github, and it supports Windows, Linux, and \nDalbit APT Group targets vulnerable servers to breach information including internal data from companies or encrypts files may demand money.", "modified": "2024-01-17T23:03:40.729000", "created": "2023-12-18T23:22:10.482000", "tags": [ "contacted", "ssl certificate", "group", "toolset", "attacks", "governments", "middle east", "dalbit", "march", "witchetty", "blueshell", "execution", "lockbit", "malware", "backdoor", "tsara brashears", "octoseek", "steganographic technique", "proxylogon", "lookback", "lookingfrog", "anonfiles", "publishing", "music", "torrent", "critical", "hallrender", "ttp", "uae", "protection", "macmalware", "linux malware", "apple", "proxyshell", "x4", "zero trust", "youtube", "safebae", "rallypoint", "poemhunter", "eazy client", "africa", "united states", "ta410", "second stage", "Capture Wi-Fi password", "password stealer", "whois whois", "agent tesla", "love", "mirai", "satacom", "miner", "dtrack", "nebula", "cobalt strike", "nanocore", "core", "hacktool" ], "references": [ "EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint", "https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell", "discord.com", "api.anonfiles.com", "checkip.dyndns.org", "checkip.dyndns.com", "DNS Query for Anonfiles.com Domain", "INDICATOR SUSPICIOUS_EXE_WirelessNetReccon", "INDICATOR SUSPICIOUS_EXE_CC_Regex", "DNS Query for Anonfiles.com Domain", "Traffic 13.107.4.52:80 (TCP)", "MALWARE_Win_StormKitty", "qbittorrent.exe", "EaZy Client.exe", "https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community" ], "public": 1, "adversary": "Witchetty APT Group", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Witchetty", "display_name": "Witchetty", "target": null }, { "id": "BlueShell", "display_name": "BlueShell", "target": null }, { "id": "Lokbit", "display_name": "Lokbit", "target": null }, { "id": "Mac.Malware", "display_name": "Mac.Malware", "target": null }, { "id": "trojan.msil/stealer", "display_name": "trojan.msil/stealer", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1541, "URL": 3782, "domain": 1067, "hostname": 1297, "FileHash-MD5": 110, "FileHash-SHA1": 110, "CVE": 3 }, "indicator_count": 7910, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "865 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6581d83bfd115be1f92d75a9", "name": "Witchetty Cyber Espionage| BlueShell | Capture Wi-Fi password [Octoseek]", "description": "", "modified": "2024-01-17T23:03:40.729000", "created": "2023-12-19T17:51:55.338000", "tags": [ "contacted", "ssl certificate", "group", "toolset", "attacks", "governments", "middle east", "dalbit", "march", "witchetty", "blueshell", "execution", "lockbit", "malware", "backdoor", "tsara brashears", "octoseek", "steganographic technique", "proxylogon", "lookback", "lookingfrog", "anonfiles", "publishing", "music", "torrent", "critical", "hallrender", "ttp", "uae", "protection", "macmalware", "linux malware", "apple", "proxyshell", "x4", "zero trust", "youtube", "safebae", "rallypoint", "poemhunter", "eazy client", "africa", "united states", "ta410", "second stage", "Capture Wi-Fi password", "password stealer", "whois whois", "agent tesla", "love", "mirai", "satacom", "miner", "dtrack", "nebula", "cobalt strike", "nanocore", "core", "hacktool" ], "references": [ "EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint", "https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell", "discord.com", "api.anonfiles.com", "checkip.dyndns.org", "checkip.dyndns.com", "DNS Query for Anonfiles.com Domain", "INDICATOR SUSPICIOUS_EXE_WirelessNetReccon", "INDICATOR SUSPICIOUS_EXE_CC_Regex", "DNS Query for Anonfiles.com Domain", "Traffic 13.107.4.52:80 (TCP)", "MALWARE_Win_StormKitty", "qbittorrent.exe", "EaZy Client.exe", "https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community" ], "public": 1, "adversary": "Witchetty APT Group", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Witchetty", "display_name": "Witchetty", "target": null }, { "id": "BlueShell", "display_name": "BlueShell", "target": null }, { "id": "Lokbit", "display_name": "Lokbit", "target": null }, { "id": "Mac.Malware", "display_name": "Mac.Malware", "target": null }, { "id": "trojan.msil/stealer", "display_name": "trojan.msil/stealer", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": "6580d422fb57aab8e21c1f39", "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1541, "URL": 3782, "domain": 1067, "hostname": 1297, "FileHash-MD5": 110, "FileHash-SHA1": 110, "CVE": 3 }, "indicator_count": 7910, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "865 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6581d83e20634ac0d58ceca9", "name": "Witchetty Cyber Espionage| BlueShell | Capture Wi-Fi password [Octoseek]", "description": "", "modified": "2024-01-17T23:03:40.729000", "created": "2023-12-19T17:51:58.995000", "tags": [ "contacted", "ssl certificate", "group", "toolset", "attacks", "governments", "middle east", "dalbit", "march", "witchetty", "blueshell", "execution", "lockbit", "malware", "backdoor", "tsara brashears", "octoseek", "steganographic technique", "proxylogon", "lookback", "lookingfrog", "anonfiles", "publishing", "music", "torrent", "critical", "hallrender", "ttp", "uae", "protection", "macmalware", "linux malware", "apple", "proxyshell", "x4", "zero trust", "youtube", "safebae", "rallypoint", "poemhunter", "eazy client", "africa", "united states", "ta410", "second stage", "Capture Wi-Fi password", "password stealer", "whois whois", "agent tesla", "love", "mirai", "satacom", "miner", "dtrack", "nebula", "cobalt strike", "nanocore", "core", "hacktool" ], "references": [ "EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint", "https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell", "discord.com", "api.anonfiles.com", "checkip.dyndns.org", "checkip.dyndns.com", "DNS Query for Anonfiles.com Domain", "INDICATOR SUSPICIOUS_EXE_WirelessNetReccon", "INDICATOR SUSPICIOUS_EXE_CC_Regex", "DNS Query for Anonfiles.com Domain", "Traffic 13.107.4.52:80 (TCP)", "MALWARE_Win_StormKitty", "qbittorrent.exe", "EaZy Client.exe", "https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community" ], "public": 1, "adversary": "Witchetty APT Group", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Witchetty", "display_name": "Witchetty", "target": null }, { "id": "BlueShell", "display_name": "BlueShell", "target": null }, { "id": "Lokbit", "display_name": "Lokbit", "target": null }, { "id": "Mac.Malware", "display_name": "Mac.Malware", "target": null }, { "id": "trojan.msil/stealer", "display_name": "trojan.msil/stealer", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": "6580d422fb57aab8e21c1f39", "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1541, "URL": 3782, "domain": 1067, "hostname": 1297, "FileHash-MD5": 110, "FileHash-SHA1": 110, "CVE": 3 }, "indicator_count": 7910, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "865 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "647a7abaa58ae84330f2cbdf", "name": "URLHaus data - 02-06-2023", "description": "", "modified": "2023-07-02T23:03:26.565000", "created": "2023-06-02T23:26:50.082000", "tags": [ "32-bit", "elf", "mips", "Mozi", "hajime", "mirai", "ArkeiStealer", "dropped-by-amadey", "RedLineStealer", "arm", "x86-32", "ddos-bot", "BB30", "geofenced", "js", "Qakbot", "TR", "USA", "zip", "dll", "64", "exe", "zgRAT", "RemcosRAT", "Loki", "opendir", "doc", "pw-1515", "rar", "pw-2023", "pw-2022", "pw-333", "Obama266", "VoidRAT", "Quakbot", "qbot", "AgentTesla", "RTF", "encrypted", "GuLoader", "rat", "Stealc", "2022", "Password-protected", "1234", "7z", "njRAT", "shellscript", "32", "bashlite", "gafgyt", "renesas", "intel", "Rhadamanthys", "payloads", "viaSmokeLoader", "Smoke Loader", "dropped-by-PrivateLoader", "RedLine", "dcrat", "additionalpayloads", "raccoonv2", "RecordBreaker", "xworm", "Formbook" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 999, "domain": 228, "hostname": 3 }, "indicator_count": 1230, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1064 