{
  "type": "Domain",
  "indicator": "treepledeeple.fun",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/treepledeeple.fun",
    "alexa": "http://www.alexa.com/siteinfo/treepledeeple.fun",
    "indicator": "treepledeeple.fun",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3754659781,
      "indicator": "treepledeeple.fun",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "6531428c62ae987b76cc3191",
          "name": "Various actors actively deploying Lumma Stealer in multiple campaigns",
          "description": "A report on Lumma Stealer, a malware-as-a-service sold through Telegram and Russian-speaking forums, has been published by the European Union's cyber security agency, Intrinsec.",
          "modified": "2023-11-18T13:04:00.664000",
          "created": "2023-10-19T14:51:55.979000",
          "tags": [
            "lummac2",
            "smokeloader",
            "lumma",
            "c++"
          ],
          "references": [
            "https://www.intrinsec.com/wp-content/uploads/2023/10/TLP-CLEAR-Lumma-Stealer-EN-Information-report.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "SmokeLoader",
              "display_name": "SmokeLoader",
              "target": null
            },
            {
              "id": "Lumma",
              "display_name": "Lumma",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 469,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 26,
            "hostname": 3,
            "FileHash-SHA256": 7
          },
          "indicator_count": 36,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386539,
          "modified_text": "925 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6556482eb25b2b4ee1c8707a",
          "name": "Various actors actively deploying Lumma Stealer in multiple campaigns",
          "description": "",
          "modified": "2023-11-18T13:04:00.664000",
          "created": "2023-11-16T16:49:50.693000",
          "tags": [
            "lummac2",
            "smokeloader",
            "lumma",
            "c++"
          ],
          "references": [
            "https://www.intrinsec.com/wp-content/uploads/2023/10/TLP-CLEAR-Lumma-Stealer-EN-Information-report.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "SmokeLoader",
              "display_name": "SmokeLoader",
              "target": null
            },
            {
              "id": "Lumma",
              "display_name": "Lumma",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6531428c62ae987b76cc3191",
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "feisty-swim1410",
            "id": "217462",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 26,
            "hostname": 3,
            "FileHash-SHA256": 7
          },
          "indicator_count": 36,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "925 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65257e446d8d98dd89f31a97",
          "name": "Silent Push maps over 150 new Lumma C2 infostealer IOCs — Silent Push Threat Intelligence",
          "description": "As revealed by Silent Push's recent investigation, Lumma, an information stealer, has an extensive command and control infrastructure with over 150 previously unidentified servers. The research also unveiled an interesting, unique connection to the historical Russian poet Sergei Yesenin, which aided the identification of several servers. Threat actors typically deliver Lumma through spear-phishing and malvertisement campaigns. This report delves deep into Lumma's tactics and potential risks and offers actionable recommendations for organizations.",
          "modified": "2023-11-09T16:03:45.009000",
          "created": "2023-10-10T16:39:32.747000",
          "tags": [],
          "references": [
            "https://www.silentpush.com/blog/lummac2"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma",
              "display_name": "Lumma",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "99gmotor",
            "id": "234776",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1,
            "domain": 84,
            "hostname": 1
          },
          "indicator_count": 86,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 46,
          "modified_text": "933 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.intrinsec.com/wp-content/uploads/2023/10/TLP-CLEAR-Lumma-Stealer-EN-Information-report.pdf",
        "https://www.silentpush.com/blog/lummac2"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Lumma",
            "Smokeloader"
          ],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Lumma",
            "Smokeloader"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "6531428c62ae987b76cc3191",
      "name": "Various actors actively deploying Lumma Stealer in multiple campaigns",
      "description": "A report on Lumma Stealer, a malware-as-a-service sold through Telegram and Russian-speaking forums, has been published by the European Union's cyber security agency, Intrinsec.",
      "modified": "2023-11-18T13:04:00.664000",
      "created": "2023-10-19T14:51:55.979000",
      "tags": [
        "lummac2",
        "smokeloader",
        "lumma",
        "c++"
      ],
      "references": [
        "https://www.intrinsec.com/wp-content/uploads/2023/10/TLP-CLEAR-Lumma-Stealer-EN-Information-report.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "SmokeLoader",
          "display_name": "SmokeLoader",
          "target": null
        },
        {
          "id": "Lumma",
          "display_name": "Lumma",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 469,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 26,
        "hostname": 3,
        "FileHash-SHA256": 7
      },
      "indicator_count": 36,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386539,
      "modified_text": "925 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6556482eb25b2b4ee1c8707a",
      "name": "Various actors actively deploying Lumma Stealer in multiple campaigns",
      "description": "",
      "modified": "2023-11-18T13:04:00.664000",
      "created": "2023-11-16T16:49:50.693000",
      "tags": [
        "lummac2",
        "smokeloader",
        "lumma",
        "c++"
      ],
      "references": [
        "https://www.intrinsec.com/wp-content/uploads/2023/10/TLP-CLEAR-Lumma-Stealer-EN-Information-report.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "SmokeLoader",
          "display_name": "SmokeLoader",
          "target": null
        },
        {
          "id": "Lumma",
          "display_name": "Lumma",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "6531428c62ae987b76cc3191",
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "feisty-swim1410",
        "id": "217462",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 26,
        "hostname": 3,
        "FileHash-SHA256": 7
      },
      "indicator_count": 36,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "925 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65257e446d8d98dd89f31a97",
      "name": "Silent Push maps over 150 new Lumma C2 infostealer IOCs — Silent Push Threat Intelligence",
      "description": "As revealed by Silent Push's recent investigation, Lumma, an information stealer, has an extensive command and control infrastructure with over 150 previously unidentified servers. The research also unveiled an interesting, unique connection to the historical Russian poet Sergei Yesenin, which aided the identification of several servers. Threat actors typically deliver Lumma through spear-phishing and malvertisement campaigns. This report delves deep into Lumma's tactics and potential risks and offers actionable recommendations for organizations.",
      "modified": "2023-11-09T16:03:45.009000",
      "created": "2023-10-10T16:39:32.747000",
      "tags": [],
      "references": [
        "https://www.silentpush.com/blog/lummac2"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma",
          "display_name": "Lumma",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "99gmotor",
        "id": "234776",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1,
        "domain": 84,
        "hostname": 1
      },
      "indicator_count": 86,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 46,
      "modified_text": "933 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "treepledeeple.fun",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "treepledeeple.fun",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780237399.0574222
}