{ "type": "Domain", "indicator": "vaultdocker.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/vaultdocker.com", "alexa": "http://www.alexa.com/siteinfo/vaultdocker.com", "indicator": "vaultdocker.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3998845417, "indicator": "vaultdocker.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "6722a8e21adc9ea3cc28ec74", "name": "Strela Stealer Targets Europe Stealthily Via WebDav", "description": "Strela Stealer, first identified by DCSO in late 2022, is a type of information-stealing malware primarily designed to exfiltrate email account credentials from widely used email clients, including Microsoft Outlook and Mozilla Thunderbird. This malware initially targeted Spanish-speaking users through spam email campaigns containing malicious ISO attachments, which included a .lnk file and a polyglot file. When executed, the .lnk file triggered the polyglot file, executing both the lure html and Strela stealer DLL using \u201crundll32.exe\u201d.", "modified": "2024-11-29T21:03:08.719000", "created": "2024-10-30T21:45:05.691000", "tags": [ "zip file", "webdav server", "dll file", "javascript code", "powershell", "webdav", "phishing", "strela", "infostealer" ], "references": [ "https://cyble.com/blog/strela-stealer-targets-europe-stealthily-via-webdav/" ], "public": 1, "adversary": "", "targeted_countries": [ "Germany", "Spain" ], "malware_families": [ { "id": "Strela", "display_name": "Strela", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [ "Healthcare", "Pharmaceuticals", "Financial Services", "Retail", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 131, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 4, "FileHash-SHA256": 97, "domain": 5 }, "indicator_count": 111, "is_author": false, "is_subscribing": null, "subscriber_count": 387118, "modified_text": "550 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672c1507b2a5f99d7b19a3eb", "name": "Strela Stealer Introduces New Tool for Credential Theft", "description": "Hashes, passwords and other data are the main sources of information on the internet, but what do we know about them and what can we do about their use?-a-gathering?", "modified": "2024-12-07T01:06:02.176000", "created": "2024-11-07T01:16:55.498000", "tags": [ "classification", "confidential", "cyber", "threat", "november", "time", "crypto cyber", "defence", "ipv4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 93, "FileHash-SHA1": 93, "FileHash-SHA256": 93, "domain": 5 }, "indicator_count": 284, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6723083f0bc90f78112446ca", "name": "Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users", "description": "A security researcher discovered an open directory hosting malware that could have been used to target TradingView users, as well as other cyber espionage and data theft campaigns.. . the BBC News website", "modified": "2024-11-30T04:01:05.269000", "created": "2024-10-31T04:31:59.122000", "tags": [ "open directory", "rekoobe", "discovered", "strong", "tradingview", "ip address", "figure", "hunt", "ctg server", "warm", "light", "code", "malware", "august", "python", "noodle", "strela stealer", "zip file", "javascript file", "webdav server", "dll file", "spain", "command", "javascript code", "c server", "germany", "powershell", "webdav", "april", "next", "phishing" ], "references": [ "https://hunt.io/blog/rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users#Conclusion", "https://cyble.com/blog/strela-stealer-targets-europe-stealthily-via-webdav/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Noodle", "display_name": "Noodle", "target": null }, { "id": "Rekoobe", "display_name": "Rekoobe", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ChrisTan0", "id": "262536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 5, "FileHash-SHA256": 100, "URL": 1, "domain": 16, "hostname": 1, "CVE": 5 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "550 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672b86f6f66f3b49a862a871", "name": "ACTIVIDAD MALICIOSA | Relacionada con StrelaStealer 04-11-2024", "description": "StrelaStealer es un programa malicioso dise\u00f1ado para robar las credenciales de inicio de sesi\u00f3n de