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "646562323df8ec74e628e6a0", "name": "URLHaus data - 17-05-2023", "description": "", "modified": "2023-06-23T22:19:18.469000", "created": "2023-05-17T23:24:34.238000", "tags": [ "32-bit", "elf", "mips", "Mozi", "zip", "arm", "mirai", "shellscript", "1234", "7z", "Password-protected", "ascii", "NetSupport", "powershell", "ps", "rat", "dropped-by-PrivateLoader", "encrypted", "exe", "Formbook", "PowerShellDiscordKeyLogger", "BB28", "geofenced", "js", "Qakbot", "Quakbot", "USA", "qbot", "dropped-by-SmokeLoader", "Loki", "opendir", "RedLine", "RemcosRAT", "Arechclient2", "AgentTesla", "doc", "RedLineStealer", "LummaStealer", "ArkeiStealer", "dll", "Stealc", "dropped-by-amadey", "hajime", "ua-ps", "32", "gafgyt", "Lumma", "Amadey", "AsyncRAT", "lnk", "Vidar", "quasar", "64-bit", "x86-64" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 880, "hostname": 8, "domain": 355 }, "indicator_count": 1243, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1073 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6466b35675126d41269a7e39", "name": "URLHaus data - 18-05-2023", "description": "", "modified": "2023-06-23T22:14:17.716000", "created": "2023-05-18T23:23:02.123000", "tags": [ "32-bit", "elf", "mips", "Mozi", "arm", "mirai", "x86-32", "32", "exe", "RedLineStealer", "64-bit", "x86-64", "hajime", "ddos-bot", "BB28", "geofenced", "js", "Qakbot", "USA", "njRAT", "ua-ps", "1234", "7z", "Password-protected", "dropped-by-SmokeLoader", "dropped-by-PrivateLoader", "encrypted", "RedLine", "Amadey", "RTF" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 611, "domain": 221 }, "indicator_count": 832, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1073 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "645c261ad41f7c286ea912d8", "name": "URLHaus data - 10-05-2023", "description": "", "modified": "2023-05-10T23:17:46.346000", "created": "2023-05-10T23:17:46.346000", "tags": [ "32", "exe", "32-bit", "elf", "mips", "Mozi", "arm", "hajime", "mirai", "SocGholish", "BB27", "geofenced", "js", "Qakbot", "qbot", "Quakbot", "TR", "USA", "obama262", "wsf", "zip", "obama262", "dll", "sparc", "bashlite", "gafgyt", "PowerPC", "njRAT", "intel", "64", "renesas", "motorola", "kinsing", "script", "NanoCore", "1212", "Password-protected", "rar", "1515" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "IPv4": 157, "domain": 593, "hostname": 22 }, "indicator_count": 1772, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1117 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell", "Traffic 13.107.4.52:80 (TCP)", "https://urlhaus.abuse.ch/browse/", "api.anonfiles.com", "checkip.dyndns.org", "qbittorrent.exe", "INDICATOR SUSPICIOUS_EXE_CC_Regex", "discord.com", "MALWARE_Win_StormKitty", "https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community", "checkip.dyndns.com", "INDICATOR SUSPICIOUS_EXE_WirelessNetReccon", "DNS Query for Anonfiles.com Domain", "EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint", "EaZy Client.exe" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Witchetty APT Group" ], "malware_families": [ "Witchetty", "Blueshell", "Mac.malware", "Lokbit", "Trojan.msil/stealer" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "6580d422fb57aab8e21c1f39", "name": "Witchetty Cyber Espionage| BlueShell | Capture Wi-Fi password", "description": "Deeply hidden inRallypoint.com. \nWitchetty cyber espionage: Witchetty's activity was characterized by the use of two pieces of malware, a first-stage backdoor known as X4 and a second-stage payload.