{ "type": "Domain", "indicator": "whichloadsfaster.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/whichloadsfaster.com", "alexa": "http://www.alexa.com/siteinfo/whichloadsfaster.com", "indicator": "whichloadsfaster.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3219939486, "indicator": "whichloadsfaster.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "66f1accda30d94af7e846357", "name": "Zendesk as VirusTotal \u00bb Ransom:Win32/CVE", "description": "*https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088 |||\n\n*In this situation a target received a VirusTotal / Zendesk drive by pop up message that site was unauthorized , fraud risk. The link has it all! Downloaders, install core, browser bar malware, ransomware, python script. Heavy attack. Desires deletion of device , accounts and contents.\n |||\nALF:HeraklezEval:Ransom:Win32/CVE , \nALF:Trojan:Win32/Cassini_6d4ebdc9 ,\nBackdoor:Win32/Zegost ,\nCVE-2023-22518 ,\nCVE-2023-4966 ,\nFakeAV.FOR ,\nMalware:AddsCopyToStartup ,\nNinite ,\nNoobyProtect ,\nTEL:Trojan:Win64/GoCLR ,\nTELPER:HSTR:CLEAN:Ninite ,\nTrojan:Win32/Cobaltstrike ,\nTrojan:Win32/Dridex ,\nTrojan:Win32/Fanop ,\nTrojan:Win32/Neconyd ,\nTrojan:Win32/Startpage ,\nTrojan:Win32/Zombie ,\nVirTool:Win32/Injector.gen!BQ ,\nVirTool:Win32/Obfuscator ,\nWin.Trojan.Generic-9935365-0 ,\nWorm:Win32/Autorun", "modified": "2024-10-23T17:03:27.463000", "created": "2024-09-23T18:00:45.146000", "tags": [ "as396982 google", "setup", "passive dns", "unknown", "ninite sep", "a td", "443 ma2592000", "accept", "gmt cache", "trojan", "status", "name servers", "urls", "creation date", "search", "emails", "servers", "as15169 google", "aaaa", "cname", "virtool", "cryp", "as19527 google", "win32", "related pulses", "file samples", "files matching", "date hash", "trojan features", "entries", "search otx", "telper", "worm", "copyright", "levelblue", "files domain", "files related", "pulses none", "accept accept", "as16625 akamai", "as20940", "asnone united", "nxdomain", "expiration date", "as21342", "as132147", "china", "as9808 china", "body", "all scoreblue", "backdoor", "alf features", "all search", "domain", "as15133 verizon", "as16552 tiggee", "url https", "http", "hostname", "ninite", "united states", "scan endpoints", "show", "showing", "next", "united", "as54113", "github pages", "formbook cnc", "checkin", "mtb aug", "a domains", "class", "twitter", "certificate", "record value", "pulse pulses", "overview ip", "address", "related nids", "files location", "div div", "github", "meta", "homepage", "form", "as36459", "g2 tls", "rsa sha256", "as29791", "dynamicloader", "medium", "yara detections", "dynamic", "filehash", "sha256", "february", "copy", "otx telemetry", "related tags", "a li", "span p", "dj ai", "dongjun jeong", "a h2", "writeups", "infosec journey", "script urls", "netherlands", "a nxdomain", "aaaa nxdomain", "cloudfront", "trojandropper", "china unknown", "msie", "chrome", "ipv4", "noobyprotect", "files", "peeringdb", "sign", "github copilot", "view", "notifications", "branches tags", "code issues", "pull", "write", "star", "code", "stars", "python", "shell", "footer", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "as62597 nsone", "dnssec", "win32mydoom sep", "windows nt", "wow64", "khtml", "gecko", "query", "jpn write", "e0e8e", "observed dns", "expiro", "defender", "malware", "possible", "suspicious", "activity dns", "mtb may", "sameorigin", "domain name", "error", "moved", "server", "mtb sep", "win32cve sep", "cloud provider", "reverse dns", "america asn", "dns resolutions", "domains top", "level", "unique tlds", "pulses", "default", "yara rule", "high", "cnc checkin", "cape", "powershell", "vmprotect", "local", "agent", "domainabuse", "su liao", "zhi pin", "application", "expiro malware", "anomalous file", "june", "fakedout