{
  "type": "Domain",
  "indicator": "robertmchilespe.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/robertmchilespe.com",
    "alexa": "http://www.alexa.com/siteinfo/robertmchilespe.com",
    "indicator": "robertmchilespe.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3372949744,
      "indicator": "robertmchilespe.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 13,
      "pulses": [
        {
          "id": "6227531703661292c2cb5673",
          "name": "MS Office Files Involved Again in Recent Emotet Trojan Campaign",
          "description": "Recently, Fortinet\u2019s FortiGuard Labs captured more than 500 Microsoft Excel files that were involved in a campaign to deliver a fresh Emotet Trojan onto the victim\u2019s device.\nEmotet, known as a modular Trojan, was first discovered in the middle of 2014. Since then, it has become very active, continually updating itself. It has also been highlighted in cybersecurity news from time to time. Emotet uses social engineering, like email, to lure recipients into opening attached document files (including Word, Excel, PDF, etc.) or clicking links within the content of the email that download Emotet\u2019s latest variant onto the victim\u2019s device and then execute it.",
          "modified": "2022-04-07T00:04:02.553000",
          "created": "2022-03-08T12:59:02.707000",
          "tags": [
            "Emotet",
            "Trojan",
            "MS Office",
            "Malicious document",
            "VBS",
            "PowerShell"
          ],
          "references": [
            "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1137",
              "name": "Office Application Startup",
              "display_name": "T1137 - Office Application Startup"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 425,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 14,
            "URL": 56,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 6
          },
          "indicator_count": 84,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386544,
          "modified_text": "1515 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "60c3e4bddafe62faca46c121",
          "name": "Valyria - Malware Domain Feed V2",
          "description": "Command and Control domains for Valyria. These domains are extracted from a number of sources, and are suspicious.",
          "modified": "2025-09-03T14:31:59.149000",
          "created": "2021-06-11T22:33:33.629000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "otxrobottwo",
            "id": "78495",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 10,
            "hostname": 1
          },
          "indicator_count": 11,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1082,
          "modified_text": "270 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66dafec6fc6cae465ed44fdf",
          "name": "URLhaus Country Feed (Canada) enriched",
          "description": "",
          "modified": "2025-06-18T23:40:53.759000",
          "created": "2024-09-06T13:08:22.353000",
          "tags": [],
          "references": [
            "https://urlhaus.abuse.ch/feeds/country/CA/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 3,
            "URL": 83203,
            "domain": 26579,
            "email": 1,
            "hostname": 40137,
            "FileHash-SHA256": 5936,
            "CVE": 6
          },
          "indicator_count": 155869,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 197,
          "modified_text": "346 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "60c410a14d01ea2e08355efc",
          "name": "Valyria - Malware Domain Feed V2",
          "description": "Command and Control domains for Valyria. These domains are extracted from a number of sources, and are suspicious.",
          "modified": "2025-01-05T05:30:20.052000",
          "created": "2021-06-12T01:40:49.936000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 138,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "otxrobottwo_testing",
            "id": "83138",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 10
          },
          "indicator_count": 10,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 572,
          "modified_text": "511 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6570811a101af38d2fb539fb",
          "name": "Conti Ransomware - updated IOCs March 2022",
          "description": "",
          "modified": "2023-12-06T14:11:37.055000",
          "created": "2023-12-06T14:11:37.055000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 92,
            "FileHash-SHA1": 92,
            "FileHash-SHA256": 104,
            "URL": 67,
            "domain": 123,
            "hostname": 2
          },
          "indicator_count": 480,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65707ee38c2c82ccca038ab3",
          "name": "C2 Servers & Virus Providers & Malware Hashes",
          "description": "",
          "modified": "2023-12-06T14:02:11.248000",
          "created": "2023-12-06T14:02:11.248000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3678,
            "FileHash-SHA256": 4085,
            "FileHash-SHA1": 745,
            "FileHash-MD5": 789,
            "domain": 400,
            "hostname": 181
          },
          "indicator_count": 9878,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 112,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "622884497146fe3218ce8aab",
          "name": "Excel Files Involved in a Campaign to Deliver a Fresh Emotet Trojan onto the Victim\u2019s Device via Emails",
