{
  "type": "Domain",
  "indicator": "slashdb.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/slashdb.com",
    "alexa": "http://www.alexa.com/siteinfo/slashdb.com",
    "indicator": "slashdb.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2236822693,
      "indicator": "slashdb.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "6a040bf64fe2efef00132467",
          "name": "AWS.DEV | Ransom REevil | MaaS -Mirai , Makop , Sodinokibi | 6.13.25 Appears ti be ongoing  ",
          "description": "",
          "modified": "2026-05-13T05:28:22.199000",
          "created": "2026-05-13T05:28:22.199000",
          "tags": [
            "filehashmd5",
            "filehashsha1",
            "showing",
            "copyright",
            "levelblue",
            "packer entropy",
            "pe features",
            "pe unknown",
            "resource name",
            "allocates rwx",
            "network icmp",
            "antivm network",
            "exe nolookup",
            "proxy wpad",
            "dead host",
            "tools",
            "generic",
            "deletes self",
            "ransom",
            "evader",
            "active",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "installs",
            "adversaries",
            "windows",
            "modules",
            "registry",
            "persistence",
            "execution",
            "service",
            "united",
            "path",
            "flag",
            "date",
            "access type",
            "germany germany",
            "create",
            "http header",
            "tcp traffic",
            "et info",
            "entropy",
            "hybrid",
            "malicious",
            "general",
            "click",
            "strings",
            "inject",
            "remote",
            "encrypt files",
            "python",
            "global",
            "win32 exe",
            "pe32",
            "intel",
            "ms windows",
            "win32 dynamic",
            "link library",
            "win16 ne",
            "icons library",
            "os2 executable",
            "pe32 compiler",
            "overlay",
            "data",
            "pe32 executable",
            "borland delphi",
            "delphi generic",
            "md5 code",
            "empty hash",
            "file type",
            "success",
            "regopenkeyexw",
            "regopenkeyexa",
            "hkeycurrentuser",
            "virtualallocex",
            "createfilew",
            "genericread",
            "hkeyclassesroot",
            "genericwrite",
            "regsetvalueexw",
            "desktop",
            "webview",
            "mirai",
            "russsian data",
            "reevil",
            "money doc",
            "gmt flag",
            "server",
            "united kingdom",
            "france france",
            "ukraine ukraine",
            "llc name",
            "viet nam",
            "show",
            "cve",
            "bad traffic",
            "false",
            "error",
            "tags",
            "ipv4",
            "url https",
            "url http",
            "search",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "entries",
            "monitor",
            "target",
            "members",
            "maas",
            "attack",
            "mitre att"
          ],
          "references": [
            "RANSOM_REvil - https://www.nextron-systems.com/notes-on-virustotal-matches/",
            "YARA:  Matches rule MAL_RANSOM_REvil_Oct20_1 from ruleset crime_ransom_revil by Florian Roth (Nextron Systems)",
            "YARA: Matches rule Windows_Ransomware_Sodinokibi_83f05fbe from ruleset Windows_Ransomware_Sodinokibi by Elastic Security",
            "YARA: Matches rule win_revil_auto from ruleset win.revil_auto by Felix Bilstein - yara-signator at cocacoding dot com",
            "https://otx.alienvault.com/malware/Ransom:Win32/Makop/",
            "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8",
            "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8",
            "Permissions requested: SE_DEBUG_PRIVILEGE SE_LOAD_DRIVER_PRIVILEGE",
            "Behaviour: Extract file to system directory"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Ransom:Win32/Makop.PA!MTB",
              "display_name": "Ransom:Win32/Makop.PA!MTB",
              "target": "/malware/Ransom:Win32/Makop.PA!MTB"
            },
            {
              "id": "Trojan/Win32.BlueCrab.R331768",
              "display_name": "Trojan/Win32.BlueCrab.R331768",
              "target": null
            },
            {
              "id": "Trojan.Ransom.Sodinokibi",
              "display_name": "Trojan.Ransom.Sodinokibi",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Virus.Neshta",
              "display_name": "Virus.Neshta",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "RANSOM_REvil",
              "display_name": "RANSOM_REvil",
              "target": null
            },
            {
              "id": "Labeled as: Ransom.Sodinokibi.Generic",
              "display_name": "Labeled as: Ransom.Sodinokibi.Generic",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1035",
              "name": "Service Execution",
              "display_name": "T1035 - Service Execution"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1179",
              "name": "Hooking",
              "display_name": "T1179 - Hooking"
            },
            {
              "id": "T1215",
              "name": "Kernel Modules and Extensions",
              "display_name": "T1215 - Kernel Modules and Extensions"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1181",
              "name": "Extra Window Memory Injection",
              "display_name": "T1181 - Extra Window Memory Injection"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0010",
              "name": "Exfiltration",
              "display_name": "TA0010 - Exfiltration"
            },
            {
              "id": "TA0008",
              "name": "Lateral Movement",
              "display_name": "TA0008 - Lateral Movement"
            },
            {
              "id": "TA0009",
              "name": "Collection",
              "display_name": "TA0009 - Collection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "684cad9bc64e61ae0e6df4c1",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 99,
            "FileHash-SHA1": 85,
            "FileHash-SHA256": 110,
            "URL": 83,
            "CVE": 1,
            "domain": 102,
            "hostname": 36
          },
          "indicator_count": 516,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "18 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a040afa13cf077fedd59f36",
          "name": "Ransom REevil | AWS.DEV | MaaS -Mirai , Makop , Sodinokibi , FlyStudio + Campaign| Appears to be ongoing ",
