{
  "type": "Domain",
  "indicator": "rarefood.fun",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/rarefood.fun",
    "alexa": "http://www.alexa.com/siteinfo/rarefood.fun",
    "indicator": "rarefood.fun",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3761282532,
      "indicator": "rarefood.fun",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "651ae4a4171e2bdcd776a3df",
          "name": "Silent Push maps over 150 new Lumma C2 infostealer IOCs",
          "description": "Silent Push published a new blog regarding Lumma stealer. Lumma (also known as LummaC2) is an information stealer with strong links to Russian threat activity, that\u2019s been available on the dark web as a MaaS platform since 2022.",
          "modified": "2023-11-01T15:03:48.863000",
          "created": "2023-10-02T15:41:24.643000",
          "tags": [
            "infostealers",
            "lumma",
            "ecrime"
          ],
          "references": [
            "https://www.silentpush.com/blog/lummac2"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            },
            {
              "id": "lumma",
              "display_name": "lumma",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 397,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 59
          },
          "indicator_count": 59,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386539,
          "modified_text": "941 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "655648098a720d43eb5acf99",
          "name": "Silent Push maps over 150 new Lumma C2 infostealer IOCs",
          "description": "",
          "modified": "2023-11-16T16:49:13.103000",
          "created": "2023-11-16T16:49:13.103000",
          "tags": [
            "infostealers",
            "lumma",
            "ecrime"
          ],
          "references": [
            "https://www.silentpush.com/blog/lummac2"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            },
            {
              "id": "lumma",
              "display_name": "lumma",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "651ae4a4171e2bdcd776a3df",
          "export_count": 26,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "feisty-swim1410",
            "id": "217462",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 59
          },
          "indicator_count": 59,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "926 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65257e446d8d98dd89f31a97",
          "name": "Silent Push maps over 150 new Lumma C2 infostealer IOCs \u2014 Silent Push Threat Intelligence",
          "description": "As revealed by Silent Push's recent investigation, Lumma, an information stealer, has an extensive command and control infrastructure with over 150 previously unidentified servers. The research also unveiled an interesting, unique connection to the historical Russian poet Sergei Yesenin, which aided the identification of several servers. Threat actors typically deliver Lumma through spear-phishing and malvertisement campaigns. This report delves deep into Lumma's tactics and potential risks and offers actionable recommendations for organizations.",
          "modified": "2023-11-09T16:03:45.009000",
          "created": "2023-10-10T16:39:32.747000",
          "tags": [],
          "references": [
            "https://www.silentpush.com/blog/lummac2"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma",
              "display_name": "Lumma",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "99gmotor",
            "id": "234776",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1,
            "domain": 84,
            "hostname": 1
          },
          "indicator_count": 86,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 46,
          "modified_text": "933 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.silentpush.com/blog/lummac2"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Lumma stealer",
            "Lumma"
          ],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Lumma stealer",
            "Lumma"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "651ae4a4171e2bdcd776a3df",
      "name": "Silent Push maps over 150 new Lumma C2 infostealer IOCs",
      "description": "Silent Push published a new blog regarding Lumma stealer. Lumma (also known as LummaC2) is an information stealer with strong links to Russian threat activity, that\u2019s been available on the dark web as a MaaS platform since 2022.",
      "modified": "2023-11-01T15:03:48.863000",
      "created": "2023-10-02T15:41:24.643000",
      "tags": [
        "infostealers",
        "lumma",
        "ecrime"
      ],
      "references": [
        "https://www.silentpush.com/blog/lummac2"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma Stealer",
          "display_name": "Lumma Stealer",
          "target": null
        },
        {
          "id": "lumma",
          "display_name": "lumma",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 397,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 59
      },
      "indicator_count": 59,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386539,
      "modified_text": "941 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "655648098a720d43eb5acf99",
      "name": "Silent Push maps over 150 new Lumma C2 infostealer IOCs",
      "description": "",
      "modified": "2023-11-16T16:49:13.103000",
      "created": "2023-11-16T16:49:13.103000",
      "tags": [
        "infostealers",
        "lumma",
        "ecrime"
      ],
      "references": [
        "https://www.silentpush.com/blog/lummac2"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma Stealer",
          "display_name": "Lumma Stealer",
          "target": null
        },
        {
          "id": "lumma",
          "display_name": "lumma",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "651ae4a4171e2bdcd776a3df",
      "export_count": 26,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "feisty-swim1410",
        "id": "217462",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 59
      },
      "indicator_count": 59,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "926 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65257e446d8d98dd89f31a97",
      "name": "Silent Push maps over 150 new Lumma C2 infostealer IOCs \u2014 Silent Push Threat Intelligence",
      "description": "As revealed by Silent Push's recent investigation, Lumma, an information stealer, has an extensive command and control infrastructure with over 150 previously unidentified servers. The research also unveiled an interesting, unique connection to the historical Russian poet Sergei Yesenin, which aided the identification of several servers. Threat actors typically deliver Lumma through spear-phishing and malvertisement campaigns. This report delves deep into Lumma's tactics and potential risks and offers actionable recommendations for organizations.",
      "modified": "2023-11-09T16:03:45.009000",
      "created": "2023-10-10T16:39:32.747000",
      "tags": [],
      "references": [
        "https://www.silentpush.com/blog/lummac2"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma",
          "display_name": "Lumma",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "99gmotor",
        "id": "234776",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1,
        "domain": 84,
        "hostname": 1
      },
      "indicator_count": 86,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 46,
      "modified_text": "933 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "rarefood.fun",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "rarefood.fun",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780238081.8681982
}