{
  "type": "Domain",
  "indicator": "tableofcolorize.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/tableofcolorize.com",
    "alexa": "http://www.alexa.com/siteinfo/tableofcolorize.com",
    "indicator": "tableofcolorize.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2601816960,
      "indicator": "tableofcolorize.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "63a5a3d0765aef678afbc794",
          "name": "Fin7 Unveiled: A deep dive into notorious cybercrime gang",
          "description": "The highly active threat group FIN7 has been continuously broadening their cybercrime horizons and recently added ransomware to its attack arsenal. The FIN7 group is known to hold a notorious status due to their achievement in deploying extensive backdoors by leveraging software supply chains, distributing malicious USB sticks, and cooperating with other groups.\n\nThe PTI team obtained visibility into the inner workings of the FIN7 threat group and managed to gain information about their organizational structures, identities, attack vectors, infrastructures, proof-supported affiliations with other ransomware groups (such as DarkSide, who were behind the Colonial Pipeline attack in 2021), victim targeting, and other relevant observations. All of the findings are supported by translated conversations among the members of FIN7, including screenshots of their infrastructures.",
          "modified": "2022-12-23T12:49:19.867000",
          "created": "2022-12-23T12:49:19.867000",
          "tags": [
            "Fin7",
            "APT"
          ],
          "references": [
            "https://www.prodaft.com/resource/detail/fin7-unveiled-deep-dive-notorious-cybercrime-gang"
          ],
          "public": 1,
          "adversary": "FIN7",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1427",
              "name": "Attack PC via USB Connection",
              "display_name": "T1427 - Attack PC via USB Connection"
            },
            {
              "id": "T1020",
              "name": "Automated Exfiltration",
              "display_name": "T1020 - Automated Exfiltration"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            }
          ],
          "industries": [
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 417,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 224,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "domain": 18
          },
          "indicator_count": 254,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387182,
          "modified_text": "1258 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "5f4fd46ac0f4e7ee5448bd40",
          "name": "OpBlueRaven: Unveiling Fin7/Carbanak - Part II: BadUSB Attacks",
          "description": "This article aims to provide its readers with the details about the PRODAFT & INVICTUS Threat Intelligence (PTI) team's latest operation on different threat actors, who have been detected to be working in cooperation with the notorious FIN7 APT group.\n\nWe appreciate all your support after the first part of this series. Before disclosing the relationship between Fin7 and REvil groups, we are trying to reach the ransomware victims. Until reaching all necessary parties, we will continue to publish articles about FIN7 attackers' tools.",
          "modified": "2020-10-02T00:04:12.395000",
          "created": "2020-09-02T17:20:42.241000",
          "tags": [
            "FIN7",
            "Carbanak",
            "BadUSB",
            "Bella RAT",
            "Tirion Loader",
            "macOS"
          ],
          "references": [
            "https://threatintel.blog/OPBlueRaven-Part2/",
            "https://threatintel.blog/OPBlueRaven-Part1/",
            "https://github.com/kdaoudieh/Bella"
          ],
          "public": 1,
          "adversary": "FIN7",
          "targeted_countries": [
            "United States of America",
            "United Kingdom of Great Britain and Northern Ireland",
            "Germany",
            "Russian Federation",
            "Spain",
            "Sweden",
            "Switzerland",
            "Israel",
            "Italy",
            "Mexico",
            "Netherlands",
            "Panama",
            "Poland",
            "Chile",
            "Slovakia"
          ],
          "malware_families": [
            {
              "id": "Carbanak - S0030",
              "display_name": "Carbanak - S0030",
              "target": null
            },
            {
              "id": "Bella RAT",
              "display_name": "Bella RAT",
              "target": null
            },
            {
              "id": "BadUSB",
              "display_name": "BadUSB",
              "target": null
            },
            {
              "id": "Tirion Loader",
              "display_name": "Tirion Loader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1544",
              "name": "Remote File Copy",
              "display_name": "T1544 - Remote File Copy"
            },
            {
              "id": "T1021.005",
              "name": "VNC",
              "display_name": "T1021.005 - VNC"
            },
            {
              "id": "T1543.001",
              "name": "Launch Agent",
              "display_name": "T1543.001 - Launch Agent"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1503",
              "name": "Credentials from Web Browsers",
              "display_name": "T1503 - Credentials from Web Browsers"
            },
            {
              "id": "T1555.001",
              "name": "Keychain",
              "display_name": "T1555.001 - Keychain"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 106,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 16
          },
          "indicator_count": 16,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387187,
          "modified_text": "2070 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6570a95fe06cf530cc818c1d",