          "description": "",
          "modified": "2026-05-13T05:24:10.262000",
          "created": "2026-05-13T05:24:10.262000",
          "tags": [
            "filehashmd5",
            "filehashsha1",
            "showing",
            "copyright",
            "levelblue",
            "packer entropy",
            "pe features",
            "pe unknown",
            "resource name",
            "allocates rwx",
            "network icmp",
            "antivm network",
            "exe nolookup",
            "proxy wpad",
            "dead host",
            "tools",
            "generic",
            "deletes self",
            "ransom",
            "evader",
            "active",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "installs",
            "adversaries",
            "windows",
            "modules",
            "registry",
            "persistence",
            "execution",
            "service",
            "united",
            "path",
            "flag",
            "date",
            "access type",
            "germany germany",
            "create",
            "http header",
            "tcp traffic",
            "et info",
            "entropy",
            "hybrid",
            "malicious",
            "general",
            "click",
            "strings",
            "inject",
            "remote",
            "encrypt files",
            "python",
            "global",
            "win32 exe",
            "pe32",
            "intel",
            "ms windows",
            "win32 dynamic",
            "link library",
            "win16 ne",
            "icons library",
            "os2 executable",
            "pe32 compiler",
            "overlay",
            "data",
            "pe32 executable",
            "borland delphi",
            "delphi generic",
            "md5 code",
            "empty hash",
            "file type",
            "success",
            "regopenkeyexw",
            "regopenkeyexa",
            "hkeycurrentuser",
            "virtualallocex",
            "createfilew",
            "genericread",
            "hkeyclassesroot",
            "genericwrite",
            "regsetvalueexw",
            "desktop",
            "webview",
            "mirai",
            "russsian data",
            "reevil",
            "money doc",
            "gmt flag",
            "server",
            "united kingdom",
            "france france",
            "ukraine ukraine",
            "llc name",
            "viet nam",
            "show",
            "cve",
            "bad traffic",
            "false",
            "error",
            "tags",
            "ipv4",
            "url https",
            "url http",
            "search",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "entries",
            "monitor",
            "target",
            "members",
            "maas",
            "attack",
            "mitre att"
          ],
          "references": [
            "RANSOM_REvil - https://www.nextron-systems.com/notes-on-virustotal-matches/",
            "YARA:  Matches rule MAL_RANSOM_REvil_Oct20_1 from ruleset crime_ransom_revil by Florian Roth (Nextron Systems)",
            "YARA: Matches rule Windows_Ransomware_Sodinokibi_83f05fbe from ruleset Windows_Ransomware_Sodinokibi by Elastic Security",
            "YARA: Matches rule win_revil_auto from ruleset win.revil_auto by Felix Bilstein - yara-signator at cocacoding dot com",
            "https://otx.alienvault.com/malware/Ransom:Win32/Makop/",
            "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8",
            "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8",
            "Permissions requested: SE_DEBUG_PRIVILEGE SE_LOAD_DRIVER_PRIVILEGE",
            "Behaviour: Extract file to system directory"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Ransom:Win32/Makop.PA!MTB",
              "display_name": "Ransom:Win32/Makop.PA!MTB",
              "target": "/malware/Ransom:Win32/Makop.PA!MTB"
            },
            {
              "id": "Trojan/Win32.BlueCrab.R331768",
              "display_name": "Trojan/Win32.BlueCrab.R331768",
              "target": null
            },
            {
              "id": "Trojan.Ransom.Sodinokibi",
              "display_name": "Trojan.Ransom.Sodinokibi",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Virus.Neshta",
              "display_name": "Virus.Neshta",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "RANSOM_REvil",
              "display_name": "RANSOM_REvil",
              "target": null
            },
            {
              "id": "Labeled as: Ransom.Sodinokibi.Generic",
              "display_name": "Labeled as: Ransom.Sodinokibi.Generic",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1035",
              "name": "Service Execution",
              "display_name": "T1035 - Service Execution"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1179",
              "name": "Hooking",
              "display_name": "T1179 - Hooking"
            },
            {
              "id": "T1215",
              "name": "Kernel Modules and Extensions",
              "display_name": "T1215 - Kernel Modules and Extensions"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1181",
              "name": "Extra Window Memory Injection",
              "display_name": "T1181 - Extra Window Memory Injection"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0010",
              "name": "Exfiltration",
              "display_name": "TA0010 - Exfiltration"
            },
            {
              "id": "TA0008",
              "name": "Lateral Movement",
              "display_name": "TA0008 - Lateral Movement"
            },
            {
              "id": "TA0009",
              "name": "Collection",
              "display_name": "TA0009 - Collection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "684cad9bc64e61ae0e6df4c1",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 3,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 99,
            "FileHash-SHA1": 85,
            "FileHash-SHA256": 110,
            "URL": 83,
            "CVE": 1,
            "domain": 102,
            "hostname": 36
          },
          "indicator_count": 516,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "18 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "617af11f370d993aeff26e71",
          "name": "Kaseya VSA REvil Indicators",
          "description": "",
          "modified": "2025-08-25T16:22:33.668000",
          "created": "2021-10-28T18:51:11.197000",
          "tags": [
            "REvil",
            "Kaseya",
            "VSA Server",
            "ransomware"
          ],
          "references": [
            "https://www.virustotal.com/gui/file/d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e/details",
            "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers",