cuentas de correo electr\u00f3nico. Fue identificado por primera vez en noviembre de 2022 por los investigadores de DCSO CyTec. Este malware se dirige principalmente a los clientes de correo electr\u00f3nico Microsoft Outlook y Mozilla Thunderbird, y se distribuye a trav\u00e9s de correos electr\u00f3nicos de spam dirigidos a usuarios hispanohablantes. Una vez que infecta un sistema, StrelaStealer busca y extrae datos confidenciales, como nombres de usuario y contrase\u00f1as, almacenados en archivos y registros espec\u00edficos. La importancia de StrelaStealer radica en su capacidad para comprometer cuentas de correo electr\u00f3nico, lo que puede llevar a robo de identidad, p\u00e9rdidas financieras y acceso no autorizado a otros servicios conectados a trav\u00e9s de los correos electr\u00f3nicos. Para protegerse, se recomienda utilizar un software antivirus actualizado y ser cauteloso con los correos electr\u00f3nicos sospechosos.", "modified": "2024-11-06T15:10:46.144000", "created": "2024-11-06T15:10:46.144000", "tags": [ "access", "ta0001 initial", "ta0005 defense", "t1005 data", "local system", "t1012 query", "registry", "files", "over c2", "channel" ], "references": [ "https://darfe.es/ciberwiki/index.php?title=StrelaStealer", "https://www.virustotal.com/graph/embed/gbfc5ee98efbe46a08b751f0c1a7002163ad889524d574978ac55e2732b07094b?theme=light", "https://www.virustotal.com/gui/collection/b52c94c8a7d2b6ce74a9e7161a9254b34fe686fc69033fc7af6172cef94c629a" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Strela Stealer", "display_name": "Strela Stealer", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 19, "FileHash-SHA256": 19, "domain": 5 }, "indicator_count": 62, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "573 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://cyble.com/blog/strela-stealer-targets-europe-stealthily-via-webdav/", "https://hunt.io/blog/rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users#Conclusion", "https://www.virustotal.com/graph/embed/gbfc5ee98efbe46a08b751f0c1a7002163ad889524d574978ac55e2732b07094b?theme=light", "https://www.virustotal.com/gui/collection/b52c94c8a7d2b6ce74a9e7161a9254b34fe686fc69033fc7af6172cef94c629a", "https://darfe.es/ciberwiki/index.php?title=StrelaStealer" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Strela" ], "industries": [ "Retail", "Technology", "Healthcare", "Financial services", "Pharmaceuticals" ] }, "other": { "adversary": [], "malware_families": [ "Rekoobe", "Noodle", "Strela stealer" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "6722a8e21adc9ea3cc28ec74", "name": "Strela Stealer Targets Europe Stealthily Via WebDav", "description": "Strela Stealer, first identified by DCSO in late 2022, is a type of information-stealing malware primarily designed to exfiltrate email account credentials from widely used email clients, including Microsoft Outlook and Mozilla Thunderbird. This malware initially targeted Spanish-speaking users through spam email campaigns containing malicious ISO attachments, which included a .lnk file and a polyglot file. When executed, the .lnk file triggered the polyglot file, executing both the lure html and Strela stealer DLL using \u201crundll32.exe\u201d.", "modified": "2024-11-29T21:03:08.719000", "created": "2024-10-30T21:45:05.691000", "tags": [ "zip file", "webdav server", "dll file", "javascript code", "powershell", "webdav", "phishing", "strela", "infostealer" ], "references": [ "https://cyble.com/blog/strela-stealer-targets-europe-stealthily-via-webdav/" ], "public": 1, "adversary": "", "targeted_countries": [ "Germany", "Spain" ], "malware_families": [ { "id": "Strela", "display_name": "Strela", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [ "Healthcare", "Pharmaceuticals", "Financial Services", "Retail", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 131, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 4, "FileHash-SHA256": 97, "domain": 5 }, "indicator_count": 111, "is_author": false, "is_subscribing": null, "subscriber_count": 387118, "modified_text": "550 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672c1507b2a5f99d7b19a3eb", "name": "Strela Stealer Introduces New Tool for Credential Theft", "description": "Hashes, passwords and other data are the main sources of information on the internet, but what do we know about them and what can we do about their use?