          "description": "Researchers captured over 500 MS Excel files that were involved in a campaign to deliver a fresh Emotet Trojan onto the victim\u2019s device. Emotet, a modular Trojan, was first discovered in the middle of 2014. Since then, it has been continually updated. \n\nEmotet uses social engineering\nEmotet uses social engineering techniques to lure recipients into opening attached document files like Word, Excel, PDF, etc. Or it could be clicking links within the content of the email that download Emotet\u2019s latest variant onto the victim\u2019s device and then execute it.",
          "modified": "2022-04-08T00:05:40.239000",
          "created": "2022-03-09T10:41:13.547000",
          "tags": [
            "iocs urls",
            "sample sha256",
            "Emotet Trojan"
          ],
          "references": [
            "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one"
          ],
          "public": 1,
          "adversary": "Malware Advisory",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "SVThreatIntel",
            "id": "148120",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 14,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 8
          },
          "indicator_count": 36,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 193,
          "modified_text": "1514 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6228c39bc815bf09334a6b40",
          "name": "CERT-UA",
          "description": "The Emotet Trojan, a malware that infects victims' devices and collects sensitive information, has been targeted again in a series of attacks, including one involving Microsoft Office files.",
          "modified": "2022-04-08T00:05:40.239000",
          "created": "2022-03-09T15:11:23.500000",
          "tags": [
            "emotet",
            "emotet dll",
            "cybersecurity architect",
            "threat research",
            "c2 server",
            "macro",
            "excel file",
            "fortinet",
            "fortiedr",
            "excel sample",
            "emotet core",
            "resource"
          ],
          "references": [
            "https://cert.gov.ua/article/37626",
            "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Emotet Dll",
              "display_name": "Emotet Dll",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1137",
              "name": "Office Application Startup",
              "display_name": "T1137 - Office Application Startup"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "procircularinc",
            "id": "70475",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_70475/resized/80/avatar_cea1db224b.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 14,
            "URL": 56,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 6,
            "CVE": 1
          },
          "indicator_count": 85,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 102,
          "modified_text": "1514 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62293b9a646dbc541ea04ba4",
          "name": "Conti Ransomware - updated IOCs March 2022",
          "description": "Here are the latest IOCs released from CISA, Fortinet, and some other security reports.  Included are hashes for Trickbot, Emotet, and Bazzarloader.",
          "modified": "2022-04-08T00:05:40.239000",
          "created": "2022-03-09T23:43:22.541000",
          "tags": [
            "Ransomware"
          ],
          "references": [
            "https://www.cisa.gov/uscert/ncas/alerts/aa21-265a",
            "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one"
          ],
          "public": 1,
          "adversary": "Conti Group",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Emotet",
              "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Emotet",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:Trojan:Win32/Emotet",
              "display_name": "ALF:HeraklezEval:Trojan:Win32/Emotet",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "TrickBot",
              "display_name": "TrickBot",
              "target": null
            },
            {
              "id": "Trojan:Win32/Bazzarldr",
              "display_name": "Trojan:Win32/Bazzarldr",
              "target": "/malware/Trojan:Win32/Bazzarldr"
            },
            {
              "id": "Trojan:Win64/Bazzarldr",
              "display_name": "Trojan:Win64/Bazzarldr",
              "target": "/malware/Trojan:Win64/Bazzarldr"
            },
            {
              "id": "ALF:Backdoor:Win64/Bazarldr",
              "display_name": "ALF:Backdoor:Win64/Bazarldr",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Mitchell.Darnell",
            "id": "165445",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 67,
            "hostname": 2,
            "FileHash-MD5": 92,
            "FileHash-SHA1": 92,
            "FileHash-SHA256": 104,
            "domain": 123
          },
          "indicator_count": 480,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 62,
          "modified_text": "1514 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "622742d4408c31c131a033e5",
          "name": "MS Office Files Involved Again in Recent Emotet Trojan Campaign",
          "description": "",
          "modified": "2022-04-07T00:04:02.553000",
          "created": "2022-03-08T11:49:40.532000",
          "tags": [
            "emotet",
            "emotet dll",
            "cybersecurity architect",
