{ "type": "Domain", "indicator": "servicoasso.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/servicoasso.com", "alexa": "http://www.alexa.com/siteinfo/servicoasso.com", "indicator": "servicoasso.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3836822087, "indicator": "servicoasso.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 21, "pulses": [ { "id": "65c4e890b1dba3ff53e26380", "name": "A multi-stage banking Trojan abusing the Squirrel installer", "description": "A new banking Trojan called Coyote utilizes the Squirrel installer for distribution and leverages NodeJS and the Nim programming language as a loader to infect victims. It specifically targets users of over 60 banking institutions in Brazil. Coyote achieves persistence by abusing Windows logon scripts and monitors banking applications, sending info to C2 servers which respond with actions like keylogging and screenshots.", "modified": "2024-02-08T14:57:00.597000", "created": "2024-02-08T14:43:28.537000", "tags": [ "brazil", "nim", "coyote", "financial malware", "squirrel", "nodejs", "trojan" ], "references": [ "https://securelist.com/coyote-multi-stage-banking-trojan/111846/" ], "public": 1, "adversary": "", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "Coyote", "display_name": "Coyote", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 331, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 7 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 386932, "modified_text": "845 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67a394310fbfdf97b0ef0079", "name": "ACTIVIDAD MALICIOSA | Relacionada con troyano bancario \"Coyote\" 05-02-2024", "description": "Coyote es un troyano bancario dise\u00f1ado para robar informaci\u00f3n financiera, espec\u00edficamente de m\u00e1s de 60 bancos brasile\u00f1os. Su infecci\u00f3n comienza con la utilizaci\u00f3n de Squirrel, un instalador leg\u00edtimo, para ejecutar c\u00f3digo JavaScript ofuscado que permite la carga lateral de DLL maliciosas. Una vez en el sistema, el malware establece persistencia y se conecta a su servidor de C&C para monitorear aplicaciones financieras y extraer credenciales mediante t\u00e9cnicas como keylogging, superposiciones de phishing y manipulaci\u00f3n de ventanas.", "modified": "2025-02-05T16:39:13.023000", "created": "2025-02-05T16:39:13.023000", "tags": [ "access", "ta0001 initial", "ta0005 defense", "t1003 os", "t1005 data", "local system", "t1055 process", "injection", "t1056 input", "capture" ], "references": [ "https://darfe.es/ciberwiki/index.php?title=Coyote", "https://www.virustotal.com/graph/embed/ga2edcf8873ee488dabfad5df88b99251adcff929e62f465f9de37edcbdf7a923?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Coyote", "display_name": "Coyote", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "domain": 7 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "482 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6695abd8da05c504990e0255", "name": "Weekly OSINT Highlights, 15 July 2024", "description": "", "modified": "2024-08-14T23:00:18.722000", "created": "2024-07-15T23:08:08.904000", "tags": [ "OSINT" ], "references": [ "https://community.riskiq.com/article/fdcb22e4" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "FileHash-SHA256": 140, "FileHash-MD5": 10, "hostname": 3, "domain": 20 }, "indicator_count": 178, "is_author": false, "is_subscribing": null, "subscriber_count": 1625, "modified_text": "656 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "669 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "670 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "669e1b70fa179c0e4d264c9c", "name": "Coyote Banking Trojan targets Brazilian Financial Institutions", "description": "", "modified": "2024-07-22T08:42:24.935000", "created": "2024-07-22T08:42:24.935000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 39, "domain": 18 }, "indicator_count": 63, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "680 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "668d00d10c4dc6b2aadfaba3", "name": "Coyote Banking Trojan Targets LATAM with a Focus on Brazilian Financial Institutions", "description": "Researchers have identified the Coyote banking Trojan, which is targeting Brazilian financial institutions, and is believed to be targeting customers in Latin American (LATAM) and the European Union (ECU).", "modified": "2024-07-09T09:20:17.086000", "created": "2024-07-09T09:20:17.086000", "tags": [ "cybersecurity", "trojan", "coyote", "coyote banking", "squirrel", "latam", "sha256", "focus", "trojan targets", "blackberry blog", "research", "february", "python", "execution", "loader", "defense", "modula", "nim" ], "references": [ "https://blogs.blackberry.com/en/2024/07/coyote-banking-trojan-targets-latam-with-a-focus-on-brazilian-financial-institutions" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Modula", "display_name": "Modula", "target": null }, { "id": "Nim", "display_name": "Nim", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Financial", "Government", "Banking", "Banks", "Cryptocurrency" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "JordanPowell@123", "id": "246048", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 28, "YARA": 1, "domain": 50, "hostname": 14 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 46, "modified_text": "693 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "668d00cf66484bb952014261", "name": "Coyote Banking Trojan Targets LATAM with a Focus on Brazilian Financial Institutions", "description": "Researchers have identified the Coyote banking Trojan, which