threat", "analyzer paste", "iocs", "samples", "exploit", "germany unknown", "as14636", "russia unknown", "as9123 timeweb", "as45102 alibaba", "as43830", "read c", "write c", "process32nextw", "regsetvalueexa", "regdword", "installcore", "format", "delphi", "stack", "downloader", "urls http", "delete c", "tls handshake", "number", "failure", "delete", "ids detections", "fadok", "template", "slcc2", "media center", "contacted", "ollydbg", "internal", "simda", "brian sabey", "going dark", "stop", "as14061", "hostnames", "as48287 jsc", "as50340", "czechia unknown", "date" ], "references": [ "https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088", "GitHub - peeringdb/peeringdb-py: PeeringDB python client", "00-skillsetparadesarrollo.zendesk.com", "https://github.com/peeringdb/peeringdb-py", "From the lovely Cyber Folks .PL Cover" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Poland", "Australia", "Austria", "Canada", "Netherlands", "China" ], "malware_families": [ { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2023-4966", "display_name": "CVE-2023-4966", "target": null }, { "id": "FakeAV.FOR", "display_name": "FakeAV.FOR", "target": null }, { "id": "TELPER:HSTR:CLEAN:Ninite", "display_name": "TELPER:HSTR:CLEAN:Ninite", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Dridex", "display_name": "Trojan:Win32/Dridex", "target": "/malware/Trojan:Win32/Dridex" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Malware:AddsCopyToStartup", "display_name": "Malware:AddsCopyToStartup", "target": null }, { "id": "Trojan:Win32/Cobaltstrike", "display_name": "Trojan:Win32/Cobaltstrike", "target": "/malware/Trojan:Win32/Cobaltstrike" }, { "id": "ALF:Trojan:Win32/Cassini_6d4ebdc9", "display_name": "ALF:Trojan:Win32/Cassini_6d4ebdc9", "target": null }, { "id": "Trojan:Win32/Startpage", "display_name": "Trojan:Win32/Startpage", "target": "/malware/Trojan:Win32/Startpage" }, { "id": "Backdoor:Win32/Zegost", "display_name": "Backdoor:Win32/Zegost", "target": "/malware/Backdoor:Win32/Zegost" }, { "id": "Trojan:Win32/Fanop", "display_name": "Trojan:Win32/Fanop", "target": "/malware/Trojan:Win32/Fanop" }, { "id": "Trojan:Win32/Neconyd", "display_name": "Trojan:Win32/Neconyd", "target": "/malware/Trojan:Win32/Neconyd" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "Win.Trojan.Generic-9935365-0", "display_name": "Win.Trojan.Generic-9935365-0", "target": null }, { "id": "Ninite", "display_name": "Ninite", "target": null }, { "id": "NoobyProtect", "display_name": "NoobyProtect", "target": null }, { "id": "TEL:Trojan:Win64/GoCLR", "display_name": "TEL:Trojan:Win64/GoCLR", "target": null }, { "id": "ALF:HeraklezEval:Ransom:Win32/CVE", "display_name": "ALF:HeraklezEval:Ransom:Win32/CVE", "target": null }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4891, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2436, "CVE": 3, "FileHash-MD5": 2510, "FileHash-SHA1": 2063, "FileHash-SHA256": 4054, "hostname": 1788, "URL": 1228, "email": 16 }, "indicator_count": 14098, "is_author": false, "is_subscribing": null, "subscriber_count": 239, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658dd276d03bca9b7a93b724", "name": "Makop | Lazarus | Spyware", "description": "Privilege abuse. Spyware and miscellaneous cyber attacks leveraged against various individuals using escalated privileges. Pegasus was found, not thoroughly explored.", "modified": "2024-01-27T18:02:23.517000", "created": "2023-12-28T19:54:30.287000", "tags": [ "no expiration", "domain", "hostname", "expiration", "iocs", "ipv4", "filehashmd5", "next", "scan endpoints", "all octoseek", "url http", "url https", "create new", "deptid24124", "deptid23922", "deptid23936", "sid339", "filehashsha256", "navmode3", "ommidsf3558", "usbuy no", "type33554433", "guid", "smauthreason0", "methodhead", "targetsmhttps", "exact", "a9 