\n\nBlueShell is a backdoor malware developed in Go language, published on Github, and it supports Windows, Linux, and \nDalbit APT Group targets vulnerable servers to breach information including internal data from companies or encrypts files may demand money.", "modified": "2024-01-17T23:03:40.729000", "created": "2023-12-18T23:22:10.482000", "tags": [ "contacted", "ssl certificate", "group", "toolset", "attacks", "governments", "middle east", "dalbit", "march", "witchetty", "blueshell", "execution", "lockbit", "malware", "backdoor", "tsara brashears", "octoseek", "steganographic technique", "proxylogon", "lookback", "lookingfrog", "anonfiles", "publishing", "music", "torrent", "critical", "hallrender", "ttp", "uae", "protection", "macmalware", "linux malware", "apple", "proxyshell", "x4", "zero trust", "youtube", "safebae", "rallypoint", "poemhunter", "eazy client", "africa", "united states", "ta410", "second stage", "Capture Wi-Fi password", "password stealer", "whois whois", "agent tesla", "love", "mirai", "satacom", "miner", "dtrack", "nebula", "cobalt strike", "nanocore", "core", "hacktool" ], "references": [ "EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint", "https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell", "discord.com", "api.anonfiles.com", "checkip.dyndns.org", "checkip.dyndns.com", "DNS Query for Anonfiles.com Domain", "INDICATOR SUSPICIOUS_EXE_WirelessNetReccon", "INDICATOR SUSPICIOUS_EXE_CC_Regex", "DNS Query for Anonfiles.com Domain", "Traffic 13.107.4.52:80 (TCP)", "MALWARE_Win_StormKitty", "qbittorrent.exe", "EaZy Client.exe", "https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community" ], "public": 1, "adversary": "Witchetty APT Group", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Witchetty", "display_name": "Witchetty", "target": null }, { "id": "BlueShell", "display_name": "BlueShell", "target": null }, { "id": "Lokbit", "display_name": "Lokbit", "target": null }, { "id": "Mac.Malware", "display_name": "Mac.Malware", "target": null }, { "id": "trojan.msil/stealer", "display_name": "trojan.msil/stealer", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1541, "URL": 3782, "domain": 1067, "hostname": 1297, "FileHash-MD5": 110, "FileHash-SHA1": 110, "CVE": 3 }, "indicator_count": 7910, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "865 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6581d83bfd115be1f92d75a9", "name": "Witchetty Cyber Espionage| BlueShell | Capture Wi-Fi password [Octoseek]", "description": "", "modified": "2024-01-17T23:03:40.729000", "created": "2023-12-19T17:51:55.338000", "tags": [ "contacted", "ssl certificate", "group", "toolset", "attacks", "governments", "middle east", "dalbit", "march", "witchetty", "blueshell", "execution", "lockbit", "malware", "backdoor", "tsara brashears", "octoseek", "steganographic technique", "proxylogon", "lookback", "lookingfrog", "anonfiles", "publishing", "music", "torrent", "critical", "hallrender", "ttp", "uae", "protection", "macmalware", "linux malware", "apple", "proxyshell", "x4", "zero trust", "youtube", "safebae", "rallypoint", "poemhunter", "eazy client", "africa", "united states", "ta410", "second stage", "Capture Wi-Fi password", "password stealer", "whois whois", "agent tesla", "love", "mirai", "satacom", "miner", "dtrack", "nebula", "cobalt strike", "nanocore", "core", "hacktool" ], "references": [ "EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint", "https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell", "discord.com", "api.anonfiles.com", "checkip.dyndns.org", "checkip.dyndns.com", "DNS Query for Anonfiles.com Domain", "INDICATOR SUSPICIOUS_EXE_WirelessNetReccon", "INDICATOR SUSPICIOUS_EXE_CC_Regex", "DNS Query for Anonfiles.com Domain", "Traffic 13.107.4.52:80 (TCP)", "MALWARE_Win_StormKitty", "qbittorrent.exe", "EaZy Client.exe", "https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community" ], "public": 1, "adversary": "Witchetty APT Group", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Witchetty", "display_name": "Witchetty", "target": null }, { "id": "BlueShell", "display_name": "BlueShell", "target": null }, { "id": "Lokbit", "display_name": "Lokbit", "target": null }, { "id": "Mac.Malware", "display_name": "Mac.Malware", "target": null }, { "id": "trojan.msil/stealer", "display_name": "trojan.msil/stealer", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": "6580d422fb57aab8e21c1f39", "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1541, "URL": 