          "name": "telus",
          "description": "",
          "modified": "2023-12-06T17:03:27.122000",
          "created": "2023-12-06T17:03:27.122000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 165,
            "FileHash-SHA256": 1395,
            "domain": 335,
            "FileHash-MD5": 211,
            "CVE": 2,
            "URL": 288,
            "email": 2,
            "FileHash-SHA1": 210
          },
          "indicator_count": 2608,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "910 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6536fe7706b7eeaa7ab5c271",
          "name": "CVE-2005-0068",
          "description": "A summary of the major vulnerabilities in the ICMP software, published by the Australian government on 1 January 2008.. the first such vulnerability to be identified in this year's Security Research Review (SSR).",
          "modified": "2023-11-28T06:04:19.908000",
          "created": "2023-10-23T23:15:03.507000",
          "tags": [
            "icmp",
            "icmp error",
            "split",
            "files",
            "exploits",
            "targeted",
            "cve overview",
            "source quench",
            "path mtu",
            "cve20040791"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 26,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ellenmmm",
            "id": "233693",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 7,
            "URL": 1768,
            "hostname": 1200,
            "FileHash-SHA256": 6469,
            "domain": 2139,
            "email": 25,
            "FileHash-MD5": 1296,
            "FileHash-SHA1": 1287,
            "JA3": 2
          },
          "indicator_count": 14193,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 88,
          "modified_text": "918 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "652b3919f60aaaa67d88549a",
          "name": "telus",
          "description": "",
          "modified": "2023-11-14T03:02:47.742000",
          "created": "2023-10-15T00:58:01.569000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 3,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ellenmmm",
            "id": "233693",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "hostname": 176,
            "domain": 352,
            "URL": 299,
            "email": 4,
            "FileHash-SHA256": 2403,
            "FileHash-MD5": 411,
            "FileHash-SHA1": 410
          },
          "indicator_count": 4057,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 81,
          "modified_text": "932 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a5853cb404df6b28317dcd",
          "name": "FIN7 Group IOC",
          "description": "These IOCs were released as part of our threat intelligence research on the FIN7 Group. The PRODAFT Threat Intelligence team detected and gained visibility into FIN7 Group's infrastructure and analyzed its findings to gain insight into how the criminal operation works. The data captured by the PTI team contains information about attack tools used by the FIN7 group, various backup files, and conversation history.",
          "modified": "2023-01-22T10:00:21.736000",
          "created": "2022-12-23T10:38:52.603000",
          "tags": [
            "FIN7",
            "Trion",
            "Lizar",
            "Carbanak",
            "Cobalt-Strike"
          ],
          "references": [
            "https://www.prodaft.com/resource/detail/fin7-unveiled-deep-dive-notorious-cybercrime-gang"
          ],
          "public": 1,
          "adversary": "FIN7",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 47,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PRODAFT_",
            "id": "176319",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_176319/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 224,
            "domain": 18
          },
          "indicator_count": 254,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 47,
          "modified_text": "1228 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a578863e371eed4c2c7b3d",
          "name": "FIN7 Unveiled A deep dive into notorious cybercrime gang",
          "description": "The highly active threat group FIN7 has been continuously broadening their cybercrime\nhorizons and recently added ransomware to its attack arsenal.",
          "modified": "2023-01-22T09:03:12.640000",
          "created": "2022-12-23T09:44:38.015000",
          "tags": [
            "fin7"
          ],
          "references": [
            "https://www.prodaft.com/m/reports/FIN7_TLPCLEAR.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 61,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4,
            "CVE": 5,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 224,
            "domain": 19,
            "hostname": 2
          },
          "indicator_count": 266,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "1228 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a4ca5cb994048c0093832d",
          "name": "FIN7 Unveiled A deep dive into notorious cybercrime gang",
          "description": "The highly active threat group FIN7 has been continuously broadening their cybercrime horizons and recently added ransomware to its attack arsenal. They are known to hold a notorious status due to their achievement in deploying extensive backdoors in leveraging software supply chains, distributing malicious USB sticks, and cooperating with other groups. Nowadays, its initial approach is to carefully pick high-value companies from the pool of\nalready compromised enterprise systems and force them to pay large ransoms to restore their data or seek unique ways to monetize the data and remote access.",
          "modified": "2023-01-21T21:02:50.642000",
          "created": "2022-12-22T21:21:32.769000",
          "tags": [
            "threatactor/fin7"
          ],
          "references": [