no", "langid1", "actmsgs1", "christmas", "pinlbtn", "pinl2", "uidtokenhttps", "pulse use", "pdf report", "pcap", "stix", "filehashsha1", "email", "contact", "contacted", "pegasus", "T1622 - Debugger Evasion", "wmi string", "windows nt", "request email", "apple", "search", "server", "resolutions", "san francisco", "route", "server ca", "sha2 secure", "show technique", "sign", "sprint personal", "status", "ssl certificate", "stateprovince", "text", "test", "subdomains", "surry hills", "teams api", "uknown", "threat analyzer", "threat", "target", "tsara brashears", "united", "urls", "win64", "windir", "urls http", "v3 serial", "validity", "referrer", "registrar abuse", "report", "report registrar abuse", "ransomware", "record value", "programfiles", "priority", "port scan", "pe32", "pegasus", "pe resource", "path", "paste", "passive dns", "password", "orgtechhandle", "orgtechphone", "orgtechref", "open", "orgabusehandle", "orgabuseref", "asn asn", "asn database", "bernhardplein", "big tech", "body xml", "body", "xml", "ck id", "cloudflare", "as8100", "akamai as36786", "as16625", "arin", "analyze", "api ip", "amazons3", "akamaias", "akamai", "aibv hostmaster", "access type", "abuse contact", "audiologist inc", "nothing number", "united", "brashears", "verdict", "net10464001", "new ioc", "next noc", "bv", "bv orgid cambridge", "cambridge", "certificate", "certificate city", "ck id", "city", "brute force", "communicating", "copy core", "copy", "core", "cus", "cndigicert", "date", "detections", "detection type", "dhs discover", "dns", "discover", "hallrender", "briansabey", "brian sabey", "hall render", "dhs", "domain name", "download", "download sample", "email", "europeberlin", "execution", "falcon", "falcon sandbox", "false", "feeds", "feeds ioc", "first", "form", "frankfurt", "full name", "gameskinny", "gecko", "germany", "getprocaddress", "hacktool", "historical ssl", "hostnames", "hybrid", "ibm", "ibm business", "installer", "installer internet", "ioc search", "iocs", "ip address", "ip geolocation", "stealer", "ipinfo", "issuer", "javascript", "jb", "jb country", "khtml", "lazarus", "little", "lolkek", "main", "makop", "markmonitor", "microsoft", "mitre att", "ms windows", "name name" ], "references": [ "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "Makop Ransomware", "display_name": "Makop Ransomware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Little", "display_name": "Little", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2108, "FileHash-SHA1": 1248, "domain": 668, "hostname": 1340, "URL": 2652, "FileHash-SHA256": 1070, "email": 25, "CIDR": 4 }, "indicator_count": 9115, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658ef84e3324dfdb9d16bd73", "name": "Makop | Lazarus | Spyware (if it looks like a Pegasus...)", "description": "", "modified": "2024-01-27T18:02:23.517000", "created": "2023-12-29T16:48:15", "tags": [ "no expiration", "domain", "hostname", "expiration", "iocs", "ipv4", "filehashmd5", "next", "scan endpoints", "all octoseek", "url http", "url https", "create new", "deptid24124", "deptid23922", "deptid23936", "sid339", "filehashsha256", "navmode3", "ommidsf3558", "usbuy no", "type33554433", "guid", "smauthreason0", "methodhead", "targetsmhttps", "exact", "a9 no", "langid1", "actmsgs1", "christmas", "pinlbtn", "pinl2", "uidtokenhttps", "pulse use", "pdf report", "pcap", "stix", "filehashsha1", "email", "contact", "contacted", "pegasus", "T1622 - Debugger Evasion", "wmi string", "windows nt", "request email", "apple", "search", "server", "resolutions", "san francisco", "route", "server ca", "sha2 secure", "show technique", "sign", "sprint personal", "status", "ssl certificate", "stateprovince", "text", "test", "subdomains", "surry hills", "teams api", "uknown", "threat analyzer", "threat", "target", "tsara