{ "type": "Domain", "indicator": "vip-space.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/vip-space.com", "alexa": "http://www.alexa.com/siteinfo/vip-space.com", "indicator": "vip-space.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3411967142, "indicator": "vip-space.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "656dedb9d857be544e7d4a04", "name": "Tracking down the cybercriminal infrastructure of infostealer RisePro", "description": "List of IoCs related to RisePro infostealer and EasyLead PPI\n\nSource EN : https://projetfox.com/en/2023/11/tracking-down-the-cybercriminal-infrastructure-of-infostealer-risepro/\nSource FR : https://projetfox.com/2023/11/traque-de-linfrastructure-cybercriminelle-de-linfostealer-risepro/\n\nMore details:\nfrom Crep1x (SEKOIA.IO) https://x.com/crep1x/status/1729908394230686033\nfrom Intrinsec https://x.com/Intrinsec/status/1730212294452260976?s=20", "modified": "2024-08-20T11:25:20.493000", "created": "2023-12-04T15:18:17.977000", "tags": [ "RisePro", "EasyLead PPI", "C2", "Infostealer" ], "references": [ "https://projetfox.com/en/2023/11/tracking-down-the-cybercriminal-infrastructure-of-infostealer-risepro/", "https://projetfox.com/2023/11/traque-de-linfrastructure-cybercriminelle-de-linfostealer-risepro/" ], "public": 1, "adversary": "RisePro", "targeted_countries": [], "malware_families": [ { "id": "RisePro", "display_name": "RisePro", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "FOX_Alb310", "id": "233506", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_233506/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 1, "domain": 27, "email": 4, "hostname": 1 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 27, "modified_text": "648 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63cfbc96323c3904a9cba17e", "name": "RisePro Stealer Distributed By PrivateLoader", "description": "The PrivateLoader Pay-per-install (PPI) malware service was used to drop the RisePro information stealer. The initial infection vector consisted of cracked software distributed through multiple websites. The stealer can exfiltrate a range of data including system information, screenshots, web browser cookies, passwords, credit card numbers, and crypto-wallets.", "modified": "2023-02-23T11:03:31.745000", "created": "2023-01-24T11:10:14.163000", "tags": [ "RisePro", "Stealer", "PrivateLoader" ], "references": [ "https://www.trellix.com/en-us/advanced-research-center/insights-preview.html" ], "public": 1, "adversary": "", "targeted_countries": [ "Chile", "Singapore", "United States of America", "Egypt", "Malaysia", "Peru", "Tunisia", "Brazil", "Colombia", "Algeria", "Spain", "Guatemala", "Sri Lanka", "Nicaragua", "United Arab Emirates", "Argentina", "Australia", "Hong Kong", "Ireland", "Israel", "Iraq", "Jamaica", "Jordan", "Mauritania", "Poland", "T\u00fcrkiye", "Venezuela, Bolivarian Republic of", "Viet Nam", "South Africa" ], "malware_families": [], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BITSecurity", "id": "103352", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 22, "FileHash-SHA1": 22, "FileHash-SHA256": 22, "domain": 51, "hostname": 1 }, "indicator_count": 118, "is_author": false, "is_subscribing": null, "subscriber_count": 242, "modified_text": "1192 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63acd8ced68fc15028262679", "name": "New RisePro Stealer Distributed by the Prominent PrivateLoader", "description": "", "modified": "2023-01-28T00:03:01.004000", "created": "2022-12-29T00:01:18.709000", "tags": [ "OSINT", "PrivateLoader", "RisePro Stealer", "Information Stealer", "Crypto", "T1213", "T1113", "T1555.004", "T1129", "T1547.001" ], "references": [ "https://community.riskiq.com/article/2007689c" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 19, "FileHash-MD5": 19, "domain": 25 }, "indicator_count": 63, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1219 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62454eff50cc4f88bff49b25", "name": "Quick Update: Kraken Completes Its Rebrand to Anubis | ZeroFox", "description": "A previously unknown botnet targeting Windows has been experimenting with new features, and is attempting to find a brand for itself, according to ZeroFox Intelligence, a security firm based in New York City.", "modified": "2022-04-30T00:00:33.024000", "created": "2022-03-31T06:49:35.626000", "tags": [ "smokeloader", "anubis", "c whoami", "walmart cyber", "intel team", "ezcubepanel", "adminlte", "ui process", "xor routine", "privacy", "january", "february", "kraken", "october", "zerofox", "pepega", "alert", "intelligence as", "figure", "pepe", "redline", "execution" ], "references": [ "https://www.zerofox.com/blog/quick-update-kraken-completes-its-rebrand-to-anubis/", "https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 5, "domain": 14, "FileHash-MD5": 2, "FileHash-SHA1": 2, "URL": 1 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 355, "modified_text": "1492 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://projetfox.com/en/2023/11/tracking-down-the-cybercriminal-infrastructure-of-infostealer-risepro/", "https://www.zerofox.com/blog/quick-update-kraken-completes-its-rebrand-to-anubis/", "https://community.riskiq.com/article/2007689c", "https://www.trellix.com/en-us/advanced-research-center/insights-preview.html", "https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e", "https://projetfox.com/2023/11/traque-de-linfrastructure-cybercriminelle-de-linfostealer-risepro/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "RisePro" ], "malware_families": [ "Smokeloader", "Risepro" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "656dedb9d857be544e7d4a04", "name": "Tracking down the cybercriminal infrastructure of infostealer RisePro", "description": "List of IoCs related to RisePro infostealer and EasyLead PPI\n\nSource EN : https://projetfox.com/en/2023/11/tracking-down-the-cybercriminal-infrastructure-of-infostealer-risepro/\nSource FR : https://projetfox.com/2023/11/traque-de-linfrastructure-cybercriminelle-de-linfostealer-risepro/\n\nMore details:\nfrom Crep1x (SEKOIA.IO) https://x.com/crep1x/status/1729908394230686033\nfrom Intrinsec https://x.com/Intrinsec/status/1730212294452260976?s=20", "modified": "2024-08-20T11:25:20.493000", "created": "2023-12-04T15:18:17.977000", "tags": [ "RisePro", "EasyLead PPI", "C2", "Infostealer" ], "references": [ "https://projetfox.com/en/2023/11/tracking-down-the-cybercriminal-infrastructure-of-infostealer-risepro/", "https://projetfox.com/2023/11/traque-de-linfrastructure-cybercriminelle-de-linfostealer-risepro/" ], "public": 1, "adversary": "RisePro", "targeted_countries": [], "malware_families": [ { "id": "RisePro", "display_name": "RisePro", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "FOX_Alb310", "id": "233506", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_233506/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 1, "domain": 27, "email": 4, "hostname": 1 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 27, "modified_text": "648 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63cfbc96323c3904a9cba17e", "name": "RisePro Stealer Distributed By PrivateLoader", "description": "The PrivateLoader Pay-per-install (PPI) malware service was used to drop the RisePro information stealer. The initial infection vector consisted of cracked software distributed through multiple websites. The stealer can exfiltrate a range of data including system information, screenshots, web browser cookies, passwords, credit card numbers, and crypto-wallets.", "modified": "2023-02-23T11:03:31.745000", "created": "2023-01-24T11:10:14.163000", "tags": [ "RisePro", "Stealer", "PrivateLoader" ], "references": [ "https://www.trellix.com/en-us/advanced-research-center/insights-preview.html" ], "public": 1, "adversary": "", "targeted_countries": [ "Chile", "Singapore", "United States of America", "Egypt", "Malaysia", "Peru", "Tunisia", "Brazil", "Colombia", "Algeria", "Spain", "Guatemala", "Sri Lanka", "Nicaragua", "United Arab Emirates", "Argentina", "Australia", "Hong Kong", "Ireland", "Israel", "Iraq", "Jamaica", "Jordan", "Mauritania", "Poland", "T\u00fcrkiye", "Venezuela, Bolivarian Republic of", "Viet Nam", "South Africa" ], "malware_families": [], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BITSecurity", "id": "103352", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 22, "FileHash-SHA1": 22, "FileHash-SHA256": 22, "domain": 51, "hostname": 1 }, "indicator_count": 118, "is_author": false, "is_subscribing": null, "subscriber_count": 242, "modified_text": "1192 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63acd8ced68fc15028262679", "name": "New RisePro Stealer Distributed by the Prominent PrivateLoader", "description": "", "modified": "2023-01-28T00:03:01.004000", "created": "2022-12-29T00:01:18.709000", "tags": [ "OSINT", "PrivateLoader", "RisePro Stealer", "Information Stealer", "Crypto", "T1213", "T1113", "T1555.004", "T1129", "T1547.001" ], "references": [ "https://community.riskiq.com/article/2007689c" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 19, "FileHash-MD5": 19, "domain": 25 }, "indicator_count": 63, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1219 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62454eff50cc4f88bff49b25", "name": "Quick Update: Kraken Completes Its Rebrand to Anubis | ZeroFox", "description": "A previously unknown botnet targeting Windows has been experimenting with new features, and is attempting to find a brand for itself, according to ZeroFox Intelligence, a security firm based in New York City.", "modified": "2022-04-30T00:00:33.024000", "created": "2022-03-31T06:49:35.626000", "tags": [ "smokeloader", "anubis", "c whoami", "walmart cyber", "intel team", "ezcubepanel", "adminlte", "ui process", "xor routine", "privacy", "january", "february", "kraken", "october", "zerofox", "pepega", "alert", "intelligence as", "figure", "pepe", "redline", "execution" ], "references": [ "https://www.zerofox.com/blog/quick-update-kraken-completes-its-rebrand-to-anubis/", "https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SmokeLoader", "display_name": "SmokeLoader", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 5, "domain": 14, "FileHash-MD5": 2, "FileHash-SHA1": 2, "URL": 1 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 355, "modified_text": "1492 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "vip-space.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "vip-space.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780205942.0192063 }