            "[FIN7] Fin7 Unveiled_ A deep dive into notorious cybercrime gang.pdf"
          ],
          "public": 1,
          "adversary": "FIN7",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "eric.ford",
            "id": "42510",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 5,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 224,
            "URL": 6,
            "domain": 19,
            "hostname": 3
          },
          "indicator_count": 269,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 135,
          "modified_text": "1228 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a558530bba6d960539402f",
          "name": "FIN7 Unveiled A deep dive into notorious cybercrime gang",
          "description": "",
          "modified": "2023-01-21T21:02:50.642000",
          "created": "2022-12-23T07:27:15.789000",
          "tags": [
            "threatactor/fin7"
          ],
          "references": [
            "[FIN7] Fin7 Unveiled_ A deep dive into notorious cybercrime gang.pdf"
          ],
          "public": 1,
          "adversary": "FIN7",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "63a4ca5cb994048c0093832d",
          "export_count": 56,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "santravault1",
            "id": "217419",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217419/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 5,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 224,
            "URL": 6,
            "domain": 19,
            "hostname": 3
          },
          "indicator_count": 269,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 76,
          "modified_text": "1228 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "61d615a3fa213074f805deaa",
          "name": "OpBlueRaven IOC",
          "description": "These IOCs were released as part of our threat intelligence research on the OpBlueRaven. Between the months of May and July 2020; four members of PRODAFT Threat Intelligence team have conducted operation BlueRaven. A case study which originated from discovering a minor OpSec failure of a seemingly unimportant group of threat actors. Of course these threat actors have later been found to have ties with the notorious Fin7 / Carbanak threat actors. The full report will be available in references.",
          "modified": "2022-02-04T00:00:10.799000",
          "created": "2022-01-05T22:03:15.460000",
          "tags": [
            "carbanak",
            "backdoor"
          ],
          "references": [
            "https://threatintel.blog/OPBlueRaven-Part1/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Carbanak",
              "display_name": "Carbanak",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PRODAFT_",
            "id": "176319",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_176319/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 425,
            "domain": 16
          },
          "indicator_count": 441,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 44,
          "modified_text": "1580 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.prodaft.com/m/reports/FIN7_TLPCLEAR.pdf",
        "https://github.com/kdaoudieh/Bella",
        "https://threatintel.blog/OPBlueRaven-Part1/",
        "https://www.prodaft.com/resource/detail/fin7-unveiled-deep-dive-notorious-cybercrime-gang",
        "https://threatintel.blog/OPBlueRaven-Part2/",
        "[FIN7] Fin7 Unveiled_ A deep dive into notorious cybercrime gang.pdf"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "FIN7"
          ],
          "malware_families": [
            "Tirion loader",
            "Bella rat",
            "Badusb",
            "Carbanak - s0030"
          ],
          "industries": [
            "Finance"
          ]
        },
        "other": {
          "adversary": [
            "FIN7"
          ],
          "malware_families": [
            "Carbanak"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "63a5a3d0765aef678afbc794",
      "name": "Fin7 Unveiled: A deep dive into notorious cybercrime gang",
      "description": "The highly active threat group FIN7 has been continuously broadening their cybercrime horizons and recently added ransomware to its attack arsenal. The FIN7 group is known to hold a notorious status due to their achievement in deploying extensive backdoors by leveraging software supply chains, distributing malicious USB sticks, and cooperating with other groups.\n\nThe PTI team obtained visibility into the inner workings of the FIN7 threat group and managed to gain information about their organizational structures, identities, attack vectors, infrastructures, proof-supported affiliations with other ransomware groups (such as DarkSide, who were behind the Colonial Pipeline attack in 2021), victim targeting, and other relevant observations. All of the findings are supported by translated conversations among the members of FIN7, including screenshots of their infrastructures.",
      "modified": "2022-12-23T12:49:19.867000",
      "created": "2022-12-23T12:49:19.867000",
      "tags": [
        "Fin7",
        "APT"
      ],
      "references": [
        "https://www.prodaft.com/resource/detail/fin7-unveiled-deep-dive-notorious-cybercrime-gang"
      ],
      "public": 1,
      "adversary": "FIN7",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1427",
          "name": "Attack PC via USB Connection",
          "display_name": "T1427 - Attack PC via USB Connection"
        },
        {
          "id": "T1020",
          "name": "Automated Exfiltration",
          "display_name": "T1020 - Automated Exfiltration"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        }
      ],
      "industries": [
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 417,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 224,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "domain": 18
      },
      "indicator_count": 254,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387182,