brashears", "united", "urls", "win64", "windir", "urls http", "v3 serial", "validity", "referrer", "registrar abuse", "report", "report registrar abuse", "ransomware", "record value", "programfiles", "priority", "port scan", "pe32", "pegasus", "pe resource", "path", "paste", "passive dns", "password", "orgtechhandle", "orgtechphone", "orgtechref", "open", "orgabusehandle", "orgabuseref", "asn asn", "asn database", "bernhardplein", "big tech", "body xml", "body", "xml", "ck id", "cloudflare", "as8100", "akamai as36786", "as16625", "arin", "analyze", "api ip", "amazons3", "akamaias", "akamai", "aibv hostmaster", "access type", "abuse contact", "audiologist inc", "nothing number", "united", "brashears", "verdict", "net10464001", "new ioc", "next noc", "bv", "bv orgid cambridge", "cambridge", "certificate", "certificate city", "ck id", "city", "brute force", "communicating", "copy core", "copy", "core", "cus", "cndigicert", "date", "detections", "detection type", "dhs discover", "dns", "discover", "hallrender", "briansabey", "brian sabey", "hall render", "dhs", "domain name", "download", "download sample", "email", "europeberlin", "execution", "falcon", "falcon sandbox", "false", "feeds", "feeds ioc", "first", "form", "frankfurt", "full name", "gameskinny", "gecko", "germany", "getprocaddress", "hacktool", "historical ssl", "hostnames", "hybrid", "ibm", "ibm business", "installer", "installer internet", "ioc search", "iocs", "ip address", "ip geolocation", "stealer", "ipinfo", "issuer", "javascript", "jb", "jb country", "khtml", "lazarus", "little", "lolkek", "main", "makop", "markmonitor", "microsoft", "mitre att", "ms windows", "name name" ], "references": [ "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "Makop Ransomware", "display_name": "Makop Ransomware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Little", "display_name": "Little", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": "658dd276d03bca9b7a93b724", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2108, "FileHash-SHA1": 1248, "domain": 668, "hostname": 1340, "URL": 2652, "FileHash-SHA256": 1070, "email": 25, "CIDR": 4 }, "indicator_count": 9115, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6216bf52ae39eb8fd3432ac4", "name": "eop.gov", "description": "", "modified": "2022-03-25T00:03:52.440000", "created": "2022-02-23T23:12:18.801000", "tags": [ "dns replication", "date", "subdomains", "detections type", "name", "text file", "lookups", "registrant", "status", "first", "aaaa", "algorithm", "key identifier", "x509v3 subject", "categories", "ranks rank", "value ingestion", "time statvoo", "utc cisco", "umbrella" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1428, "hostname": 408, "FileHash-SHA256": 131, "domain": 169, "FileHash-SHA1": 9 }, "indicator_count": 2145, "is_author": false, "is_subscribing": null, "subscriber_count": 408, "modified_text": "1486 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://github.com/peeringdb/peeringdb-py", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "00-skillsetparadesarrollo.zendesk.com", "From the lovely Cyber Folks .PL Cover", "gameskinny.com", "GitHub - peeringdb/peeringdb-py: PeeringDB python client", "https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088", "uat.identityssl.newscdn.com.au" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Brashears", "Trojan:win32/zombie", "Trojan:win32/dridex", "Virtool:win32/injector.gen!bq", "Malware:addscopytostartup", "Lolkek", "Hallrender", "Fakeav.for", "Win.trojan.generic-9935365-0", "Noobyprotect", "Alf:heraklezeval:ransom:win32/cve", "Backdoor:win32/zegost", "Ninite", "Ransomware", "Tel:trojan:win64/goclr", "Worm:win32/autorun", "Virtool:win32/obfuscator", "Sabey", "Hacktool", "Telper:hstr:clean:ninite", "Trojan:win32/cobaltstrike", "Alf:trojan:win32/cassini_6d4ebdc9", "Cve-2023-4966", "Makop