            "threat research",
            "c2 server",
            "macro",
            "excel file",
            "fortinet",
            "fortiedr",
            "excel sample",
            "emotet core",
            "resource"
          ],
          "references": [
            "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Emotet Dll",
              "display_name": "Emotet Dll",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1137",
              "name": "Office Application Startup",
              "display_name": "T1137 - Office Application Startup"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "demoextraa",
            "id": "176114",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 14,
            "URL": 56,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 6,
            "CVE": 1
          },
          "indicator_count": 85,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 60,
          "modified_text": "1515 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "621687826def744b4ae65050",
          "name": "Emotet Thread Hijacking attacks part II - February 2022",
          "description": "",
          "modified": "2022-03-25T00:03:52.440000",
          "created": "2022-02-23T19:14:10.713000",
          "tags": [
            "emotet",
            "excel",
            "xl4 macro",
            "active malware",
            "campaign",
            "zip attachments",
            "february",
            "family malware",
            "data"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 236,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "343GuiltySpark",
            "id": "91492",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_91492/resized/80/avatar_b7653559df.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 5,
            "domain": 24,
            "URL": 115,
            "hostname": 7
          },
          "indicator_count": 151,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 553,
          "modified_text": "1528 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6216889b94671c887169f589",
          "name": "Emotet Thread Hijacking attacks part III - February 2022",
          "description": "",
          "modified": "2022-03-25T00:03:52.440000",
          "created": "2022-02-23T19:18:51.028000",
          "tags": [
            "html",
            "powershell",
            "emotet"
          ],
          "references": [],
          "public": 1,
          "adversary": "TA542",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 235,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "343GuiltySpark",
            "id": "91492",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_91492/resized/80/avatar_b7653559df.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 34,
            "URL": 122,
            "hostname": 2,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 5
          },
          "indicator_count": 165,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 554,
          "modified_text": "1528 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6214c4c07ad648745afd57ba",
          "name": "C2 Servers & Virus Providers & Malware Hashes",
          "description": "Cobalt Strike, njRAT, Wjw0rm, Loki, AsyncRAT, Vidar, Mirai, Emotet",
          "modified": "2022-03-24T00:00:00.271000",
          "created": "2022-02-22T11:10:56.319000",
          "tags": [
            "valhalla",
            "kill4rnix",
            "rspich",
            "lilocc",
            "mniami",
            "kirpich",
            "qmashton",
            "k1llerni2x",
            "anapa",
            "prophef6"
          ],
          "references": [
            "https://bazaar.abuse.ch/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "bluewatcher",
            "id": "174522",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 789,
            "FileHash-SHA1": 745,
            "FileHash-SHA256": 4085,
            "URL": 3678,
            "domain": 400,
            "hostname": 181
          },
          "indicator_count": 9878,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 119,
          "modified_text": "1529 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one",
        "https://bazaar.abuse.ch/",
        "https://urlhaus.abuse.ch/feeds/country/CA/",
        "https://cert.gov.ua/article/37626",
        "https://www.cisa.gov/uscert/ncas/alerts/aa21-265a"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Emotet"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "Conti Group",
            "Malware Advisory",
            "TA542"
          ],
          "malware_families": [
            "Trojan:win32/bazzarldr",
            "Alf:backdoor:win64/bazarldr",
            "Trickbot",
            "Alf:heraklezeval:trojan:win32/emotet",
            "Emotet dll",
            "Trojan:win64/bazzarldr",
            "Alf:heraklezeval:trojandownloader:win32/emotet",
            "Emotet"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 13,
  "pulses": [
    {
      "id": "6227531703661292c2cb5673",
      "name": "MS Office Files Involved Again in Recent Emotet Trojan Campaign",
      "description": "Recently, Fortinet\u2019s FortiGuard Labs captured more than 500 Microsoft Excel files that were involved in a campaign to deliver a fresh Emotet Trojan onto the victim\u2019s device.\nEmotet, known as a modular Trojan, was first discovered in the middle of 2014. Since then, it has become very active, continually updating itself. It has also been highlighted in cybersecurity news from time to time. Emotet uses social engineering, like email, to lure recipients into opening attached document files (including Word, Excel, PDF, etc.) or clicking links within the content of the email that download Emotet\u2019s latest variant onto the victim\u2019s device and then execute it.",
