{ "type": "Domain", "indicator": "webtimeapi.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/webtimeapi.com", "alexa": "http://www.alexa.com/siteinfo/webtimeapi.com", "indicator": "webtimeapi.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3784659943, "indicator": "webtimeapi.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 14, "pulses": [ { "id": "671138665921649e98001ab7", "name": "Ukrainian and Polish entities targeted with RomCom malware variants", "description": "A Russian-speaking threat group, UAT-5647, has been conducting attacks against Ukrainian government entities and Polish targets since late 2023. The group has evolved its toolset to include four distinct malware families: RustClaw and MeltingClaw downloaders, DustyHammock backdoor, and ShadyHammock backdoor. The attacks involve spear-phishing campaigns delivering these malware components, which ultimately lead to the deployment of an updated version of the RomCom malware called SingleCamper. UAT-5647's activities suggest a focus on establishing long-term access for data exfiltration, with potential for future ransomware deployment. The group's tactics include network reconnaissance, lateral movement, and attempts to compromise edge devices for evasion purposes.", "modified": "2024-11-16T16:03:43.771000", "created": "2024-10-17T16:16:38.100000", "tags": [ "romcom", "singlecamper", "dustyhammock", "russia", "shadyhammock", "ukraine", "rustclaw", "poland", "rustyclaw", "meltingclaw" ], "references": [ "https://blog.talosintelligence.com/uat-5647-romcom/" ], "public": 1, "adversary": "RomCom", "targeted_countries": [ "Poland", "Ukraine" ], "malware_families": [ { "id": "RomCom", "display_name": "RomCom", "target": null }, { "id": "SingleCamper", "display_name": "SingleCamper", "target": null }, { "id": "RustyClaw", "display_name": "RustyClaw", "target": null }, { "id": "MeltingClaw", "display_name": "MeltingClaw", "target": null }, { "id": "DustyHammock", "display_name": "DustyHammock", "target": null }, { "id": "ShadyHammock", "display_name": "ShadyHammock", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 32, "URL": 5, "domain": 12 }, "indicator_count": 63, "is_author": false, "is_subscribing": null, "subscriber_count": 386538, "modified_text": "560 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67202a91c03af52a3e00393f", "name": "InQuest - 28-10-2024", "description": "", "modified": "2024-11-28T00:00:50.629000", "created": "2024-10-29T00:21:37.073000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 91, "domain": 29, "FileHash-SHA256": 474, "hostname": 14, "FileHash-SHA1": 12, "FileHash-MD5": 4 }, "indicator_count": 624, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "549 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671ed771a90d9d4e03a539f5", "name": "InQuest - 27-10-2024", "description": "", "modified": "2024-11-27T00:00:42.578000", "created": "2024-10-28T00:14:41.049000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 484, "domain": 129, "URL": 222, "hostname": 31, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 964, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "550 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671d76cf232aeae365a12017", "name": "InQuest - 26-10-2024", "description": "", "modified": "2024-11-25T23:01:43.774000", "created": "2024-10-26T23:10:07.417000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 476, "hostname": 26, "URL": 195, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671c25558d3e76dba6bba70a", "name": "InQuest - 25-10-2024", "description": "", "modified": "2024-11-24T23:05:48.476000", "created": "2024-10-25T23:10:13.189000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 476, "hostname": 26, "URL": 195, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "552 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671ad410a33578e60aadd9a2", "name": "InQuest - 24-10-2024", "description": "", "modified": "2024-11-23T23:00:05.926000", "created": "2024-10-24T23:11:12.579000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 476, "hostname": 26, "URL": 195, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "553 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6719819c9a836408316b5d00", "name": "InQuest - 23-10-2024", "description": "", "modified": "2024-11-22T23:03:11.999000", "created": "2024-10-23T23:07:08.442000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 92, "hostname": 25, "URL": 193, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 534, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "554 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67131ff0724db0fa3bdae09d", "name": "UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants", "description": "A new wave of cyber-attacks is targeting Ukrainian government