is targeting Brazilian financial institutions, and is believed to be targeting customers in Latin American (LATAM) and the European Union (ECU).", "modified": "2024-07-09T09:20:15.197000", "created": "2024-07-09T09:20:15.197000", "tags": [ "cybersecurity", "trojan", "coyote", "coyote banking", "squirrel", "latam", "sha256", "focus", "trojan targets", "blackberry blog", "research", "february", "python", "execution", "loader", "defense", "modula", "nim" ], "references": [ "https://blogs.blackberry.com/en/2024/07/coyote-banking-trojan-targets-latam-with-a-focus-on-brazilian-financial-institutions" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Modula", "display_name": "Modula", "target": null }, { "id": "Nim", "display_name": "Nim", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Financial", "Government", "Banking", "Banks", "Cryptocurrency" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "JordanPowell@123", "id": "246048", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 28, "YARA": 1, "domain": 50, "hostname": 14 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "693 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "668d00cca33031473fdcdc0e", "name": "Coyote Banking Trojan Targets LATAM with a Focus on Brazilian Financial Institutions", "description": "Researchers have identified the Coyote banking Trojan, which is targeting Brazilian financial institutions, and is believed to be targeting customers in Latin American (LATAM) and the European Union (ECU).", "modified": "2024-07-09T09:20:12.074000", "created": "2024-07-09T09:20:12.074000", "tags": [ "cybersecurity", "trojan", "coyote", "coyote banking", "squirrel", "latam", "sha256", "focus", "trojan targets", "blackberry blog", "research", "february", "python", "execution", "loader", "defense", "modula", "nim" ], "references": [ "https://blogs.blackberry.com/en/2024/07/coyote-banking-trojan-targets-latam-with-a-focus-on-brazilian-financial-institutions" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Modula", "display_name": "Modula", "target": null }, { "id": "Nim", "display_name": "Nim", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Financial", "Government", "Banking", "Banks", "Cryptocurrency" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "JordanPowell@123", "id": "246048", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 28, "YARA": 1, "domain": 50, "hostname": 14 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "693 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "668d00cd66484bb952014260", "name": "Coyote Banking Trojan Targets LATAM with a Focus on Brazilian Financial Institutions", "description": "Researchers have identified the Coyote banking Trojan, which is targeting Brazilian financial institutions, and is believed to be targeting customers in Latin American (LATAM) and the European Union (ECU).", "modified": "2024-07-09T09:20:11.132000", "created": "2024-07-09T09:20:11.132000", "tags": [ "cybersecurity", "trojan", "coyote", "coyote banking", "squirrel", "latam", "sha256", "focus", "trojan targets", "blackberry blog", "research", "february", "python", "execution", "loader", "defense", "modula", "nim" ], "references": [ "https://blogs.blackberry.com/en/2024/07/coyote-banking-trojan-targets-latam-with-a-focus-on-brazilian-financial-institutions" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Modula", "display_name": "Modula", "target": null }, { "id": "Nim", "display_name": "Nim", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Financial", "Government", "Banking", "Banks", "Cryptocurrency" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "JordanPowell@123", "id": "246048", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 28, "YARA": 1, "domain": 50, "hostname": 14 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "693 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65dc9f69e8421653f32f5037", "name": "Coyote: A multi-stage banking Trojan abusing the Squirrel installer", "description": "", "modified": "2024-02-26T14:25:45.750000", "created": "2024-02-26T14:25:45.750000", "tags": [ "brazil", "financial malware", "malware descriptions", "malware technologies", "trojan banker", "trojan", "coyote", "squirrel", "show", "delphi", "aes decryption", "trojan malware", "nodejs", "nim language", "python", "donut", "window", "kill", "shut", "nim" ], "references": [ "https://securelist.com/coyote-multi-stage-banking-trojan/111846/" ], "public": 1, "adversary": "", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "Nim", "display_name": "Nim", "target": null } ], "attack_ids": [ { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Banking" ], "TLP": "white", "cloned_from": "65c5f044a3743130d8071f7f", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "feisty-swim1410", "id": "217462", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "domain": 7 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "827 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d6f1d267282df0a2f634ba", "name": "Coyote: A multi-stage banking Trojan abusing the Squirrel installer", "description": "", "modified": "2024-02-22T07:03:46.398000", "created": "2024-02-22T07:03:46.398000", "tags": [ "brazil", "nim", "coyote", "financial malware", "squirrel", "nodejs", "trojan" ], "references": [ "https://securelist.com/coyote-multi-stage-banking-trojan/111846/" ], "public": 1, "adversary": "", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "Coyote", "display_name": "Coyote", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": "65c70165131c30ef7345f5c9", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 