            "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-200-companies-in-msp-supply-chain-attack/",
            "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b",
            "https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/",
            "https://gist.github.com/fwosar/a63e1249bfccb8395b961d3d780c0354",
            "https://docs.google.com/spreadsheets/d/11AFPdK5A-7g484lfc0HmXdBrZpYI-Jhx4N1VwFXrcrQ/edit#gid=1201846661",
            "https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident?utm_campaign=CY21-Q3-RapidResponse-KaseyaVSA&utm_medium=email&_hsmi=138021297&_hsenc=p2ANqtz--HvqdKyS4A0PNoXQXXy44zns31VXVSOFaz97KXwFQMvl-wiRhktYL4l036tl-r5zmeY3RRVzgz2GqtktDCLPLQ8gB8vg&utm_content=138021297&utm_source=hs_email",
            "https://github.com/Neo23x0/signature-base/blob/master/yara/crime_revil_general.yar"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "REvil",
              "display_name": "REvil",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "60df80a7a665c1dd6baf7753",
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "VertekLabs",
            "id": "168455",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 15,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 16,
            "URL": 1,
            "domain": 1177,
            "hostname": 5,
            "YARA": 4
          },
          "indicator_count": 1233,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 564,
          "modified_text": "278 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "684cad9bc64e61ae0e6df4c1",
          "name": "Ransom  REevil | AWS.DEV | MaaS",
          "description": "Malicious campaigners paid to  target specific groups and individuals. Large ongoing operation.",
          "modified": "2025-07-13T22:02:31.447000",
          "created": "2025-06-13T23:00:43.338000",
          "tags": [
            "filehashmd5",
            "filehashsha1",
            "showing",
            "copyright",
            "levelblue",
            "packer entropy",
            "pe features",
            "pe unknown",
            "resource name",
            "allocates rwx",
            "network icmp",
            "antivm network",
            "exe nolookup",
            "proxy wpad",
            "dead host",
            "tools",
            "generic",
            "deletes self",
            "ransom",
            "evader",
            "active",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "installs",
            "adversaries",
            "windows",
            "modules",
            "registry",
            "persistence",
            "execution",
            "service",
            "united",
            "path",
            "flag",
            "date",
            "access type",
            "germany germany",
            "create",
            "http header",
            "tcp traffic",
            "et info",
            "entropy",
            "hybrid",
            "malicious",
            "general",
            "click",
            "strings",
            "inject",
            "remote",
            "encrypt files",
            "python",
            "global",
            "win32 exe",
            "pe32",
            "intel",
            "ms windows",
            "win32 dynamic",
            "link library",
            "win16 ne",
            "icons library",
            "os2 executable",
            "pe32 compiler",
            "overlay",
            "data",
            "pe32 executable",
            "borland delphi",
            "delphi generic",
            "md5 code",
            "empty hash",
            "file type",
            "success",
            "regopenkeyexw",
            "regopenkeyexa",
            "hkeycurrentuser",
            "virtualallocex",
            "createfilew",
            "genericread",
            "hkeyclassesroot",
            "genericwrite",
            "regsetvalueexw",
            "desktop",
            "webview",
            "mirai",
            "russsian data",
            "reevil",
            "money doc",
            "gmt flag",
            "server",
            "united kingdom",
            "france france",
            "ukraine ukraine",
            "llc name",
            "viet nam",
            "show",
            "cve",
            "bad traffic",
            "false",
            "error",
            "tags",
            "ipv4",
            "url https",
            "url http",
            "search",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "entries",
            "monitor",
            "target",
            "members",
            "maas",
            "attack",
            "mitre att"
          ],
          "references": [
            "RANSOM_REvil - https://www.nextron-systems.com/notes-on-virustotal-matches/",
            "YARA:  Matches rule MAL_RANSOM_REvil_Oct20_1 from ruleset crime_ransom_revil by Florian Roth (Nextron Systems)",
            "YARA: Matches rule Windows_Ransomware_Sodinokibi_83f05fbe from ruleset Windows_Ransomware_Sodinokibi by Elastic Security",
            "YARA: Matches rule win_revil_auto from ruleset win.revil_auto by Felix Bilstein - yara-signator at cocacoding dot com",
            "https://otx.alienvault.com/malware/Ransom:Win32/Makop/",
            "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8",
            "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8",
            "Permissions requested: SE_DEBUG_PRIVILEGE SE_LOAD_DRIVER_PRIVILEGE",
            "Behaviour: Extract file to system directory"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Ransom:Win32/Makop.PA!MTB",
              "display_name": "Ransom:Win32/Makop.PA!MTB",
              "target": "/malware/Ransom:Win32/Makop.PA!MTB"
            },
            {
              "id": "Trojan/Win32.BlueCrab.R331768",
              "display_name": "Trojan/Win32.BlueCrab.R331768",
              "target": null
            },
            {
              "id": "Trojan.Ransom.Sodinokibi",
              "display_name": "Trojan.Ransom.Sodinokibi",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "Virus.Neshta",
              "display_name": "Virus.Neshta",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "RANSOM_REvil",
              "display_name": "RANSOM_REvil",
              "target": null
            },
            {
              "id": "Labeled as: Ransom.Sodinokibi.Generic",
              "display_name": "Labeled as: Ransom.Sodinokibi.Generic",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1035",
              "name": "Service Execution",
              "display_name": "T1035 - Service Execution"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1179",
              "name": "Hooking",
              "display_name": "T1179 - Hooking"
            },
            {
              "id": "T1215",
              "name": "Kernel Modules and Extensions",
              "display_name": "T1215 - Kernel Modules and Extensions"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1181",