entities and Polish entities, according to Cisco Talos intelligence and security services, and the threat actor is aggressively expanding its tooling and infrastructure.", "modified": "2024-11-18T02:01:39.360000", "created": "2024-10-19T02:56:48.830000", "tags": [ "russia", "landing page top story", "malware", "ukraine", "apt", "top story", "shadyhammock", "singlecamper", "uat5647", "dustyhammock", "meltingclaw", "cisco secure", "port", "rustyclaw", "ipaddress", "system", "rust", "open", "polish", "plink", "umbrella", "romcom" ], "references": [ "https://blog.talosintelligence.com/uat-5647-romcom/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RustyClaw", "display_name": "RustyClaw", "target": null }, { "id": "DustyHammock", "display_name": "DustyHammock", "target": null }, { "id": "ShadyHammock", "display_name": "ShadyHammock", "target": null }, { "id": "RomCom", "display_name": "RomCom", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "demogreatvotes", "id": "297245", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 25, "FileHash-SHA1": 25, "FileHash-SHA256": 33, "URL": 5, "domain": 12 }, "indicator_count": 100, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "559 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6711ef4e3e5187750af79ac9", "name": "Russian RomCom Targeting Ukrainian Government with New SingleCamper RAT Variant", "description": "", "modified": "2024-11-17T05:01:31.027000", "created": "2024-10-18T05:17:02.908000", "tags": [ "hashes", "sha256", "cyber", "threat", "october", "time", "crypto cyber", "defence", "domains", "ipv4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 33, "domain": 12 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "560 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66faa521983e83e65c5a49d7", "name": "Inside SnipBot: The Latest RomCom Malware Variant", "description": "Palo Alto Networks has discovered a new strain of the RomCom malware family that employs new tricks to evade detection and evade attack, which it believes is related to a major intelligence-gathering operation.", "modified": "2024-10-30T13:01:14.454000", "created": "2024-09-30T13:18:25.228000", "tags": [ "c2 server", "snipbot", "localappdata", "sha256", "romcom", "download", "pdf file", "public", "snipbot malware", "c2 domain", "explorer", "virustotal", "winrar", "april", "february", "main", "ukraine", "alliance", "desktop", "open", "generic" ], "references": [ "https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RomCom", "display_name": "RomCom", "target": null }, { "id": "SnipBot", "display_name": "SnipBot", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Legal", "Agriculture", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ghitansilviu@gmail.com", "id": "177478", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 15, "URL": 1, "domain": 17, "hostname": 2 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "578 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f972a3f4e616aa644026f9", "name": "September 29th, 2024 - CryptoGen Cyber Threat Intelligence Advisory #5236 - PDF Files Modified to Deliver SnipBot Malware", "description": "", "modified": "2024-10-29T15:01:07.137000", "created": "2024-09-29T15:30:43.943000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "578 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f68688936db6c2e5a7da8c", "name": "RomCom malware variant \u2018SnipBot\u2019", "description": "RomCom malware variant \u2018SnipBot\u2019", "modified": "2024-10-27T10:02:08.254000", "created": "2024-09-27T10:18:48.897000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IndoOpenThreatXchange", "id": "286483", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_286483/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 10, "domain": 15, "hostname": 2 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 89, "modified_text": "581 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f3bda1c61310abd4d95ff2", "name": "Inside SnipBot: The Latest RomCom Malware Variant", "description": "Palo Alto Networks has discovered a new strain of the RomCom malware family that employs new tricks to evade detection and evade attack, which it believes is related to a major intelligence-gathering operation.", "modified": "2024-10-25T07:00:26.477000", "created": "2024-09-25T07:37:05.610000", "tags": [ "c2 server", "snipbot", "localappdata", "sha256", "romcom", "download", "pdf file", "public", "snipbot malware", "c2 domain", "explorer", "virustotal", "winrar", "april", "february", "main", "ukraine", "alliance", "desktop", "open", "generic" ], "references": [ "https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RomCom", "display_name": "RomCom", "target": null }, { "id": "SnipBot", "display_name": "SnipBot", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Legal", "Agriculture", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ChrisTan0", "id": "262536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 15, "URL": 1, "domain": 17, "hostname": 2 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "583 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f2a3f2ae81092dcf0d728b", "name": "Inside SnipBot: The Latest RomCom Malware Variant", "description": "Palo Alto Networks has discovered a new strain of the RomCom malware family that employs new tricks to evade detection and evade attack, which it believes is related to a major intelligence-gathering operation.", "modified": "2024-10-24T11:03:36.936000", "created": "2024-09-24T11:35:14.787000", "tags": [ "c2 server", "snipbot", "localappdata", "sha256", "romcom", "download", "pdf file", "public", "snipbot malware", "c2 domain", "explorer", "virustotal", "winrar", "april", "february", "main", "ukraine", "alliance", "desktop", "open", "generic" ], "references": [ "https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RomCom", "display_name": "RomCom", "target": null }, { "id": "SnipBot", "display_name": "SnipBot", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Legal", "Agriculture", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 15, "URL": 2, "domain": 17, "hostname": 2 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "584 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://labs.inquest.net/iocdb", "https://blog.talosintelligence.com/uat-5647-romcom/", "https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/" ], "related": { "alienvault": { "adversary": [ "RomCom" ], "malware_families": [ "Dustyhammock", "Romcom", "Shadyhammock", "Meltingclaw", "Singlecamper", "Rustyclaw" ], "industries": [ "Government" ] }, "other": { "adversary": [], "malware_families": [ "Dustyhammock", "Romcom", "Shadyhammock", "Snipbot", "Rustyclaw" ], "industries": [ "Legal", "Financial", "Agriculture" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 14, "pulses": [ { "id": "671138665921649e98001ab7", "name": "Ukrainian and Polish entities targeted with RomCom malware variants", "description": "A Russian-speaking threat group, UAT-5647, has been conducting attacks against Ukrainian government entities and Polish targets since late 2023. The group has evolved its toolset to include four distinct malware families: RustClaw and MeltingClaw downloaders, DustyHammock backdoor, and ShadyHammock backdoor. The attacks involve spear-phishing campaigns delivering these malware components, which ultimately lead to the deployment of an updated version of the RomCom malware called SingleCamper. UAT-5647's activities suggest a focus on establishing long-term access for data exfiltration, with potential for future ransomware deployment. The group's tactics include network reconnaissance, lateral movement, and attempts to compromise edge devices for evasion purposes.", "modified": "2024-11-16T16:03:43.771000", "created": "2024-10-17T16:16:38.100000", "tags": [ "romcom", "singlecamper", "dustyhammock", "russia", "shadyhammock", "ukraine", "rustclaw", "poland", "rustyclaw", "meltingclaw" ], "references": [ "https://blog.talosintelligence.com/uat-5647-romcom/" ], "public": 1, "adversary": "RomCom", "targeted_countries": [ "Poland", "Ukraine" ], "malware_families": [ { "id": "RomCom", "display_name": "RomCom", "target": null }, { "id": "SingleCamper", "display_name": "SingleCamper", "target": null }, { "id": "RustyClaw", "display_name": "RustyClaw", "target": null }, { "id": "MeltingClaw", "display_name": "MeltingClaw", "target": null }, { "id": "DustyHammock", "display_name": "DustyHammock", "target": null }, { "id": "ShadyHammock", "display_name": "ShadyHammock", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 32, "URL": 5, "domain": 12 }, "indicator_count": 63, "is_author": false, "is_subscribing": null, "subscriber_count": 386538, "modified_text": "560 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67202a91c03af52a3e00393f", "name": "InQuest - 28-10-2024", "description": "", "modified": "2024-11-28T00:00:50.629000", "created": "2024-10-29T00:21:37.073000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 91, "domain": 29, "FileHash-SHA256": 474, "hostname": 14, "FileHash-SHA1": 12, "FileHash-MD5": 4 }, "indicator_count": 624, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "549 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671ed771a90d9d4e03a539f5", "name": "InQuest - 27-10-2024", "description": "", "modified": "2024-11-27T00:00:42.578000", "created": "2024-10-28T00:14:41.049000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 484, "domain": 129, "URL": 222, "hostname": 31, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 964, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "550 