{
  "type": "Domain",
  "indicator": "sibmbpreinduction.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/sibmbpreinduction.com",
    "alexa": "http://www.alexa.com/siteinfo/sibmbpreinduction.com",
    "indicator": "sibmbpreinduction.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2907040257,
      "indicator": "sibmbpreinduction.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "65d23925f64351b49da548a8",
          "name": "Sality found in DGA unspecified phishing campaign.  Immigration",
          "description": "\u2022A domain generation algorithm (DGA) is a subroutine adversaries implement to dynamically identify a destination domain for CnC traffic, as opposed to using a list of static IP addresses or domains. It generates large numbers of new domain names. Cybercriminals and botnet operators use DGAs to evade detection, generating volumes of domains & IP addresses for malware CnC servers. \n\u2022Sality is an appending polymorphic file infector virus that uses an Entry Point Obscuring (EPO) technique. Unlike other file infectors that modify the entry point of the host file to point to the virus code, Sality [sentence truncated in the source].",
          "modified": "2024-03-19T16:02:09.246000",
          "created": "2024-02-18T17:06:45.853000",
          "tags": [
            "filehashmd5",
            "domain",
            "iocs",
            "all octoseek",
            "create new",
            "pdf report",
            "pcap",
            "ipv4",
            "domain xn",
            "alienvault",
            "open threat",
            "contact",
            "contacted",
            "phishing",
            "trojan",
            "sality",
            "worm",
            "dga",
            "malware",
            "regsetvalueexa",
            "read c",
            "entries",
            "search",
            "regdword",
            "medium",
            "show",
            "pe32",
            "intel",
            "ms windows",
            "copy",
            "write",
            "win32",
            "malware",
            "next",
            "unknown",
            "dead host",
            "malware infection",
            "floxif",
            "cnc checkin",
            "nids malware",
            "network cnc",
            "cisco umbrella",
            "site",
            "safe site",
            "alexa top",
            "million",
            "hostnames",
            "detection list",
            "alexa",
            "team top",
            "blacklist",
            "evasive",
            "immigration"
          ],
          "references": [
            "https://myurologyclinic.com/ret/GU7oiR/akometz@deerfield.com?toWww=1&redig=AA6137947E9541C0A0DB667324AA394E (moved)",
            "https://attack.mitre.org/techniques/T1568/002/",
            "http://www.junefabrics.com/android/activate.php",
            "Backdoor.PcClient"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Cyprus",
            "Ireland",
            "Spain",
            "Sweden"
          ],
          "malware_families": [
            {
              "id": "Sality",
              "display_name": "Sality",
              "target": null
            },
            {
              "id": "Worm:Win32/Autorun",
              "display_name": "Worm:Win32/Autorun",
              "target": "/malware/Worm:Win32/Autorun"
            },
            {
              "id": "Win32.Floxif.A Checkin",
              "display_name": "Win32.Floxif.A Checkin",
              "target": null
            },
            {
              "id": "Virus:Win32/Floxif.H",
              "display_name": "Virus:Win32/Floxif.H",
              "target": "/malware/Virus:Win32/Floxif.H"
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1483",
              "name": "Domain Generation Algorithms",
              "display_name": "T1483 - Domain Generation Algorithms"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 574,
            "FileHash-MD5": 339,
            "FileHash-SHA1": 329,
            "FileHash-SHA256": 1161,
            "domain": 524,
            "email": 9,
            "hostname": 650,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 3588,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 222,
          "modified_text": "806 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65d3ad3fefbf45e46c34190f",
          "name": "Sality found in DGA unspecified phishing campaign. Immigration",
          "description": "",
          "modified": "2024-03-19T16:02:09.246000",
          "created": "2024-02-19T19:34:23.355000",
          "tags": [
            "filehashmd5",
            "domain",
            "iocs",
            "all octoseek",
            "create new",
            "pdf report",
            "pcap",
            "ipv4",
            "domain xn",
            "alienvault",
            "open threat",
            "contact",
            "contacted",
            "phishing",
            "trojan",
            "sality",
            "worm",
            "dga",
            "malware",
            "regsetvalueexa",
            "read c",
            "entries",
            "search",
            "regdword",
            "medium",
            "show",
            "pe32",
            "intel",
            "ms windows",
            "copy",
            "write",
            "win32",
            "malware",
            "next",
            "unknown",
            "dead host",
            "malware infection",
            "floxif",
            "cnc checkin",
            "nids malware",
            "network cnc",
            "cisco umbrella",
            "site",
            "safe site",
            "alexa top",
            "million",
            "hostnames",
            "detection list",
            "alexa",
            "team top",
            "blacklist",
            "evasive",
            "immigration"
          ],
          "references": [
            "https://myurologyclinic.com/ret/GU7oiR/akometz@deerfield.com?toWww=1&redig=AA6137947E9541C0A0DB667324AA394E (moved)",
            "https://attack.mitre.org/techniques/T1568/002/",
            "http://www.junefabrics.com/android/activate.php",