              "name": "Extra Window Memory Injection",
              "display_name": "T1181 - Extra Window Memory Injection"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0002",
              "name": "Execution",
              "display_name": "TA0002 - Execution"
            },
            {
              "id": "TA0010",
              "name": "Exfiltration",
              "display_name": "TA0010 - Exfiltration"
            },
            {
              "id": "TA0008",
              "name": "Lateral Movement",
              "display_name": "TA0008 - Lateral Movement"
            },
            {
              "id": "TA0009",
              "name": "Collection",
              "display_name": "TA0009 - Collection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 28,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 99,
            "FileHash-SHA1": 85,
            "FileHash-SHA256": 110,
            "URL": 83,
            "CVE": 1,
            "domain": 102,
            "hostname": 36
          },
          "indicator_count": 516,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "321 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65707c3be05f3a7ea9e654d4",
          "name": "Kaseya VSA REvil Indicators",
          "description": "",
          "modified": "2023-12-06T13:50:51.719000",
          "created": "2023-12-06T13:50:51.719000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 15,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 16,
            "URL": 1,
            "domain": 1178,
            "hostname": 5,
            "YARA": 4
          },
          "indicator_count": 1234,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "906 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65707bedc2fbc934427f325c",
          "name": "Kaseya VSA REvil Indicators",
          "description": "",
          "modified": "2023-12-06T13:49:33.291000",
          "created": "2023-12-06T13:49:33.291000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 15,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 16,
            "URL": 1,
            "domain": 1179,
            "hostname": 5,
            "YARA": 4
          },
          "indicator_count": 1235,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "906 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62cbdddd1fc2e2956bfacda5",
          "name": "vvvvv",
          "description": "The internet is full of people, but not everyone wants to see it, so here's a look at some of the more eye-catching snippets from the past few days:..com.",
          "modified": "2022-08-10T00:00:07.214000",
          "created": "2022-07-11T08:22:53.511000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "leiwen15",
            "id": "157128",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 3662,
            "URL": 250,
            "domain": 1592,
            "FileHash-MD5": 4,
            "email": 2
          },
          "indicator_count": 5510,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "1390 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62cbdde0447b9617f24a8901",
          "name": "vvvvv",
          "description": "The internet is full of people, but not everyone wants to see it, so here's a look at some of the more eye-catching snippets from the past few days:..com.",
          "modified": "2022-08-10T00:00:07.214000",
          "created": "2022-07-11T08:22:56.693000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "leiwen15",
            "id": "157128",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 3662,
            "URL": 250,
            "domain": 1592,
            "FileHash-MD5": 4,
            "email": 2
          },
          "indicator_count": 5510,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "1390 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62cbddf0c4709eb7b4d0fb94",
          "name": "data of hhh",
          "description": "The internet is full of people, but not everyone wants to see it, so here's a look at some of the more eye-catching snippets from the past few days:..com.",
          "modified": "2022-08-10T00:00:07.214000",
          "created": "2022-07-11T08:23:12.624000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "leiwen15",
            "id": "157128",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 3662,
            "URL": 250,
            "domain": 1592,
            "FileHash-MD5": 4,
            "email": 2
          },
          "indicator_count": 5510,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 44,
          "modified_text": "1390 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "60df80a7a665c1dd6baf7753",
          "name": "Kaseya VSA REvil Indicators",
          "description": "",
          "modified": "2022-02-18T14:52:05.251000",
          "created": "2021-07-02T21:09:59.361000",
          "tags": [
            "REvil",
            "Kaseya",
            "VSA Server",
            "ransomware"
          ],
          "references": [
            "https://www.virustotal.com/gui/file/d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e/details",
            "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers",
            "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-200-companies-in-msp-supply-chain-attack/",
            "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b",
            "https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/",
            "https://gist.github.com/fwosar/a63e1249bfccb8395b961d3d780c0354",
            "https://docs.google.com/spreadsheets/d/11AFPdK5A-7g484lfc0HmXdBrZpYI-Jhx4N1VwFXrcrQ/edit#gid=1201846661",
            "https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident?utm_campaign=CY21-Q3-RapidResponse-KaseyaVSA&utm_medium=email&_hsmi=138021297&_hsenc=p2ANqtz--HvqdKyS4A0PNoXQXXy44zns31VXVSOFaz97KXwFQMvl-wiRhktYL4l036tl-r5zmeY3RRVzgz2GqtktDCLPLQ8gB8vg&utm_content=138021297&utm_source=hs_email",
            "https://github.com/Neo23x0/signature-base/blob/master/yara/crime_revil_general.yar"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "REvil",
              "display_name": "REvil",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 63,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "vthelpdesk",
            "id": "1766",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_1766/resized/80/avatar_0be7a35fab.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 15,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 16,
            "URL": 1,
            "domain": 1179,
            "hostname": 5,
            "YARA": 4
          },
          "indicator_count": 1235,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 624,
          "modified_text": "1562 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-200-companies-in-msp-supply-chain-attack/",
        "https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/",
