{ "type": "Domain", "indicator": "shemsut.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/shemsut.com", "alexa": "http://www.alexa.com/siteinfo/shemsut.com", "indicator": "shemsut.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3283629795, "indicator": "shemsut.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "6261890733726ec0b81f6e58", "name": "IoC Cobaltstrike", "description": "IoC Cobaltstrike related with security event that occurred in Costa Rica on April 20, 2022", "modified": "2022-05-21T00:03:44.725000", "created": "2022-04-21T16:40:39.973000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "soc_columbus", "id": "2084", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 10, "domain": 568, "hostname": 276 }, "indicator_count": 855, "is_author": false, "is_subscribing": null, "subscriber_count": 209, "modified_text": "1474 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6261890d9c48ff6dd7f6db15", "name": "IoC Cobaltstrike", "description": "IoC Cobaltstrike related with security event that occurred in Costa Rica on April 20, 2022", "modified": "2022-05-21T00:03:44.725000", "created": "2022-04-21T16:40:45.990000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "soc_columbus", "id": "2084", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 10, "domain": 568, "hostname": 276 }, "indicator_count": 855, "is_author": false, "is_subscribing": null, "subscriber_count": 210, "modified_text": "1474 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "61ddaf0cb0cf4a1c8b0234f0", "name": "threatfox", "description": "This is the full text of the report on the cyber-attack on Hario Menkel, which took place on 22 January 2016:. and here is a full summary of all the key points.", "modified": "2022-02-10T00:05:02.163000", "created": "2022-01-11T16:23:40.790000", "tags": [ "virusdeck", "raccoon", "mirai mirai", "lokibot", "loki password", "stealer", "bashlite gafgyt", "ave maria", "cobalt strike", "njrat", "loki", "formbook", "agent tesla", "cobaltstrike", "redline stealer", "redlinestealer", "nanocore rat", "date", "cryptolaemus1", "emotet", "emotet epoch4", "emotet doc", "asyncrat", "smokeloader", "hariomenkel", "ioc malware", "tags reporter" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ElastZris", "id": "176027", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 7, "FileHash-SHA256": 167, "URL": 115, "domain": 11, "hostname": 9 }, "indicator_count": 319, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "1574 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "61d466e9d72c77e8e0f008eb", "name": "Cobalt Strike Beacon profiles", "description": "Servers at all of these IP addresses provided a Cobalt Strike Beacon stager profile. Many of them used stolen or pirated copies of Cobalt Strike. That doesn't mean they are all threat actors, but it is worth investigating any communication with these IP addresses coming from your network.", "modified": "2022-02-03T00:04:00.660000", "created": "2022-01-04T15:25:29.922000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BinaryDefense", "id": "111374", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_111374/resized/80/avatar_ca13c2b840.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 25, "domain": 7, "URL": 1 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 271, "modified_text": "1581 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Cobalt strike" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "6261890733726ec0b81f6e58", "name": "IoC Cobaltstrike", "description": "IoC Cobaltstrike related with security event that occurred in Costa Rica on April 20, 2022", "modified": "2022-05-21T00:03:44.725000", "created": "2022-04-21T16:40:39.973000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "soc_columbus", "id": "2084", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 10, "domain": 568, "hostname": 276 }, "indicator_count": 855, "is_author": false, "is_subscribing": null, "subscriber_count": 209, "modified_text": "1474 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6261890d9c48ff6dd7f6db15", "name": "IoC Cobaltstrike", "description": "IoC Cobaltstrike related with security event that occurred in Costa Rica on April 20, 2022", "modified": "2022-05-21T00:03:44.725000", "created": "2022-04-21T16:40:45.990000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "soc_columbus", "id": "2084", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2084/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 10, "domain": 568, "hostname": 276 }, "indicator_count": 855, "is_author": false, "is_subscribing": null, "subscriber_count": 210, "modified_text": "1474 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "61ddaf0cb0cf4a1c8b0234f0", "name": "threatfox", "description": "This is the full text of the report on the cyber-attack on Hario Menkel, which took place on 22 January 2016:. and here is a full summary of all the key points.", "modified": "2022-02-10T00:05:02.163000", "created": "2022-01-11T16:23:40.790000", "tags": [ "virusdeck", "raccoon", "mirai mirai", "lokibot", "loki password", "stealer", "bashlite gafgyt", "ave maria", "cobalt strike", "njrat", "loki", "formbook", "agent tesla", "cobaltstrike", "redline stealer", "redlinestealer", "nanocore rat", "date", "cryptolaemus1", "emotet", "emotet epoch4", "emotet doc", "asyncrat", "smokeloader", "hariomenkel", "ioc malware", "tags reporter" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ElastZris", "id": "176027", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 7, "FileHash-SHA256": 167, "URL": 115, "domain": 11, "hostname": 9 }, "indicator_count": 319, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "1574 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "61d466e9d72c77e8e0f008eb", "name": "Cobalt Strike Beacon profiles", "description": "Servers at all of these IP addresses provided a Cobalt Strike Beacon stager profile. Many of them used stolen or pirated copies of Cobalt Strike. That doesn't mean they are all threat actors, but it is worth investigating any communication with these IP addresses coming from your network.", "modified": "2022-02-03T00:04:00.660000", "created": "2022-01-04T15:25:29.922000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BinaryDefense", "id": "111374", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_111374/resized/80/avatar_ca13c2b840.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 25, "domain": 7, "URL": 1 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 271, "modified_text": "1581 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "shemsut.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "shemsut.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780529832.198056 }