            "Backdoor.PcClient"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Cyprus",
            "Ireland",
            "Spain",
            "Sweden"
          ],
          "malware_families": [
            {
              "id": "Sality",
              "display_name": "Sality",
              "target": null
            },
            {
              "id": "Worm:Win32/Autorun",
              "display_name": "Worm:Win32/Autorun",
              "target": "/malware/Worm:Win32/Autorun"
            },
            {
              "id": "Win32.Floxif.A Checkin",
              "display_name": "Win32.Floxif.A Checkin",
              "target": null
            },
            {
              "id": "Virus:Win32/Floxif.H",
              "display_name": "Virus:Win32/Floxif.H",
              "target": "/malware/Virus:Win32/Floxif.H"
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1483",
              "name": "Domain Generation Algorithms",
              "display_name": "T1483 - Domain Generation Algorithms"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65d23925f64351b49da548a8",
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 574,
            "FileHash-MD5": 339,
            "FileHash-SHA1": 329,
            "FileHash-SHA256": 1161,
            "domain": 524,
            "email": 9,
            "hostname": 650,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 3588,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 230,
          "modified_text": "806 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "61ee7e8829b5ffe854076a41",
          "name": "Phish and Scamthreats",
          "description": "These domains have been checked and found to contain malware/phishing or other content on websites or in emails that is harmful to users and their data in our company.\nMost of the domains have been found sending spam/scam/phishing mails.\nThese domains/email have been blocked due to security risks.",
          "modified": "2023-08-15T17:52:09.703000",
          "created": "2022-01-24T10:25:12.684000",
          "tags": [
            "email",
            "spam",
            "scam",
            "phishing",
            "europe"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Italy",
            "France",
            "Germany",
            "Austria"
          ],
          "malware_families": [
            {
              "id": "",
              "display_name": "",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "p.lechner",
            "id": "177533",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_177533/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 549,
            "email": 50,
            "hostname": 66,
            "URL": 25
          },
          "indicator_count": 690,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 8,
          "modified_text": "1023 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "http://www.junefabrics.com/android/activate.php",
        "https://myurologyclinic.com/ret/GU7oiR/akometz@deerfield.com?toWww=1&redig=AA6137947E9541C0A0DB667324AA394E (moved)",
        "https://attack.mitre.org/techniques/T1568/002/",
        "Backdoor.PcClient"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "",
            "Virus:win32/floxif.h",
            "Win32.floxif.a checkin",
            "Sality",
            "Worm:win32/autorun"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "65d23925f64351b49da548a8",
      "name": "Sality found in DGA unspecified phishing campaign.  Immigration",
      "description": "\u2022A domain generation algorithm (DGA) is a subroutine adversaries implement to dynamically identify a destination domain for CnC traffic, as opposed to using a list of static IP addresses or domains. It generates large numbers of new domain names. Cybercriminals and botnet operators use DGAs to evade detection, generating volumes of domains & IP addresses for malware CnC servers. \n\u2022Sality is an appending polymorphic file infector virus that uses an Entry Point Obscuring (EPO) technique. Unlike other file infectors that modify the entry point of the host file to point to the virus code, Sality [sentence truncated in the source].",
      "modified": "2024-03-19T16:02:09.246000",
      "created": "2024-02-18T17:06:45.853000",
      "tags": [
        "filehashmd5",
        "domain",
        "iocs",
        "all octoseek",
        "create new",
        "pdf report",
        "pcap",
        "ipv4",
        "domain xn",
        "alienvault",
        "open threat",
        "contact",
        "contacted",
        "phishing",
        "trojan",
        "sality",
        "worm",
        "dga",
        "malware",
        "regsetvalueexa",
        "read c",
        "entries",
        "search",
        "regdword",
        "medium",
        "show",
        "pe32",
        "intel",
        "ms windows",
        "copy",
        "write",
        "win32",
        "malware",
        "next",
        "unknown",
        "dead host",
        "malware infection",
        "floxif",
        "cnc checkin",
        "nids malware",
        "network cnc",
        "cisco umbrella",
        "site",
        "safe site",
        "alexa top",
        "million",
        "hostnames",
        "detection list",
        "alexa",
        "team top",
        "blacklist",
        "evasive",
        "immigration"
      ],
      "references": [
        "https://myurologyclinic.com/ret/GU7oiR/akometz@deerfield.com?toWww=1&redig=AA6137947E9541C0A0DB667324AA394E (moved)",
        "https://attack.mitre.org/techniques/T1568/002/",
        "http://www.junefabrics.com/android/activate.php",
        "Backdoor.PcClient"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Cyprus",
        "Ireland",
        "Spain",
        "Sweden"
      ],
      "malware_families": [
        {
          "id": "Sality",
          "display_name": "Sality",
          "target": null
        },
        {
          "id": "Worm:Win32/Autorun",
          "display_name": "Worm:Win32/Autorun",
          "target": "/malware/Worm:Win32/Autorun"
        },
        {
          "id": "Win32.Floxif.A Checkin",