        "Behaviour: Extract file to system directory",
        "Permissions requested: SE_DEBUG_PRIVILEGE SE_LOAD_DRIVER_PRIVILEGE",
        "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8",
        "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers",
        "https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident?utm_campaign=CY21-Q3-RapidResponse-KaseyaVSA&utm_medium=email&_hsmi=138021297&_hsenc=p2ANqtz--HvqdKyS4A0PNoXQXXy44zns31VXVSOFaz97KXwFQMvl-wiRhktYL4l036tl-r5zmeY3RRVzgz2GqtktDCLPLQ8gB8vg&utm_content=138021297&utm_source=hs_email",
        "RANSOM_REvil - https://www.nextron-systems.com/notes-on-virustotal-matches/",
        "https://www.virustotal.com/gui/file/d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e/details",
        "YARA:  Matches rule MAL_RANSOM_REvil_Oct20_1 from ruleset crime_ransom_revil by Florian Roth (Nextron Systems)",
        "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b",
        "https://otx.alienvault.com/malware/Ransom:Win32/Makop/",
        "https://docs.google.com/spreadsheets/d/11AFPdK5A-7g484lfc0HmXdBrZpYI-Jhx4N1VwFXrcrQ/edit#gid=1201846661",
        "https://github.com/Neo23x0/signature-base/blob/master/yara/crime_revil_general.yar",
        "https://gist.github.com/fwosar/a63e1249bfccb8395b961d3d780c0354",
        "YARA: Matches rule Windows_Ransomware_Sodinokibi_83f05fbe from ruleset Windows_Ransomware_Sodinokibi by Elastic Security",
        "YARA: Matches rule win_revil_auto from ruleset win.revil_auto by Felix Bilstein - yara-signator at cocacoding dot com"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Emotet",
            "Trojan/win32.bluecrab.r331768",
            "Labeled as: ransom.sodinokibi.generic",
            "Revil",
            "Trojan.ransom.sodinokibi",
            "Mirai",
            "Virus.neshta",
            "Ransom_revil",
            "Ransom:win32/makop.pa!mtb"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "6a040bf64fe2efef00132467",
      "name": "AWS.DEV | Ransom REevil | MaaS -Mirai , Makop , Sodinokibi | 6.13.25 Appears ti be ongoing  ",
      "description": "",
      "modified": "2026-05-13T05:28:22.199000",
      "created": "2026-05-13T05:28:22.199000",
      "tags": [
        "filehashmd5",
        "filehashsha1",
        "showing",
        "copyright",
        "levelblue",
        "packer entropy",
        "pe features",
        "pe unknown",
        "resource name",
        "allocates rwx",
        "network icmp",
        "antivm network",
        "exe nolookup",
        "proxy wpad",
        "dead host",
        "tools",
        "generic",
        "deletes self",
        "ransom",
        "evader",
        "active",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "installs",
        "adversaries",
        "windows",
        "modules",
        "registry",
        "persistence",
        "execution",
        "service",
        "united",
        "path",
        "flag",
        "date",
        "access type",
        "germany germany",
        "create",
        "http header",
        "tcp traffic",
        "et info",
        "entropy",
        "hybrid",
        "malicious",
        "general",
        "click",
        "strings",
        "inject",
        "remote",
        "encrypt files",
        "python",
        "global",
        "win32 exe",
        "pe32",
        "intel",
        "ms windows",
        "win32 dynamic",
        "link library",
        "win16 ne",
        "icons library",
        "os2 executable",
        "pe32 compiler",
        "overlay",
        "data",
        "pe32 executable",
        "borland delphi",
        "delphi generic",
        "md5 code",
        "empty hash",
        "file type",
        "success",
        "regopenkeyexw",
        "regopenkeyexa",
        "hkeycurrentuser",
        "virtualallocex",
        "createfilew",
        "genericread",
        "hkeyclassesroot",
        "genericwrite",
        "regsetvalueexw",
        "desktop",
        "webview",
        "mirai",
        "russsian data",
        "reevil",
        "money doc",
        "gmt flag",
        "server",
        "united kingdom",
        "france france",
        "ukraine ukraine",
        "llc name",
        "viet nam",
        "show",
        "cve",
        "bad traffic",
        "false",
        "error",
        "tags",
        "ipv4",
        "url https",
        "url http",
        "search",
        "type indicator",
        "role title",
        "added active",
        "related pulses",
        "entries",
        "monitor",
        "target",
        "members",
        "maas",
        "attack",
        "mitre att"
      ],
      "references": [
        "RANSOM_REvil - https://www.nextron-systems.com/notes-on-virustotal-matches/",
        "YARA:  Matches rule MAL_RANSOM_REvil_Oct20_1 from ruleset crime_ransom_revil by Florian Roth (Nextron Systems)",
        "YARA: Matches rule Windows_Ransomware_Sodinokibi_83f05fbe from ruleset Windows_Ransomware_Sodinokibi by Elastic Security",
        "YARA: Matches rule win_revil_auto from ruleset win.revil_auto by Felix Bilstein - yara-signator at cocacoding dot com",
        "https://otx.alienvault.com/malware/Ransom:Win32/Makop/",
        "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8",
        "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8",
        "Permissions requested: SE_DEBUG_PRIVILEGE SE_LOAD_DRIVER_PRIVILEGE",
        "Behaviour: Extract file to system directory"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Ransom:Win32/Makop.PA!MTB",
          "display_name": "Ransom:Win32/Makop.PA!MTB",
          "target": "/malware/Ransom:Win32/Makop.PA!MTB"
        },
        {
          "id": "Trojan/Win32.BlueCrab.R331768",
          "display_name": "Trojan/Win32.BlueCrab.R331768",
          "target": null
        },
        {
          "id": "Trojan.Ransom.Sodinokibi",
          "display_name": "Trojan.Ransom.Sodinokibi",
          "target": null
        },
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "Virus.Neshta",
          "display_name": "Virus.Neshta",
          "target": null
        },
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "RANSOM_REvil",
          "display_name": "RANSOM_REvil",
          "target": null
        },
        {
          "id": "Labeled as: Ransom.Sodinokibi.Generic",
          "display_name": "Labeled as: Ransom.Sodinokibi.Generic",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1035",
          "name": "Service Execution",
          "display_name": "T1035 - Service Execution"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1179",
          "name": "Hooking",
          "display_name": "T1179 - Hooking"
        },
        {
          "id": "T1215",
          "name": "Kernel Modules and Extensions",
          "display_name": "T1215 - Kernel Modules and Extensions"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1181",
          "name": "Extra Window Memory Injection",