      "modified_text": "1258 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "5f4fd46ac0f4e7ee5448bd40",
      "name": "OpBlueRaven: Unveiling Fin7/Carbanak - Part II: BadUSB Attacks",
      "description": "This article aims to provide its readers with the details about PRODAFT & INVICTUS Threat Intelligence (PTI) team's latest operation on different threat actors, who have been detected to be working in cooperation with the notorious FIN7 APT group.\n\nWe appreciate all your support after the first part of this series. Before disclosing the relationship between Fin7 and REvil groups, we are trying to reach the ransomware victims. Until reaching all necessary parties, we will continue to publish articles about FIN7 attackers' tools.",
      "modified": "2020-10-02T00:04:12.395000",
      "created": "2020-09-02T17:20:42.241000",
      "tags": [
        "FIN7",
        "Carbanak",
        "BadUSB",
        "Bella RAT",
        "Tirion Loader",
        "macOS"
      ],
      "references": [
        "https://threatintel.blog/OPBlueRaven-Part2/",
        "https://threatintel.blog/OPBlueRaven-Part1/",
        "https://github.com/kdaoudieh/Bella"
      ],
      "public": 1,
      "adversary": "FIN7",
      "targeted_countries": [
        "United States of America",
        "United Kingdom of Great Britain and Northern Ireland",
        "Germany",
        "Russian Federation",
        "Spain",
        "Sweden",
        "Switzerland",
        "Israel",
        "Italy",
        "Mexico",
        "Netherlands",
        "Panama",
        "Poland",
        "Chile",
        "Slovakia"
      ],
      "malware_families": [
        {
          "id": "Carbanak - S0030",
          "display_name": "Carbanak - S0030",
          "target": null
        },
        {
          "id": "Bella RAT",
          "display_name": "Bella RAT",
          "target": null
        },
        {
          "id": "BadUSB",
          "display_name": "BadUSB",
          "target": null
        },
        {
          "id": "Tirion Loader",
          "display_name": "Tirion Loader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1544",
          "name": "Remote File Copy",
          "display_name": "T1544 - Remote File Copy"
        },
        {
          "id": "T1021.005",
          "name": "VNC",
          "display_name": "T1021.005 - VNC"
        },
        {
          "id": "T1543.001",
          "name": "Launch Agent",
          "display_name": "T1543.001 - Launch Agent"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1503",
          "name": "Credentials from Web Browsers",
          "display_name": "T1503 - Credentials from Web Browsers"
        },
        {
          "id": "T1555.001",
          "name": "Keychain",
          "display_name": "T1555.001 - Keychain"
        },
        {
          "id": "T1123",
          "name": "Audio Capture",
          "display_name": "T1123 - Audio Capture"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 106,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 16
      },
      "indicator_count": 16,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387187,
      "modified_text": "2070 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6570a95fe06cf530cc818c1d",
      "name": "telus",
      "description": "",
      "modified": "2023-12-06T17:03:27.122000",
      "created": "2023-12-06T17:03:27.122000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 165,
        "FileHash-SHA256": 1395,
        "domain": 335,
        "FileHash-MD5": 211,
        "CVE": 2,
        "URL": 288,
        "email": 2,
        "FileHash-SHA1": 210
      },
      "indicator_count": 2608,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 110,
      "modified_text": "910 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6536fe7706b7eeaa7ab5c271",
      "name": "CVE-2005-0068",
      "description": "A summary of the major vulnerabilities in the ICMP software, published by the Australian government on 1 January 2008; the first such vulnerability to be identified in this year's Security Research Review (SSR).",
      "modified": "2023-11-28T06:04:19.908000",
      "created": "2023-10-23T23:15:03.507000",
      "tags": [
        "icmp",
        "icmp error",
        "split",
        "files",
        "exploits",
        "targeted",
        "cve overview",
        "source quench",
        "path mtu",
        "cve20040791"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 26,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ellenmmm",
        "id": "233693",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 7,
        "URL": 1768,
        "hostname": 1200,
        "FileHash-SHA256": 6469,
        "domain": 2139,
        "email": 25,
        "FileHash-MD5": 1296,
        "FileHash-SHA1": 1287,
        "JA3": 2
      },
      "indicator_count": 14193,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 88,
      "modified_text": "918 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "652b3919f60aaaa67d88549a",
      "name": "telus",
      "description": "",
      "modified": "2023-11-14T03:02:47.742000",
      "created": "2023-10-15T00:58:01.569000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 3,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ellenmmm",
        "id": "233693",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "hostname": 176,
        "domain": 352,
        "URL": 299,
        "email": 4,
        "FileHash-SHA256": 2403,
        "FileHash-MD5": 411,
        "FileHash-SHA1": 410
      },
      "indicator_count": 4057,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 81,
      "modified_text": "932 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a5853cb404df6b28317dcd",
      "name": "FIN7 Group IOC",