7 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "831 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d0a6e6cb897849cc4e9eb2", "name": "Coyote: A Multi-Stage Banking Trojan Abusing the Squirrel Installer", "description": "", "modified": "2024-02-17T12:30:30.995000", "created": "2024-02-17T12:30:30.995000", "tags": [ "OSINT", "Brazil", "Coyote", "T1072 - Software Deployment Tools", "T1574.002 - DLL Side-Loading", "T1566 - Phishing", "T1071 - Application Layer Protocol", "T1113 - Screen Capture", "T1078 - Valid Accounts" ], "references": [ "https://community.riskiq.com/article/4643beae" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65cffaf6caae82f6b8f17cf9", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "domain": 7 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "836 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65cffaf6caae82f6b8f17cf9", "name": "Coyote: A Multi-Stage Banking Trojan Abusing the Squirrel Installer", "description": "", "modified": "2024-02-17T00:16:54.315000", "created": "2024-02-17T00:16:54.315000", "tags": [ "OSINT", "Brazil", "Coyote", "T1072 - Software Deployment Tools", "T1574.002 - DLL Side-Loading", "T1566 - Phishing", "T1071 - Application Layer Protocol", "T1113 - Screen Capture", "T1078 - Valid Accounts" ], "references": [ "https://community.riskiq.com/article/4643beae" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "domain": 7 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "836 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65cee0aac64392f243a4130d", "name": "Squirrel Installer Abused By a Multi-Stage Banking Trojan", "description": "", "modified": "2024-02-16T04:12:25.416000", "created": "2024-02-16T04:12:25.416000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 5, "domain": 7 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "837 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65cb48e26eec040895229ad9", "name": "Coyote Malware Leverage NodeJS to Attack Users of 60+ Banks", "description": "The latest developments in Brazilian banking Trojans use the NodeJS programming language to steal login credentials and one-time passwords, according to Kaspersky Labs. \u00c2\u00a31.5m", "modified": "2024-02-13T10:48:02.465000", "created": "2024-02-13T10:48:02.465000", "tags": [ "coyote", "squirrel", "nodejs", "trojan", "delphi", "javascript web", "kaspersky labs", "coyote malware", "document live", "hackers bypass", "malware", "donut", "twitter" ], "references": [ "https://cybersecuritynews.com/coyote-malware-leverage-nodejs/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Banks" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "domain": 7 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "840 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c70165131c30ef7345f5c9", "name": "Coyote: A multi-stage banking Trojan abusing the Squirrel installer", "description": "A new banking Trojan called Coyote utilizes the Squirrel installer for distribution and leverages NodeJS and the Nim programming language as a loader to infect victims. It specifically targets users of over 60 banking institutions in Brazil. Coyote achieves persistence by abusing Windows logon scripts and monitors banking applications, sending info to C2 servers which respond with actions like keylogging and screenshots.", "modified": "2024-02-10T04:54:42.979000", "created": "2024-02-10T04:53:57.422000", "tags": [ "brazil", "nim", "coyote", "financial malware", "squirrel", "nodejs", "trojan" ], "references": [ "https://securelist.com/coyote-multi-stage-banking-trojan/111846/" ], "public": 1, "adversary": "", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "Coyote", "display_name": "Coyote", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": "65c4e890b1dba3ff53e26380", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 7 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "843 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c5f044a3743130d8071f7f", "name": "Coyote: A multi-stage banking Trojan abusing the Squirrel installer | Securelist", "description": "Security firm Kaspersky has uncovered a new banking Trojan that uses a variety of technologies, including the Delphi language, to distribute and update Windows desktop applications, and uses the Nim language to complete its infection.", "modified": "2024-02-09T09:28:36.056000", "created": "2024-02-09T09:28:36.056000", "tags": [ "brazil", "financial malware", "malware descriptions", "malware technologies", "trojan banker", "trojan", "coyote", "squirrel", "show", "delphi", "aes decryption", "trojan malware", "nodejs", "nim language", "python", "donut", "window", "kill", "shut", "nim" ], "references": [ "https://securelist.com/coyote-multi-stage-banking-trojan/111846/" ], "public": 1, "adversary": "", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "Nim", "display_name": "Nim", "target": null } ], "attack_ids": [ { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [ "Banking" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "domain": 7 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "844 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://community.riskiq.com/article/fdcb22e4", "https://cybersecuritynews.com/coyote-malware-leverage-nodejs/", "https://blogs.blackberry.com/en/2024/07/coyote-banking-trojan-targets-latam-with-a-focus-on-brazilian-financial-institutions", "https://darfe.es/ciberwiki/index.php?title=Coyote", "https://www.virustotal.com/graph/embed/ga2edcf8873ee488dabfad5df88b99251adcff929e62f465f9de37edcbdf7a923?theme=dark", "https://community.riskiq.com/article/4643beae", "https://securelist.com/coyote-multi-stage-banking-trojan/111846/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Coyote" ], "industries": [ "Finance" ] }, "other": { "adversary": [], "malware_families": [ "Modula", "Nim", "Coyote" ], "industries": [ "Financial", "Finance", "Cryptocurrency", "Banks", "Banking", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 21, "pulses": [ { "id": "65c4e890b1dba3ff53e26380", "name": "A multi-stage banking Trojan abusing the Squirrel installer", "description": "A new banking Trojan called Coyote utilizes the Squirrel installer for distribution and leverages NodeJS and the Nim programming language as a loader to infect victims. It specifically targets users of over 60 banking institutions in Brazil. Coyote achieves persistence by abusing Windows logon scripts and monitors banking applications, sending info to C2 servers which respond with actions like keylogging and screenshots.", "modified": "2024-02-08T14:57:00.597000", "created": "2024-02-08T14:43:28.537000", "tags": [ "brazil", "nim", "coyote", "financial malware", "squirrel", "nodejs", "trojan" ], "references": [ "https://securelist.com/coyote-multi-stage-banking-trojan/111846/" ], "public": 1, "adversary": "", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "Coyote", "display_name": "Coyote", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 331, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 7 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 386932, "modified_text": "845 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67a394310fbfdf97b0ef0079", "name": "ACTIVIDAD MALICIOSA | Relacionada con troyano bancario \"Coyote\" 05-02-2024", "description": "Coyote es un troyano bancario dise\u00f1ado para robar informaci\u00f3n financiera, espec\u00edficamente de m\u00e1s de 60 bancos brasile\u00f1os. Su infecci\u00f3n comienza con la utilizaci\u00f3n de Squirrel, un instalador leg\u00edtimo, para ejecutar c\u00f3digo JavaScript ofuscado que permite la carga lateral de DLL maliciosas. Una vez en el sistema, el malware establece persistencia y se conecta a su servidor de C&C para monitorear aplicaciones financieras y extraer credenciales mediante t\u00e9cnicas como keylogging, superposiciones de phishing y manipulaci\u00f3n de ventanas.", "modified": "2025-02-05T16:39:13.023000", "created": "2025-02-05T16:39:13.023000", "tags": [ "access", "ta0001 initial", "ta0005 defense", "t1003 os", "t1005 data", "local system", "t1055 process", "injection", "t1056 input", "capture" ], "references": [ "https://darfe.es/ciberwiki/index.php?title=Coyote", "https://www.virustotal.com/graph/embed/ga2edcf8873ee488dabfad5df88b99251adcff929e62f465f9de37edcbdf7a923?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Coyote", "display_name": "Coyote", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "domain": 7 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "482 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6695abd8da05c504990e0255", "name": "Weekly OSINT Highlights, 15 July 2024", "description": "", "modified": "2024-08-14T23:00:18.722000", "created": "2024-07-15T23:08:08.904000", "tags": [ "OSINT" ], "references": [ "https://community.riskiq.com/article/fdcb22e4" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "FileHash-SHA256": 140, "FileHash-MD5": 10, "hostname": 3, "domain": 20 }, "indicator_count": 178, "is_author": false, "is_subscribing": null, "subscriber_count": 1625, "modified_text": "656 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "669 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "670 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "669e1b70fa179c0e4d264c9c", "name": "Coyote Banking Trojan targets Brazilian Financial Institutions", "description": "", "modified": "2024-07-22T08:42:24.935000", "created": "2024-07-22T08:42:24.935000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 39, "domain": 18 }, "indicator_count": 63, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "680 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "668d00d10c4dc6b2aadfaba3", "name": "Coyote Banking Trojan Targets LATAM with a Focus on Brazilian Financial Institutions", "description": "Researchers have identified the Coyote banking Trojan, which is targeting Brazilian financial institutions, and is believed to be targeting customers in Latin American (LATAM) and the European Union (ECU).", "modified": "2024-07-09T09:20:17.086000", "created": "2024-07-09T09:20:17.086000", "tags": [ "cybersecurity", "trojan", "coyote", "coyote banking", "squirrel", "latam", "sha256", "focus", "trojan targets", "blackberry blog", "research", "february", "python", "execution", "loader", "defense", "modula", "nim" ], "references": [ "https://blogs.blackberry.com/en/2024/07/coyote-banking-trojan-targets-latam-with-a-focus-on-brazilian-financial-institutions" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Modula", "display_name": "Modula", "target": null }, { "id": "Nim", "display_name": "Nim", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Financial", "Government", "Banking", "Banks", "Cryptocurrency" ], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "JordanPowell@123", "id": "246048", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 28, "YARA": 1, "domain": 50, "hostname": 14 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 46, "modified_text": "693 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "servicoasso.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "servicoasso.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780421742.2818284 }