ransomware", "Trojan:win32/fanop", "Trojan:win32/neconyd", "Lazarus", "Cve-2023-22518", "Trojan:win32/startpage", "Little" ], "industries": [ "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "66f1accda30d94af7e846357", "name": "Zendesk as VirusTotal \u00bb Ransom:Win32/CVE", "description": "*https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088 |||\n\n*In this situation a target received a VirusTotal / Zendesk drive by pop up message that site was unauthorized , fraud risk. The link has it all! Downloaders, install core, browser bar malware, ransomware, python script. Heavy attack. Desires deletion of device , accounts and contents.\n |||\nALF:HeraklezEval:Ransom:Win32/CVE , \nALF:Trojan:Win32/Cassini_6d4ebdc9 ,\nBackdoor:Win32/Zegost ,\nCVE-2023-22518 ,\nCVE-2023-4966 ,\nFakeAV.FOR ,\nMalware:AddsCopyToStartup ,\nNinite ,\nNoobyProtect ,\nTEL:Trojan:Win64/GoCLR ,\nTELPER:HSTR:CLEAN:Ninite ,\nTrojan:Win32/Cobaltstrike ,\nTrojan:Win32/Dridex ,\nTrojan:Win32/Fanop ,\nTrojan:Win32/Neconyd ,\nTrojan:Win32/Startpage ,\nTrojan:Win32/Zombie ,\nVirTool:Win32/Injector.gen!BQ ,\nVirTool:Win32/Obfuscator ,\nWin.Trojan.Generic-9935365-0 ,\nWorm:Win32/Autorun", "modified": "2024-10-23T17:03:27.463000", "created": "2024-09-23T18:00:45.146000", "tags": [ "as396982 google", "setup", "passive dns", "unknown", "ninite sep", "a td", "443 ma2592000", "accept", "gmt cache", "trojan", "status", "name servers", "urls", "creation date", "search", "emails", "servers", "as15169 google", "aaaa", "cname", "virtool", "cryp", "as19527 google", "win32", "related pulses", "file samples", "files matching", "date hash", "trojan features", "entries", "search otx", "telper", "worm", "copyright", "levelblue", "files domain", "files related", "pulses none", "accept accept", "as16625 akamai", "as20940", "asnone united", "nxdomain", "expiration date", "as21342", "as132147", "china", "as9808 china", "body", "all scoreblue", "backdoor", "alf features", "all search", "domain", "as15133 verizon", "as16552 tiggee", "url https", "http", "hostname", "ninite", "united states", "scan endpoints", "show", "showing", "next", "united", "as54113", "github pages", "formbook cnc", "checkin", "mtb aug", "a domains", "class", "twitter", "certificate", "record value", "pulse pulses", "overview ip", "address", "related nids", "files location", "div div", "github", "meta", "homepage", "form", "as36459", "g2 tls", "rsa sha256", "as29791", "dynamicloader", "medium", "yara detections", "dynamic", "filehash", "sha256", "february", "copy", "otx telemetry", "related tags", "a li", "span p", "dj ai", "dongjun jeong", "a h2", "writeups", "infosec journey", "script urls", "netherlands", "a nxdomain", "aaaa nxdomain", "cloudfront", "trojandropper", "china unknown", "msie", "chrome", "ipv4", "noobyprotect", "files", "peeringdb", "sign", "github copilot", "view", "notifications", "branches tags", "code issues", "pull", "write", "star", "code", "stars", "python", "shell", "footer", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "as62597 nsone", "dnssec", "win32mydoom sep", "windows nt", "wow64", "khtml", "gecko", "query", "jpn write", "e0e8e", "observed dns", "expiro", "defender", "malware", "possible", "suspicious", "activity dns", "mtb may", "sameorigin", "domain name", "error", "moved", "server", "mtb sep", "win32cve sep", "cloud provider", "reverse dns", "america asn", "dns resolutions", "domains top", "level", "unique tlds", "pulses", "default", "yara rule", "high", "cnc checkin", "cape", "powershell", "vmprotect", "local", "agent", "domainabuse", "su liao", "zhi pin", "application", "expiro malware", "anomalous file", "june", "fakedout threat", "analyzer paste", "iocs", "samples", "exploit", "germany unknown", "as14636", "russia unknown", "as9123 timeweb", "as45102 