          "display_name": "T1181 - Extra Window Memory Injection"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "TA0002",
          "name": "Execution",
          "display_name": "TA0002 - Execution"
        },
        {
          "id": "TA0010",
          "name": "Exfiltration",
          "display_name": "TA0010 - Exfiltration"
        },
        {
          "id": "TA0008",
          "name": "Lateral Movement",
          "display_name": "TA0008 - Lateral Movement"
        },
        {
          "id": "TA0009",
          "name": "Collection",
          "display_name": "TA0009 - Collection"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "684cad9bc64e61ae0e6df4c1",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 99,
        "FileHash-SHA1": 85,
        "FileHash-SHA256": 110,
        "URL": 83,
        "CVE": 1,
        "domain": 102,
        "hostname": 36
      },
      "indicator_count": 516,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 143,
      "modified_text": "18 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a040afa13cf077fedd59f36",
      "name": "Ransom REevil | AWS.DEV | MaaS -Mirai , Makop , Sodinokibi , FlyStudio + Campaign| Appears to be ongoing ",
      "description": "",
      "modified": "2026-05-13T05:24:10.262000",
      "created": "2026-05-13T05:24:10.262000",
      "tags": [
        "filehashmd5",
        "filehashsha1",
        "showing",
        "copyright",
        "levelblue",
        "packer entropy",
        "pe features",
        "pe unknown",
        "resource name",
        "allocates rwx",
        "network icmp",
        "antivm network",
        "exe nolookup",
        "proxy wpad",
        "dead host",
        "tools",
        "generic",
        "deletes self",
        "ransom",
        "evader",
        "active",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "installs",
        "adversaries",
        "windows",
        "modules",
        "registry",
        "persistence",
        "execution",
        "service",
        "united",
        "path",
        "flag",
        "date",
        "access type",
        "germany germany",
        "create",
        "http header",
        "tcp traffic",
        "et info",
        "entropy",
        "hybrid",
        "malicious",
        "general",
        "click",
        "strings",
        "inject",
        "remote",
        "encrypt files",
        "python",
        "global",
        "win32 exe",
        "pe32",
        "intel",
        "ms windows",
        "win32 dynamic",
        "link library",
        "win16 ne",
        "icons library",
        "os2 executable",
        "pe32 compiler",
        "overlay",
        "data",
        "pe32 executable",
        "borland delphi",
        "delphi generic",
        "md5 code",
        "empty hash",
        "file type",
        "success",
        "regopenkeyexw",
        "regopenkeyexa",
        "hkeycurrentuser",
        "virtualallocex",
        "createfilew",
        "genericread",
        "hkeyclassesroot",
        "genericwrite",
        "regsetvalueexw",
        "desktop",
        "webview",
        "mirai",
        "russsian data",
        "reevil",
        "money doc",
        "gmt flag",
        "server",
        "united kingdom",
        "france france",
        "ukraine ukraine",
        "llc name",
        "viet nam",
        "show",
        "cve",
        "bad traffic",
        "false",
        "error",
        "tags",
        "ipv4",
        "url https",
        "url http",
        "search",
        "type indicator",
        "role title",
        "added active",
        "related pulses",
        "entries",
        "monitor",
        "target",
        "members",
        "maas",
        "attack",
        "mitre att"
      ],
      "references": [
        "RANSOM_REvil - https://www.nextron-systems.com/notes-on-virustotal-matches/",
        "YARA:  Matches rule MAL_RANSOM_REvil_Oct20_1 from ruleset crime_ransom_revil by Florian Roth (Nextron Systems)",
        "YARA: Matches rule Windows_Ransomware_Sodinokibi_83f05fbe from ruleset Windows_Ransomware_Sodinokibi by Elastic Security",
        "YARA: Matches rule win_revil_auto from ruleset win.revil_auto by Felix Bilstein - yara-signator at cocacoding dot com",
        "https://otx.alienvault.com/malware/Ransom:Win32/Makop/",
        "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8",
        "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8",
        "Permissions requested: SE_DEBUG_PRIVILEGE SE_LOAD_DRIVER_PRIVILEGE",
        "Behaviour: Extract file to system directory"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Ransom:Win32/Makop.PA!MTB",
          "display_name": "Ransom:Win32/Makop.PA!MTB",
          "target": "/malware/Ransom:Win32/Makop.PA!MTB"
        },
        {
          "id": "Trojan/Win32.BlueCrab.R331768",
          "display_name": "Trojan/Win32.BlueCrab.R331768",
          "target": null
        },
        {
          "id": "Trojan.Ransom.Sodinokibi",
          "display_name": "Trojan.Ransom.Sodinokibi",
          "target": null
        },
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "Virus.Neshta",
          "display_name": "Virus.Neshta",
          "target": null
        },
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "RANSOM_REvil",
          "display_name": "RANSOM_REvil",
          "target": null
        },
        {
          "id": "Labeled as: Ransom.Sodinokibi.Generic",
          "display_name": "Labeled as: Ransom.Sodinokibi.Generic",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1035",
          "name": "Service Execution",
          "display_name": "T1035 - Service Execution"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1179",
          "name": "Hooking",
          "display_name": "T1179 - Hooking"
        },
        {
          "id": "T1215",
          "name": "Kernel Modules and Extensions",
          "display_name": "T1215 - Kernel Modules and Extensions"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1181",
          "name": "Extra Window Memory Injection",
          "display_name": "T1181 - Extra Window Memory Injection"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "TA0002",
          "name": "Execution",
          "display_name": "TA0002 - Execution"
        },
        {
          "id": "TA0010",
          "name": "Exfiltration",
          "display_name": "TA0010 - Exfiltration"
        },
        {
          "id": "TA0008",
          "name": "Lateral Movement",
          "display_name": "TA0008 - Lateral Movement"
        },
        {
          "id": "TA0009",
          "name": "Collection",
          "display_name": "TA0009 - Collection"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "684cad9bc64e61ae0e6df4c1",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 3,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 99,
        "FileHash-SHA1": 85,
        "FileHash-SHA256": 110,
        "URL": 83,
        "CVE": 1,
