{ "type": "Domain", "indicator": "session.finance", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/session.finance", "alexa": "http://www.alexa.com/siteinfo/session.finance", "indicator": "session.finance", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3536933126, "indicator": "session.finance", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "63dbd4d4f37c42cdcf975283", "name": "Russian-Backed Gamaredon's Spyware Variants", "description": "\"UAC-0010 group's ongoing activity is characterized by a multi-step download approach and executing payloads of the spyware used to maintain control over infected hosts,\" the SCPC said. \"For now, the UAC-0010 group uses GammaLoad and GammaSteel spyware in their campaigns.\"\n\nGammaLoad is a VBScript dropper malware engineered to download next-stage VBScript from a remote server. GammaSteel is a PowerShell script that's capable of conducting reconnaissance and executing additional commands.\n\nThe goal of the attacks is geared more towards espionage and information theft rather than sabotage, the agency noted. The SCPC also emphasized the \"insistent\" evolution of the group's tactics by redeveloping its malware toolset to stay under the radar, calling Gamaredon a \"key cyber threat.\"", "modified": "2023-03-04T15:04:01.356000", "created": "2023-02-02T15:20:52.194000", "tags": [ "appdata", "public", "userprofile", "getrandom", "username", "outstring", "null", "nol nop", "xorbyte", "newobject", "tools", "msctfmonitor", "path", "powershell" ], "references": [ "https://cert.gov.ua/article/1229152", "https://cert.gov.ua/article/3761023" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BITSecurity", "id": "103352", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 45, "FileHash-SHA256": 45, "URL": 40, "domain": 37, "hostname": 3, "FileHash-SHA1": 3 }, "indicator_count": 173, "is_author": false, "is_subscribing": null, "subscriber_count": 242, "modified_text": "1184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62fe6279154248931870b146", "name": "Gamaredon IOCs", "description": "The full text of the Wikipedia search results will be published on Wednesday, 1 July, at 19:00 BST.. and will appear on the BBC News website, BBC Radio 5 live, and on iPlayer.", "modified": "2022-09-17T00:02:49.667000", "created": "2022-08-18T16:02:01.293000", "tags": [ "userprofile", "getrandom", "xorbyte", "newobject", "username", "vbscript", "runas32", "receivejob", "startsleep s", "agenda", "null", "august", "tools", "path", "powershell" ], "references": [ "https://cert.gov.ua/article/1229152" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "brazen.fox.thirteen", "id": "155136", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 36, "FileHash-SHA256": 36, "URL": 21, "domain": 33, "hostname": 3 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "1353 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://cert.gov.ua/article/3761023", "https://cert.gov.ua/article/1229152" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "63dbd4d4f37c42cdcf975283", "name": "Russian-Backed Gamaredon's Spyware Variants", "description": "\"UAC-0010 group's ongoing activity is characterized by a multi-step download approach and executing payloads of the spyware used to maintain control over infected hosts,\" the SCPC said. \"For now, the UAC-0010 group uses GammaLoad and GammaSteel spyware in their campaigns.\"\n\nGammaLoad is a VBScript dropper malware engineered to download next-stage VBScript from a remote server. GammaSteel is a PowerShell script that's capable of conducting reconnaissance and executing additional commands.\n\nThe goal of the attacks is geared more towards espionage and information theft rather than sabotage, the agency noted. The SCPC also emphasized the \"insistent\" evolution of the group's tactics by redeveloping its malware toolset to stay under the radar, calling Gamaredon a \"key cyber threat.\"", "modified": "2023-03-04T15:04:01.356000", "created": "2023-02-02T15:20:52.194000", "tags": [ "appdata", "public", "userprofile", "getrandom", "username", "outstring", "null", "nol nop", "xorbyte", "newobject", "tools", "msctfmonitor", "path", "powershell" ], "references": [ "https://cert.gov.ua/article/1229152", "https://cert.gov.ua/article/3761023" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BITSecurity", "id": "103352", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 45, "FileHash-SHA256": 45, "URL": 40, "domain": 37, "hostname": 3, "FileHash-SHA1": 3 }, "indicator_count": 173, "is_author": false, "is_subscribing": null, "subscriber_count": 242, "modified_text": "1184 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62fe6279154248931870b146", "name": "Gamaredon IOCs", "description": "The full text of the Wikipedia search results will be published on Wednesday, 1 July, at 19:00 BST.. and will appear on the BBC News website, BBC Radio 5 live, and on iPlayer.", "modified": "2022-09-17T00:02:49.667000", "created": "2022-08-18T16:02:01.293000", "tags": [ "userprofile", "getrandom", "xorbyte", "newobject", "username", "vbscript", "runas32", "receivejob", "startsleep s", "agenda", "null", "august", "tools", "path", "powershell" ], "references": [ "https://cert.gov.ua/article/1229152" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "brazen.fox.thirteen", "id": "155136", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 36, "FileHash-SHA256": 36, "URL": 21, "domain": 33, "hostname": 3 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "1353 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "session.finance", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "session.finance", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780276958.166035 }