3782, "domain": 1067, "hostname": 1297, "FileHash-MD5": 110, "FileHash-SHA1": 110, "CVE": 3 }, "indicator_count": 7910, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "865 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6581d83e20634ac0d58ceca9", "name": "Witchetty Cyber Espionage| BlueShell | Capture Wi-Fi password [Octoseek]", "description": "", "modified": "2024-01-17T23:03:40.729000", "created": "2023-12-19T17:51:58.995000", "tags": [ "contacted", "ssl certificate", "group", "toolset", "attacks", "governments", "middle east", "dalbit", "march", "witchetty", "blueshell", "execution", "lockbit", "malware", "backdoor", "tsara brashears", "octoseek", "steganographic technique", "proxylogon", "lookback", "lookingfrog", "anonfiles", "publishing", "music", "torrent", "critical", "hallrender", "ttp", "uae", "protection", "macmalware", "linux malware", "apple", "proxyshell", "x4", "zero trust", "youtube", "safebae", "rallypoint", "poemhunter", "eazy client", "africa", "united states", "ta410", "second stage", "Capture Wi-Fi password", "password stealer", "whois whois", "agent tesla", "love", "mirai", "satacom", "miner", "dtrack", "nebula", "cobalt strike", "nanocore", "core", "hacktool" ], "references": [ "EaZy Client.exe via qbittorrent.exe via AnonFiles origin RallyPoint", "https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell", "discord.com", "api.anonfiles.com", "checkip.dyndns.org", "checkip.dyndns.com", "DNS Query for Anonfiles.com Domain", "INDICATOR SUSPICIOUS_EXE_WirelessNetReccon", "INDICATOR SUSPICIOUS_EXE_CC_Regex", "DNS Query for Anonfiles.com Domain", "Traffic 13.107.4.52:80 (TCP)", "MALWARE_Win_StormKitty", "qbittorrent.exe", "EaZy Client.exe", "https://www.virustotal.com/gui/file/00047e1c8b4f336c86ed4ef148741c0d7658a0fd1107597acd4f22e5851e24ef/community" ], "public": 1, "adversary": "Witchetty APT Group", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Witchetty", "display_name": "Witchetty", "target": null }, { "id": "BlueShell", "display_name": "BlueShell", "target": null }, { "id": "Lokbit", "display_name": "Lokbit", "target": null }, { "id": "Mac.Malware", "display_name": "Mac.Malware", "target": null }, { "id": "trojan.msil/stealer", "display_name": "trojan.msil/stealer", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": "6580d422fb57aab8e21c1f39", "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1541, "URL": 3782, "domain": 1067, "hostname": 1297, "FileHash-MD5": 110, "FileHash-SHA1": 110, "CVE": 3 }, "indicator_count": 7910, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "865 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "647a7abaa58ae84330f2cbdf", "name": "URLHaus data - 02-06-2023", "description": "", "modified": "2023-07-02T23:03:26.565000", "created": "2023-06-02T23:26:50.082000", "tags": [ "32-bit", "elf", "mips", "Mozi", "hajime", "mirai", "ArkeiStealer", "dropped-by-amadey", "RedLineStealer", "arm", "x86-32", "ddos-bot", "BB30", "geofenced", "js", "Qakbot", "TR", "USA", "zip", "dll", "64", "exe", "zgRAT", "RemcosRAT", "Loki", "opendir", "doc", "pw-1515", "rar", "pw-2023", "pw-2022", "pw-333", "Obama266", "VoidRAT", "Quakbot", "qbot", "AgentTesla", "RTF", "encrypted", "GuLoader", "rat", "Stealc", "2022", "Password-protected", "1234", "7z", "njRAT", "shellscript", "32", "bashlite", "gafgyt", "renesas", "intel", "Rhadamanthys", "payloads", "viaSmokeLoader", "Smoke Loader", "dropped-by-PrivateLoader", "RedLine", "dcrat", "additionalpayloads", "raccoonv2", "RecordBreaker", "xworm", "Formbook" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 999, "domain": 228, "hostname": 3 }, "indicator_count": 1230, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1064 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "646562323df8ec74e628e6a0", "name": "URLHaus data - 17-05-2023", "description": "", "modified": "2023-06-23T22:19:18.469000", "created": "2023-05-17T23:24:34.238000", "tags": [ "32-bit", "elf", "mips", "Mozi", "zip", "arm", "mirai", "shellscript", "1234", "7z", "Password-protected", "ascii", "NetSupport", "powershell", "ps", "rat", "dropped-by-PrivateLoader", "encrypted", "exe", "Formbook", "PowerShellDiscordKeyLogger", "BB28", "geofenced", "js", "Qakbot", "Quakbot", "USA", "qbot", "dropped-by-SmokeLoader", "Loki", "opendir", "RedLine", "RemcosRAT", "Arechclient2", "AgentTesla", "doc", "RedLineStealer", "LummaStealer", "ArkeiStealer", "dll", "Stealc", "dropped-by-amadey", "hajime", "ua-ps", "32", "gafgyt", "Lumma", "Amadey", "AsyncRAT", "lnk", "Vidar", "quasar", "64-bit", "x86-64" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 880, "hostname": 8, "domain": 355 }, "indicator_count": 1243, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1073 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6466b35675126d41269a7e39", "name": "URLHaus data - 18-05-2023", "description": "", "modified": "2023-06-23T22:14:17.716000", "created": "2023-05-18T23:23:02.123000", "tags": [ "32-bit", "elf", "mips", "Mozi", "arm", "mirai", "x86-32", "32", "exe", "RedLineStealer", "64-bit", "x86-64", "hajime", "ddos-bot", "BB28", "geofenced", "js", "Qakbot", "USA", "njRAT", "ua-ps", "1234", "7z", "Password-protected", "dropped-by-SmokeLoader", "dropped-by-PrivateLoader", "encrypted", "RedLine", "Amadey", "RTF" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 611, "domain": 221 }, "indicator_count": 832, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1073 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "645c261ad41f7c286ea912d8", "name": "URLHaus data - 10-05-2023", "description": "", "modified": "2023-05-10T23:17:46.346000", "created": "2023-05-10T23:17:46.346000", "tags": [ "32", "exe", "32-bit", "elf", "mips", "Mozi", "arm", "hajime", "mirai", "SocGholish", "BB27", "geofenced", "js", "Qakbot", "qbot", "Quakbot", "TR", "USA", "obama262", "wsf", "zip", "obama262", "dll", "sparc", "bashlite", "gafgyt", "PowerPC", "njRAT", "intel", "64", "renesas", "motorola", "kinsing", "script", "NanoCore", "1212", "Password-protected", "rar", "1515" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "IPv4": 157, "domain": 593, "hostname": 22 }, "indicator_count": 1772, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1117 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "prosoftitservices.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "prosoftitservices.com", "found": true, "verdict": "malicious", "url_count": 8, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "https://prosoftitservices.com/lnt/", "status": "offline", "threat": "malware_download", "date_added": "2023-06-02", "tags": [ "BB30", "geofenced", "js", "Qakbot", "TR", "USA", "zip" ] }, { "url": "https://prosoftitservices.com/ns/", "status": "offline", "threat": "malware_download", "date_added": "2023-06-02", "tags": [ "BB30", "geofenced", "js", "Qakbot", "Quakbot", "TR", "USA", "zip" ] }, { "url": "https://prosoftitservices.com/cqe/?1", "status": "offline", "threat": "malware_download", "date_added": "2023-05-30", "tags": [ "BB30", "geofenced", "js", "Qakbot", "Quakbot", "USA", "zip" ] }, { "url": "https://prosoftitservices.com/oodu/?1", "status": "offline", "threat": "malware_download", "date_added": "2023-05-23", "tags": [ "geofenced", "js", "Pikabot", "Qakbot", "USA" ] }, { "url": "https://prosoftitservices.com/siu/?1", "status": "offline", "threat": "malware_download", "date_added": "2023-05-18", "tags": [ "BB28", "geofenced", "js", "Qakbot", "USA" ] }, { "url": "https://prosoftitservices.com/enai/?1", "status": "offline", "threat": "malware_download", "date_added": "2023-05-17", "tags": [ "BB28", "geofenced", "js", "Qakbot", "Quakbot", "USA" ] }, { "url": "https://prosoftitservices.com/ir/", "status": "offline", "threat": "malware_download", "date_added": "2023-05-10", "tags": [ "BB27", "geofenced", "js", "Qakbot", "Quakbot", "USA" ] }, { "url": "https://prosoftitservices.com/ot/", "status": "offline", "threat": "malware_download", "date_added": "2023-05-10", "tags": [ "BB27", "geofenced", "js", "Qakbot", "Quakbot", "USA" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780279095.1082375 }