alibaba", "as43830", "read c", "write c", "process32nextw", "regsetvalueexa", "regdword", "installcore", "format", "delphi", "stack", "downloader", "urls http", "delete c", "tls handshake", "number", "failure", "delete", "ids detections", "fadok", "template", "slcc2", "media center", "contacted", "ollydbg", "internal", "simda", "brian sabey", "going dark", "stop", "as14061", "hostnames", "as48287 jsc", "as50340", "czechia unknown", "date" ], "references": [ "https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088", "GitHub - peeringdb/peeringdb-py: PeeringDB python client", "00-skillsetparadesarrollo.zendesk.com", "https://github.com/peeringdb/peeringdb-py", "From the lovely Cyber Folks .PL Cover" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Poland", "Australia", "Austria", "Canada", "Netherlands", "China" ], "malware_families": [ { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2023-4966", "display_name": "CVE-2023-4966", "target": null }, { "id": "FakeAV.FOR", "display_name": "FakeAV.FOR", "target": null }, { "id": "TELPER:HSTR:CLEAN:Ninite", "display_name": "TELPER:HSTR:CLEAN:Ninite", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Dridex", "display_name": "Trojan:Win32/Dridex", "target": "/malware/Trojan:Win32/Dridex" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Malware:AddsCopyToStartup", "display_name": "Malware:AddsCopyToStartup", "target": null }, { "id": "Trojan:Win32/Cobaltstrike", "display_name": "Trojan:Win32/Cobaltstrike", "target": "/malware/Trojan:Win32/Cobaltstrike" }, { "id": "ALF:Trojan:Win32/Cassini_6d4ebdc9", "display_name": "ALF:Trojan:Win32/Cassini_6d4ebdc9", "target": null }, { "id": "Trojan:Win32/Startpage", "display_name": "Trojan:Win32/Startpage", "target": "/malware/Trojan:Win32/Startpage" }, { "id": "Backdoor:Win32/Zegost", "display_name": "Backdoor:Win32/Zegost", "target": "/malware/Backdoor:Win32/Zegost" }, { "id": "Trojan:Win32/Fanop", "display_name": "Trojan:Win32/Fanop", "target": "/malware/Trojan:Win32/Fanop" }, { "id": "Trojan:Win32/Neconyd", "display_name": "Trojan:Win32/Neconyd", "target": "/malware/Trojan:Win32/Neconyd" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "Win.Trojan.Generic-9935365-0", "display_name": "Win.Trojan.Generic-9935365-0", "target": null }, { "id": "Ninite", "display_name": "Ninite", "target": null }, { "id": "NoobyProtect", "display_name": "NoobyProtect", "target": null }, { "id": "TEL:Trojan:Win64/GoCLR", "display_name": "TEL:Trojan:Win64/GoCLR", "target": null }, { "id": "ALF:HeraklezEval:Ransom:Win32/CVE", "display_name": "ALF:HeraklezEval:Ransom:Win32/CVE", "target": null }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4891, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2436, "CVE": 3, "FileHash-MD5": 2510, "FileHash-SHA1": 2063, "FileHash-SHA256": 4054, "hostname": 1788, "URL": 1228, "email": 16 }, "indicator_count": 14098, "is_author": false, "is_subscribing": null, "subscriber_count": 239, "modified_text": "543 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658dd276d03bca9b7a93b724", "name": "Makop | Lazarus | Spyware", "description": "Privilege abuse. Spyware and miscellaneous cyber attacks leveraged against various individuals using escalated privileges. Pegasus was found, not thoroughly explored.", "modified": "2024-01-27T18:02:23.517000", "created": "2023-12-28T19:54:30.287000", "tags": [ "no expiration", "domain", "hostname", "expiration", "iocs", "ipv4", "filehashmd5", "next", "scan endpoints", "all octoseek", "url http", "url https", "create new", "deptid24124", "deptid23922", "deptid23936", "sid339", "filehashsha256", "navmode3", "ommidsf3558", "usbuy no", "type33554433", "guid", "smauthreason0", "methodhead", "targetsmhttps", "exact", "a9 no", "langid1", "actmsgs1", "christmas", "pinlbtn", "pinl2", "uidtokenhttps", "pulse use", "pdf