        "domain": 102,
        "hostname": 36
      },
      "indicator_count": 516,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 143,
      "modified_text": "18 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "617af11f370d993aeff26e71",
      "name": "Kaseya VSA REvil Indicators",
      "description": "",
      "modified": "2025-08-25T16:22:33.668000",
      "created": "2021-10-28T18:51:11.197000",
      "tags": [
        "REvil",
        "Kaseya",
        "VSA Server",
        "ransomware"
      ],
      "references": [
        "https://www.virustotal.com/gui/file/d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e/details",
        "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers",
        "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-200-companies-in-msp-supply-chain-attack/",
        "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b",
        "https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/",
        "https://gist.github.com/fwosar/a63e1249bfccb8395b961d3d780c0354",
        "https://docs.google.com/spreadsheets/d/11AFPdK5A-7g484lfc0HmXdBrZpYI-Jhx4N1VwFXrcrQ/edit#gid=1201846661",
        "https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident?utm_campaign=CY21-Q3-RapidResponse-KaseyaVSA&utm_medium=email&_hsmi=138021297&_hsenc=p2ANqtz--HvqdKyS4A0PNoXQXXy44zns31VXVSOFaz97KXwFQMvl-wiRhktYL4l036tl-r5zmeY3RRVzgz2GqtktDCLPLQ8gB8vg&utm_content=138021297&utm_source=hs_email",
        "https://github.com/Neo23x0/signature-base/blob/master/yara/crime_revil_general.yar"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "REvil",
          "display_name": "REvil",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "60df80a7a665c1dd6baf7753",
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "VertekLabs",
        "id": "168455",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 15,
        "FileHash-SHA1": 15,
        "FileHash-SHA256": 16,
        "URL": 1,
        "domain": 1177,
        "hostname": 5,
        "YARA": 4
      },
      "indicator_count": 1233,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 564,
      "modified_text": "278 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "684cad9bc64e61ae0e6df4c1",
      "name": "Ransom  REevil | AWS.DEV | MaaS",
      "description": "Malicious campaigners paid to target specific groups and individuals. Large ongoing operation.",
      "modified": "2025-07-13T22:02:31.447000",
      "created": "2025-06-13T23:00:43.338000",
      "tags": [
        "filehashmd5",
        "filehashsha1",
        "showing",
        "copyright",
        "levelblue",
        "packer entropy",
        "pe features",
        "pe unknown",
        "resource name",
        "allocates rwx",
        "network icmp",
        "antivm network",
        "exe nolookup",
        "proxy wpad",
        "dead host",
        "tools",
        "generic",
        "deletes self",
        "ransom",
        "evader",
        "active",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "installs",
        "adversaries",
        "windows",
        "modules",
        "registry",
        "persistence",
        "execution",
        "service",
        "united",
        "path",
        "flag",
        "date",
        "access type",
        "germany germany",
        "create",
        "http header",
        "tcp traffic",
        "et info",
        "entropy",
        "hybrid",
        "malicious",
        "general",
        "click",
        "strings",
        "inject",
        "remote",
        "encrypt files",
        "python",
        "global",
        "win32 exe",
        "pe32",
        "intel",
        "ms windows",
        "win32 dynamic",
        "link library",
        "win16 ne",
        "icons library",
        "os2 executable",
        "pe32 compiler",
        "overlay",
        "data",
        "pe32 executable",
        "borland delphi",
        "delphi generic",
        "md5 code",
        "empty hash",
        "file type",
        "success",
        "regopenkeyexw",
        "regopenkeyexa",
        "hkeycurrentuser",
        "virtualallocex",
        "createfilew",
        "genericread",
        "hkeyclassesroot",
        "genericwrite",
        "regsetvalueexw",
        "desktop",
        "webview",
        "mirai",
        "russsian data",
        "reevil",
        "money doc",
        "gmt flag",
        "server",
        "united kingdom",
        "france france",
        "ukraine ukraine",
        "llc name",
        "viet nam",
        "show",
        "cve",
        "bad traffic",
        "false",
        "error",
        "tags",
        "ipv4",
        "url https",
        "url http",
        "search",
        "type indicator",
        "role title",
        "added active",
        "related pulses",
        "entries",
        "monitor",
        "target",
        "members",
        "maas",
        "attack",
        "mitre att"
      ],
      "references": [
        "RANSOM_REvil - https://www.nextron-systems.com/notes-on-virustotal-matches/",
        "YARA:  Matches rule MAL_RANSOM_REvil_Oct20_1 from ruleset crime_ransom_revil by Florian Roth (Nextron Systems)",
        "YARA: Matches rule Windows_Ransomware_Sodinokibi_83f05fbe from ruleset Windows_Ransomware_Sodinokibi by Elastic Security",
        "YARA: Matches rule win_revil_auto from ruleset win.revil_auto by Felix Bilstein - yara-signator at cocacoding dot com",
        "https://otx.alienvault.com/malware/Ransom:Win32/Makop/",
        "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8",
        "https://www.hybrid-analysis.com/sample/cb33f3d60a715436ab49ab7968c5a31410d0cd6b9d141b41b2362c02b59e2913/5e68effaec3f2e3f0c5237b8",
        "Permissions requested: SE_DEBUG_PRIVILEGE SE_LOAD_DRIVER_PRIVILEGE",
        "Behaviour: Extract file to system directory"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Ransom:Win32/Makop.PA!MTB",
          "display_name": "Ransom:Win32/Makop.PA!MTB",
          "target": "/malware/Ransom:Win32/Makop.PA!MTB"
        },
        {
          "id": "Trojan/Win32.BlueCrab.R331768",
          "display_name": "Trojan/Win32.BlueCrab.R331768",
          "target": null
        },
        {
          "id": "Trojan.Ransom.Sodinokibi",
          "display_name": "Trojan.Ransom.Sodinokibi",
          "target": null
        },
        {
          "id": "Emotet",
          "display_name": "Emotet",
          "target": null
        },
        {
          "id": "Virus.Neshta",
          "display_name": "Virus.Neshta",
          "target": null
        },
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "RANSOM_REvil",
          "display_name": "RANSOM_REvil",
          "target": null
        },
        {
          "id": "Labeled as: Ransom.Sodinokibi.Generic",
          "display_name": "Labeled as: Ransom.Sodinokibi.Generic",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1035",
          "name": "Service Execution",