      "modified": "2022-04-07T00:04:02.553000",
      "created": "2022-03-08T12:59:02.707000",
      "tags": [
        "Emotet",
        "Trojan",
        "MS Office",
        "Malicious document",
        "VBS",
        "PowerShell"
      ],
      "references": [
        "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1137",
          "name": "Office Application Startup",
          "display_name": "T1137 - Office Application Startup"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 425,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 14,
        "URL": 56,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 6
      },
      "indicator_count": 84,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386544,
      "modified_text": "1515 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "60c3e4bddafe62faca46c121",
      "name": "Valyria - Malware Domain Feed V2",
      "description": "Command and Control domains for Valyria. These domains are extracted from a number of sources, and are suspicious.",
      "modified": "2025-09-03T14:31:59.149000",
      "created": "2021-06-11T22:33:33.629000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "otxrobottwo",
        "id": "78495",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 10,
        "hostname": 1
      },
      "indicator_count": 11,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1082,
      "modified_text": "270 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66dafec6fc6cae465ed44fdf",
      "name": "URLhaus Country Feed (Canada) enriched",
      "description": "",
      "modified": "2025-06-18T23:40:53.759000",
      "created": "2024-09-06T13:08:22.353000",
      "tags": [],
      "references": [
        "https://urlhaus.abuse.ch/feeds/country/CA/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 3,
        "URL": 83203,
        "domain": 26579,
        "email": 1,
        "hostname": 40137,
        "FileHash-SHA256": 5936,
        "CVE": 6
      },
      "indicator_count": 155869,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 197,
      "modified_text": "346 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "60c410a14d01ea2e08355efc",
      "name": "Valyria - Malware Domain Feed V2",
      "description": "Command and Control domains for Valyria. These domains are extracted from a number of sources, and are suspicious.",
      "modified": "2025-01-05T05:30:20.052000",
      "created": "2021-06-12T01:40:49.936000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 138,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "otxrobottwo_testing",
        "id": "83138",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 10
      },
      "indicator_count": 10,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 572,
      "modified_text": "511 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6570811a101af38d2fb539fb",
      "name": "Conti Ransomware - updated IOCs March 2022",
      "description": "",
      "modified": "2023-12-06T14:11:37.055000",
      "created": "2023-12-06T14:11:37.055000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 92,
        "FileHash-SHA1": 92,
        "FileHash-SHA256": 104,
        "URL": 67,
        "domain": 123,
        "hostname": 2
      },
      "indicator_count": 480,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "907 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65707ee38c2c82ccca038ab3",
      "name": "C2 Servers & Virus Providers & Malware Hashes",
      "description": "",
      "modified": "2023-12-06T14:02:11.248000",
      "created": "2023-12-06T14:02:11.248000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3678,
        "FileHash-SHA256": 4085,
        "FileHash-SHA1": 745,
        "FileHash-MD5": 789,
        "domain": 400,
        "hostname": 181
      },
      "indicator_count": 9878,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 112,
      "modified_text": "907 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "622884497146fe3218ce8aab",
      "name": "Excel Files Involved in a Campaign to Deliver a Fresh Emotet Trojan onto the Victim\u2019s Device via Emails",
      "description": "Researchers captured over 500 MS Excel files that were involved in a campaign to deliver a fresh Emotet Trojan onto the victim\u2019s device. Emotet, a modular Trojan, was first discovered in the middle of 2014. Since then, it has been continually updated. \n\nEmotet uses social engineering\nEmotet uses social engineering techniques to lure recipients into opening attached document files like Word, Excel, PDF, etc., or into clicking links within the content of the email that download Emotet\u2019s latest variant onto the victim\u2019s device and then execute it.",
      "modified": "2022-04-08T00:05:40.239000",
      "created": "2022-03-09T10:41:13.547000",
      "tags": [
        "iocs urls",
        "sample sha256",
        "Emotet Trojan"
      ],
      "references": [
        "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one"
      ],
      "public": 1,
      "adversary": "Malware Advisory",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "SVThreatIntel",
        "id": "148120",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 14,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 8