          "display_name": "Win32.Floxif.A Checkin",
          "target": null
        },
        {
          "id": "Virus:Win32/Floxif.H",
          "display_name": "Virus:Win32/Floxif.H",
          "target": "/malware/Virus:Win32/Floxif.H"
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1063",
          "name": "Security Software Discovery",
          "display_name": "T1063 - Security Software Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1483",
          "name": "Domain Generation Algorithms",
          "display_name": "T1483 - Domain Generation Algorithms"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 574,
        "FileHash-MD5": 339,
        "FileHash-SHA1": 329,
        "FileHash-SHA256": 1161,
        "domain": 524,
        "email": 9,
        "hostname": 650,
        "SSLCertFingerprint": 2
      },
      "indicator_count": 3588,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 222,
      "modified_text": "806 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65d3ad3fefbf45e46c34190f",
      "name": "Sality found in DGA unspecified phishing campaign. Immigration",
      "description": "",
      "modified": "2024-03-19T16:02:09.246000",
      "created": "2024-02-19T19:34:23.355000",
      "tags": [
        "filehashmd5",
        "domain",
        "iocs",
        "all octoseek",
        "create new",
        "pdf report",
        "pcap",
        "ipv4",
        "domain xn",
        "alienvault",
        "open threat",
        "contact",
        "contacted",
        "phishing",
        "trojan",
        "sality",
        "worm",
        "dga",
        "malware",
        "regsetvalueexa",
        "read c",
        "entries",
        "search",
        "regdword",
        "medium",
        "show",
        "pe32",
        "intel",
        "ms windows",
        "copy",
        "write",
        "win32",
        "malware",
        "next",
        "unknown",
        "dead host",
        "malware infection",
        "floxif",
        "cnc checkin",
        "nids malware",
        "network cnc",
        "cisco umbrella",
        "site",
        "safe site",
        "alexa top",
        "million",
        "hostnames",
        "detection list",
        "alexa",
        "team top",
        "blacklist",
        "evasive",
        "immigration"
      ],
      "references": [
        "https://myurologyclinic.com/ret/GU7oiR/akometz@deerfield.com?toWww=1&redig=AA6137947E9541C0A0DB667324AA394E (moved)",
        "https://attack.mitre.org/techniques/T1568/002/",
        "http://www.junefabrics.com/android/activate.php",
        "Backdoor.PcClient"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Australia",
        "Cyprus",
        "Ireland",
        "Spain",
        "Sweden"
      ],
      "malware_families": [
        {
          "id": "Sality",
          "display_name": "Sality",
          "target": null
        },
        {
          "id": "Worm:Win32/Autorun",
          "display_name": "Worm:Win32/Autorun",
          "target": "/malware/Worm:Win32/Autorun"
        },
        {
          "id": "Win32.Floxif.A Checkin",
          "display_name": "Win32.Floxif.A Checkin",
          "target": null
        },
        {
          "id": "Virus:Win32/Floxif.H",
          "display_name": "Virus:Win32/Floxif.H",
          "target": "/malware/Virus:Win32/Floxif.H"
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1063",
          "name": "Security Software Discovery",
          "display_name": "T1063 - Security Software Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1483",
          "name": "Domain Generation Algorithms",
          "display_name": "T1483 - Domain Generation Algorithms"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "65d23925f64351b49da548a8",
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 574,
        "FileHash-MD5": 339,
        "FileHash-SHA1": 329,
        "FileHash-SHA256": 1161,
        "domain": 524,
        "email": 9,
        "hostname": 650,
        "SSLCertFingerprint": 2
      },
      "indicator_count": 3588,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 230,
      "modified_text": "806 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "61ee7e8829b5ffe854076a41",
      "name": "Phish and Scamthreats",
      "description": "These domains have been checked and found to contain malware/phishing or other content on websites or in emails that is harmful to users and their data in our company.\nMost of the domains have been found sending spam/scam/phishing mails.\nThese domains/email have been blocked due to security risks.",
      "modified": "2023-08-15T17:52:09.703000",
      "created": "2022-01-24T10:25:12.684000",
      "tags": [
        "email",
        "spam",
        "scam",
        "phishing",
        "europe"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Italy",
        "France",
        "Germany",
        "Austria"
      ],
      "malware_families": [
        {
          "id": "",
          "display_name": "",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 27,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "p.lechner",
        "id": "177533",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_177533/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 549,
        "email": 50,
        "hostname": 66,
        "URL": 25
      },
      "indicator_count": 690,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 8,
      "modified_text": "1023 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "sibmbpreinduction.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "sibmbpreinduction.com",
    "found": true,
    "verdict": "malicious",
    "url_count": 1,
    "online_count": 0,
    "blacklists": {
      "spamhaus_dbl": "not listed",
      "surbl": "not listed"
    },
    "urls": [
      {
        "url": "https://sibmbpreinduction.com/courses.sibmbpreinduction.com/backup/util/helper/tests/UfgFGjO8S.php",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2021-03-17",
        "tags": [
          "Dridex",
          "opendir"
        ]
      }
    ],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780520332.8550541
}