      "description": "These IOCs were released as part of our threat intelligence research on the FIN7 Group. The PRODAFT Threat Intelligence team detected and gained visibility into FIN7 Group's infrastructure and analyzed its findings to gain insight into how the criminal operation works. The data captured by the PTI team contains information about attack tools used by the FIN7 group, various backup files, and conversation history.",
      "modified": "2023-01-22T10:00:21.736000",
      "created": "2022-12-23T10:38:52.603000",
      "tags": [
        "FIN7",
        "Trion",
        "Lizar",
        "Carbanak",
        "Cobalt-Strike"
      ],
      "references": [
        "https://www.prodaft.com/resource/detail/fin7-unveiled-deep-dive-notorious-cybercrime-gang"
      ],
      "public": 1,
      "adversary": "FIN7",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 47,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PRODAFT_",
        "id": "176319",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_176319/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 224,
        "domain": 18
      },
      "indicator_count": 254,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 47,
      "modified_text": "1228 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a578863e371eed4c2c7b3d",
      "name": "FIN7 Unveiled A deep dive into notorious cybercrime gang",
      "description": "The highly active threat group FIN7 has been continuously broadening their cybercrime horizons and recently added ransomware to its attack arsenal.",
      "modified": "2023-01-22T09:03:12.640000",
      "created": "2022-12-23T09:44:38.015000",
      "tags": [
        "fin7"
      ],
      "references": [
        "https://www.prodaft.com/m/reports/FIN7_TLPCLEAR.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 61,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4,
        "CVE": 5,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 224,
        "domain": 19,
        "hostname": 2
      },
      "indicator_count": 266,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "1228 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a4ca5cb994048c0093832d",
      "name": "FIN7 Unveiled A deep dive into notorious cybercrime gang",
      "description": "The highly active threat group FIN7 has been continuously broadening their cybercrime horizons and recently added ransomware to its attack arsenal. They are known to hold a notorious status due to their achievement in deploying extensive backdoors in leveraging software supply chains, distributing malicious USB sticks, and cooperating with other groups. Nowadays, its initial approach is to carefully pick high-value companies from the pool of already compromised enterprise systems and force them to pay large ransoms to restore their data or seek unique ways to monetize the data and remote access.",
      "modified": "2023-01-21T21:02:50.642000",
      "created": "2022-12-22T21:21:32.769000",
      "tags": [
        "threatactor/fin7"
      ],
      "references": [
        "[FIN7] Fin7 Unveiled_ A deep dive into notorious cybercrime gang.pdf"
      ],
      "public": 1,
      "adversary": "FIN7",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "eric.ford",
        "id": "42510",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 5,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 224,
        "URL": 6,
        "domain": 19,
        "hostname": 3
      },
      "indicator_count": 269,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 135,
      "modified_text": "1228 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a558530bba6d960539402f",
      "name": "FIN7 Unveiled A deep dive into notorious cybercrime gang",
      "description": "",
      "modified": "2023-01-21T21:02:50.642000",
      "created": "2022-12-23T07:27:15.789000",
      "tags": [
        "threatactor/fin7"
      ],
      "references": [
        "[FIN7] Fin7 Unveiled_ A deep dive into notorious cybercrime gang.pdf"
      ],
      "public": 1,
      "adversary": "FIN7",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "63a4ca5cb994048c0093832d",
      "export_count": 56,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "santravault1",
        "id": "217419",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217419/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 5,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 224,
        "URL": 6,
        "domain": 19,
        "hostname": 3
      },
      "indicator_count": 269,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 76,
      "modified_text": "1228 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "61d615a3fa213074f805deaa",
      "name": "OpBlueRaven IOC",
      "description": "These IOCs were released as part of our threat intelligence research on OpBlueRaven. Between May and July 2020, four members of the PRODAFT Threat Intelligence team conducted operation BlueRaven, a case study which originated from discovering a minor OpSec failure of a seemingly unimportant group of threat actors. Of course, these threat actors were later found to have ties with the notorious Fin7 / Carbanak threat actors. The full report will be available in the references.",
      "modified": "2022-02-04T00:00:10.799000",
      "created": "2022-01-05T22:03:15.460000",
      "tags": [
        "carbanak",
        "backdoor"
      ],
      "references": [
        "https://threatintel.blog/OPBlueRaven-Part1/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Carbanak",
          "display_name": "Carbanak",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PRODAFT_",
        "id": "176319",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_176319/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 425,
        "domain": 16
      },
      "indicator_count": 441,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 44,
      "modified_text": "1580 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "tableofcolorize.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "tableofcolorize.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780518745.0897472
}