-a-gathering?", "modified": "2024-12-07T01:06:02.176000", "created": "2024-11-07T01:16:55.498000", "tags": [ "classification", "confidential", "cyber", "threat", "november", "time", "crypto cyber", "defence", "ipv4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 93, "FileHash-SHA1": 93, "FileHash-SHA256": 93, "domain": 5 }, "indicator_count": 284, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6723083f0bc90f78112446ca", "name": "Rekoobe Backdoor Discovered in Open Directory, Possibly Targeting TradingView Users", "description": "A security researcher discovered an open directory hosting malware that could have been used to target TradingView users, as well as other cyber espionage and data theft campaigns.. . the BBC News website", "modified": "2024-11-30T04:01:05.269000", "created": "2024-10-31T04:31:59.122000", "tags": [ "open directory", "rekoobe", "discovered", "strong", "tradingview", "ip address", "figure", "hunt", "ctg server", "warm", "light", "code", "malware", "august", "python", "noodle", "strela stealer", "zip file", "javascript file", "webdav server", "dll file", "spain", "command", "javascript code", "c server", "germany", "powershell", "webdav", "april", "next", "phishing" ], "references": [ "https://hunt.io/blog/rekoobe-backdoor-discovered-in-open-directory-possibly-targeting-tradingview-users#Conclusion", "https://cyble.com/blog/strela-stealer-targets-europe-stealthily-via-webdav/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Noodle", "display_name": "Noodle", "target": null }, { "id": "Rekoobe", "display_name": "Rekoobe", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ChrisTan0", "id": "262536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 5, "FileHash-SHA256": 100, "URL": 1, "domain": 16, "hostname": 1, "CVE": 5 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "550 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672b86f6f66f3b49a862a871", "name": "ACTIVIDAD MALICIOSA | Relacionada con StrelaStealer 04-11-2024", "description": "StrelaStealer es un programa malicioso dise\u00f1ado para robar las credenciales de inicio de sesi\u00f3n de cuentas de correo electr\u00f3nico. Fue identificado por primera vez en noviembre de 2022 por los investigadores de DCSO CyTec. Este malware se dirige principalmente a los clientes de correo electr\u00f3nico Microsoft Outlook y Mozilla Thunderbird, y se distribuye a trav\u00e9s de correos electr\u00f3nicos de spam dirigidos a usuarios hispanohablantes. Una vez que infecta un sistema, StrelaStealer busca y extrae datos confidenciales, como nombres de usuario y contrase\u00f1as, almacenados en archivos y registros espec\u00edficos. La importancia de StrelaStealer radica en su capacidad para comprometer cuentas de correo electr\u00f3nico, lo que puede llevar a robo de identidad, p\u00e9rdidas financieras y acceso no autorizado a otros servicios conectados a trav\u00e9s de los correos electr\u00f3nicos. Para protegerse, se recomienda utilizar un software antivirus actualizado y ser cauteloso con los correos electr\u00f3nicos sospechosos.", "modified": "2024-11-06T15:10:46.144000", "created": "2024-11-06T15:10:46.144000", "tags": [ "access", "ta0001 initial", "ta0005 defense", "t1005 data", "local system", "t1012 query", "registry", "files", "over c2", "channel" ], "references": [ "https://darfe.es/ciberwiki/index.php?title=StrelaStealer", "https://www.virustotal.com/graph/embed/gbfc5ee98efbe46a08b751f0c1a7002163ad889524d574978ac55e2732b07094b?theme=light", "https://www.virustotal.com/gui/collection/b52c94c8a7d2b6ce74a9e7161a9254b34fe686fc69033fc7af6172cef94c629a" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Strela Stealer", "display_name": "Strela Stealer", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 19, "FileHash-SHA256": 19, "domain": 5 }, "indicator_count": 62, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "573 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "vaultdocker.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "vaultdocker.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780499060.0655227 }