      },
      "indicator_count": 36,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 193,
      "modified_text": "1514 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6228c39bc815bf09334a6b40",
      "name": "CERT-UA",
      "description": "The Emotet Trojan, a malware that infects victims' devices and collects sensitive information, has been targeted again in a series of attacks, including one involving Microsoft Office files.",
      "modified": "2022-04-08T00:05:40.239000",
      "created": "2022-03-09T15:11:23.500000",
      "tags": [
        "emotet",
        "emotet dll",
        "cybersecurity architect",
        "threat research",
        "c2 server",
        "macro",
        "excel file",
        "fortinet",
        "fortiedr",
        "excel sample",
        "emotet core",
        "resource"
      ],
      "references": [
        "https://cert.gov.ua/article/37626",
        "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "Emotet Dll",
          "display_name": "Emotet Dll",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1137",
          "name": "Office Application Startup",
          "display_name": "T1137 - Office Application Startup"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "procircularinc",
        "id": "70475",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_70475/resized/80/avatar_cea1db224b.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 14,
        "URL": 56,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 6,
        "CVE": 1
      },
      "indicator_count": 85,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 102,
      "modified_text": "1514 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62293b9a646dbc541ea04ba4",
      "name": "Conti Ransomware - updated IOCs March 2022",
      "description": "Here are the latest IOCs released from CISA, Fortinet, and some other security reports.  Included are hashes for Trickbot, Emotet, and Bazzarloader.",
      "modified": "2022-04-08T00:05:40.239000",
      "created": "2022-03-09T23:43:22.541000",
      "tags": [
        "Ransomware"
      ],
      "references": [
        "https://www.cisa.gov/uscert/ncas/alerts/aa21-265a",
        "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one"
      ],
      "public": 1,
      "adversary": "Conti Group",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Emotet",
          "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Emotet",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:Trojan:Win32/Emotet",
          "display_name": "ALF:HeraklezEval:Trojan:Win32/Emotet",
          "target": null
        },
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "TrickBot",
          "display_name": "TrickBot",
          "target": null
        },
        {
          "id": "Trojan:Win32/Bazzarldr",
          "display_name": "Trojan:Win32/Bazzarldr",
          "target": "/malware/Trojan:Win32/Bazzarldr"
        },
        {
          "id": "Trojan:Win64/Bazzarldr",
          "display_name": "Trojan:Win64/Bazzarldr",
          "target": "/malware/Trojan:Win64/Bazzarldr"
        },
        {
          "id": "ALF:Backdoor:Win64/Bazarldr",
          "display_name": "ALF:Backdoor:Win64/Bazarldr",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Mitchell.Darnell",
        "id": "165445",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 67,
        "hostname": 2,
        "FileHash-MD5": 92,
        "FileHash-SHA1": 92,
        "FileHash-SHA256": 104,
        "domain": 123
      },
      "indicator_count": 480,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 62,
      "modified_text": "1514 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "622742d4408c31c131a033e5",
      "name": "MS Office Files Involved Again in Recent Emotet Trojan Campaign",
      "description": "",
      "modified": "2022-04-07T00:04:02.553000",
      "created": "2022-03-08T11:49:40.532000",
      "tags": [
        "emotet",
        "emotet dll",
        "cybersecurity architect",
        "threat research",
        "c2 server",
        "macro",
        "excel file",
        "fortinet",
        "fortiedr",
        "excel sample",
        "emotet core",
        "resource"
      ],
      "references": [
        "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "Emotet Dll",
          "display_name": "Emotet Dll",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1137",
          "name": "Office Application Startup",
          "display_name": "T1137 - Office Application Startup"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "demoextraa",
        "id": "176114",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 14,
        "URL": 56,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 6,
        "CVE": 1
      },
      "indicator_count": 85,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 60,
      "modified_text": "1515 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "robertmchilespe.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "robertmchilespe.com",
    "found": true,
    "verdict": "malicious",
    "url_count": 1,
    "online_count": 0,
    "blacklists": {
      "spamhaus_dbl": "not listed",
      "surbl": "not listed"
    },
    "urls": [
      {
        "url": "http://robertmchilespe.com/cgi/3f/",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2022-02-08",
        "tags": [
          "dll",
          "emotet",
          "epoch4",
          "heodo"
        ]
      }
    ],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780237953.4847424
}