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671d76cf232aeae365a12017", "name": "InQuest - 26-10-2024", "description": "", "modified": "2024-11-25T23:01:43.774000", "created": "2024-10-26T23:10:07.417000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 476, "hostname": 26, "URL": 195, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671c25558d3e76dba6bba70a", "name": "InQuest - 25-10-2024", "description": "", "modified": "2024-11-24T23:05:48.476000", "created": "2024-10-25T23:10:13.189000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 476, "hostname": 26, "URL": 195, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "552 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671ad410a33578e60aadd9a2", "name": "InQuest - 24-10-2024", "description": "", "modified": "2024-11-23T23:00:05.926000", "created": "2024-10-24T23:11:12.579000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 476, "hostname": 26, "URL": 195, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "553 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6719819c9a836408316b5d00", "name": "InQuest - 23-10-2024", "description": "", "modified": "2024-11-22T23:03:11.999000", "created": "2024-10-23T23:07:08.442000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 92, "hostname": 25, "URL": 193, "domain": 126, "FileHash-SHA1": 14, "FileHash-MD5": 84 }, "indicator_count": 534, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "554 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67131ff0724db0fa3bdae09d", "name": "UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants", "description": "A new wave of cyber-attacks is targeting Ukrainian government entities and Polish entities, according to Cisco Talos intelligence and security services, and the threat actor is aggressively expanding its tooling and infrastructure.", "modified": "2024-11-18T02:01:39.360000", "created": "2024-10-19T02:56:48.830000", "tags": [ "russia", "landing page top story", "malware", "ukraine", "apt", "top story", "shadyhammock", "singlecamper", "uat5647", "dustyhammock", "meltingclaw", "cisco secure", "port", "rustyclaw", "ipaddress", "system", "rust", "open", "polish", "plink", "umbrella", "romcom" ], "references": [ "https://blog.talosintelligence.com/uat-5647-romcom/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RustyClaw", "display_name": "RustyClaw", "target": null }, { "id": "DustyHammock", "display_name": "DustyHammock", "target": null }, { "id": "ShadyHammock", "display_name": "ShadyHammock", "target": null }, { "id": "RomCom", "display_name": "RomCom", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "demogreatvotes", "id": "297245", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 25, "FileHash-SHA1": 25, "FileHash-SHA256": 33, "URL": 5, "domain": 12 }, "indicator_count": 100, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "559 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6711ef4e3e5187750af79ac9", "name": "Russian RomCom Targeting Ukrainian Government with New SingleCamper RAT Variant", "description": "", "modified": "2024-11-17T05:01:31.027000", "created": "2024-10-18T05:17:02.908000", "tags": [ "hashes", "sha256", "cyber", "threat", "october", "time", "crypto cyber", "defence", "domains", "ipv4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 33, "domain": 12 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "560 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66faa521983e83e65c5a49d7", "name": "Inside SnipBot: The Latest RomCom Malware Variant", "description": "Palo Alto Networks has discovered a new strain of the RomCom malware family that employs new tricks to evade detection and evade attack, which it believes is related to a major intelligence-gathering operation.", "modified": "2024-10-30T13:01:14.454000", "created": "2024-09-30T13:18:25.228000", "tags": [ "c2 server", "snipbot", "localappdata", "sha256", "romcom", "download", "pdf file", "public", "snipbot malware", "c2 domain", "explorer", "virustotal", "winrar", "april", "february", "main", "ukraine", "alliance", "desktop", "open", "generic" ], "references": [ "https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RomCom", "display_name": "RomCom", "target": null }, { "id": "SnipBot", "display_name": "SnipBot", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Legal", "Agriculture", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ghitansilviu@gmail.com", "id": "177478", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 15, "URL": 1, "domain": 17, "hostname": 2 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "578 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "webtimeapi.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "webtimeapi.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780234784.4793 }