          "display_name": "T1035 - Service Execution"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1179",
          "name": "Hooking",
          "display_name": "T1179 - Hooking"
        },
        {
          "id": "T1215",
          "name": "Kernel Modules and Extensions",
          "display_name": "T1215 - Kernel Modules and Extensions"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1181",
          "name": "Extra Window Memory Injection",
          "display_name": "T1181 - Extra Window Memory Injection"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "TA0002",
          "name": "Execution",
          "display_name": "TA0002 - Execution"
        },
        {
          "id": "TA0010",
          "name": "Exfiltration",
          "display_name": "TA0010 - Exfiltration"
        },
        {
          "id": "TA0008",
          "name": "Lateral Movement",
          "display_name": "TA0008 - Lateral Movement"
        },
        {
          "id": "TA0009",
          "name": "Collection",
          "display_name": "TA0009 - Collection"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 28,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 99,
        "FileHash-SHA1": 85,
        "FileHash-SHA256": 110,
        "URL": 83,
        "CVE": 1,
        "domain": 102,
        "hostname": 36
      },
      "indicator_count": 516,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "321 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65707c3be05f3a7ea9e654d4",
      "name": "Kaseya VSA REvil Indicators",
      "description": "",
      "modified": "2023-12-06T13:50:51.719000",
      "created": "2023-12-06T13:50:51.719000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 15,
        "FileHash-SHA1": 15,
        "FileHash-SHA256": 16,
        "URL": 1,
        "domain": 1178,
        "hostname": 5,
        "YARA": 4
      },
      "indicator_count": 1234,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "906 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65707bedc2fbc934427f325c",
      "name": "Kaseya VSA REvil Indicators",
      "description": "",
      "modified": "2023-12-06T13:49:33.291000",
      "created": "2023-12-06T13:49:33.291000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 15,
        "FileHash-SHA1": 15,
        "FileHash-SHA256": 16,
        "URL": 1,
        "domain": 1179,
        "hostname": 5,
        "YARA": 4
      },
      "indicator_count": 1235,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "906 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62cbdddd1fc2e2956bfacda5",
      "name": "vvvvv",
      "description": "The internet is full of people, but not everyone wants to see it, so here's a look at some of the more eye-catching snippets from the past few days:..com.",
      "modified": "2022-08-10T00:00:07.214000",
      "created": "2022-07-11T08:22:53.511000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "leiwen15",
        "id": "157128",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 3662,
        "URL": 250,
        "domain": 1592,
        "FileHash-MD5": 4,
        "email": 2
      },
      "indicator_count": 5510,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 41,
      "modified_text": "1390 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62cbdde0447b9617f24a8901",
      "name": "vvvvv",
      "description": "The internet is full of people, but not everyone wants to see it, so here's a look at some of the more eye-catching snippets from the past few days:..com.",
      "modified": "2022-08-10T00:00:07.214000",
      "created": "2022-07-11T08:22:56.693000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "leiwen15",
        "id": "157128",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 3662,
        "URL": 250,
        "domain": 1592,
        "FileHash-MD5": 4,
        "email": 2
      },
      "indicator_count": 5510,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 41,
      "modified_text": "1390 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62cbddf0c4709eb7b4d0fb94",
      "name": "data of hhh",
      "description": "The internet is full of people, but not everyone wants to see it, so here's a look at some of the more eye-catching snippets from the past few days:..com.",
      "modified": "2022-08-10T00:00:07.214000",
      "created": "2022-07-11T08:23:12.624000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "leiwen15",
        "id": "157128",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 3662,
        "URL": 250,
        "domain": 1592,
        "FileHash-MD5": 4,
        "email": 2
      },
      "indicator_count": 5510,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 44,
      "modified_text": "1390 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "60df80a7a665c1dd6baf7753",
      "name": "Kaseya VSA REvil Indicators",
      "description": "",
      "modified": "2022-02-18T14:52:05.251000",
      "created": "2021-07-02T21:09:59.361000",
      "tags": [
        "REvil",
        "Kaseya",
        "VSA Server",
        "ransomware"
      ],
      "references": [
        "https://www.virustotal.com/gui/file/d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e/details",
        "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers",
        "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-200-companies-in-msp-supply-chain-attack/",
        "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b",
        "https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/",
        "https://gist.github.com/fwosar/a63e1249bfccb8395b961d3d780c0354",
        "https://docs.google.com/spreadsheets/d/11AFPdK5A-7g484lfc0HmXdBrZpYI-Jhx4N1VwFXrcrQ/edit#gid=1201846661",
        "https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident?utm_campaign=CY21-Q3-RapidResponse-KaseyaVSA&utm_medium=email&_hsmi=138021297&_hsenc=p2ANqtz--HvqdKyS4A0PNoXQXXy44zns31VXVSOFaz97KXwFQMvl-wiRhktYL4l036tl-r5zmeY3RRVzgz2GqtktDCLPLQ8gB8vg&utm_content=138021297&utm_source=hs_email",
        "https://github.com/Neo23x0/signature-base/blob/master/yara/crime_revil_general.yar"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "REvil",
          "display_name": "REvil",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 63,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "vthelpdesk",
        "id": "1766",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_1766/resized/80/avatar_0be7a35fab.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 15,
        "FileHash-SHA1": 15,
        "FileHash-SHA256": 16,
        "URL": 1,
        "domain": 1179,
        "hostname": 5,
        "YARA": 4
      },
      "indicator_count": 1235,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 624,
      "modified_text": "1562 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "slashdb.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "slashdb.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780211757.5425162
}