report", "pcap", "stix", "filehashsha1", "email", "contact", "contacted", "pegasus", "T1622 - Debugger Evasion", "wmi string", "windows nt", "request email", "apple", "search", "server", "resolutions", "san francisco", "route", "server ca", "sha2 secure", "show technique", "sign", "sprint personal", "status", "ssl certificate", "stateprovince", "text", "test", "subdomains", "surry hills", "teams api", "uknown", "threat analyzer", "threat", "target", "tsara brashears", "united", "urls", "win64", "windir", "urls http", "v3 serial", "validity", "referrer", "registrar abuse", "report", "report registrar abuse", "ransomware", "record value", "programfiles", "priority", "port scan", "pe32", "pegasus", "pe resource", "path", "paste", "passive dns", "password", "orgtechhandle", "orgtechphone", "orgtechref", "open", "orgabusehandle", "orgabuseref", "asn asn", "asn database", "bernhardplein", "big tech", "body xml", "body", "xml", "ck id", "cloudflare", "as8100", "akamai as36786", "as16625", "arin", "analyze", "api ip", "amazons3", "akamaias", "akamai", "aibv hostmaster", "access type", "abuse contact", "audiologist inc", "nothing number", "united", "brashears", "verdict", "net10464001", "new ioc", "next noc", "bv", "bv orgid cambridge", "cambridge", "certificate", "certificate city", "ck id", "city", "brute force", "communicating", "copy core", "copy", "core", "cus", "cndigicert", "date", "detections", "detection type", "dhs discover", "dns", "discover", "hallrender", "briansabey", "brian sabey", "hall render", "dhs", "domain name", "download", "download sample", "email", "europeberlin", "execution", "falcon", "falcon sandbox", "false", "feeds", "feeds ioc", "first", "form", "frankfurt", "full name", "gameskinny", "gecko", "germany", "getprocaddress", "hacktool", "historical ssl", "hostnames", "hybrid", "ibm", "ibm business", "installer", "installer internet", "ioc search", "iocs", "ip address", "ip geolocation", "stealer", "ipinfo", "issuer", "javascript", "jb", "jb country", "khtml", "lazarus", "little", "lolkek", "main", "makop", "markmonitor", "microsoft", "mitre att", "ms windows", "name name" ], "references": [ "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "Makop Ransomware", "display_name": "Makop Ransomware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Little", "display_name": "Little", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2108, "FileHash-SHA1": 1248, "domain": 668, "hostname": 1340, "URL": 2652, "FileHash-SHA256": 1070, "email": 25, "CIDR": 4 }, "indicator_count": 9115, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "658ef84e3324dfdb9d16bd73", "name": "Makop | Lazarus | Spyware (if it looks like a Pegasus...)", "description": "", "modified": "2024-01-27T18:02:23.517000", "created": "2023-12-29T16:48:15", "tags": [ "no expiration", "domain", "hostname", "expiration", "iocs", "ipv4", "filehashmd5", "next", "scan endpoints", "all octoseek", "url http", "url https", "create new", "deptid24124", "deptid23922", "deptid23936", "sid339", "filehashsha256", "navmode3", "ommidsf3558", "usbuy no", "type33554433", "guid", "smauthreason0", "methodhead", "targetsmhttps", "exact", "a9 no", "langid1", "actmsgs1", "christmas", "pinlbtn", "pinl2", "uidtokenhttps", "pulse use", "pdf report", "pcap", "stix", "filehashsha1", "email", "contact", "contacted", "pegasus", "T1622 - Debugger Evasion", "wmi string", "windows nt", "request email", "apple", "search", "server", "resolutions", "san francisco", "route", "server ca", "sha2 secure", "show technique", "sign", "sprint personal", "status", "ssl certificate", "stateprovince", "text", "test", "subdomains", "surry hills", "teams api", "uknown", "threat analyzer", "threat", "target", "tsara brashears", "united", "urls", "win64", "windir", "urls http", "v3 serial", "validity", "referrer", "registrar abuse", "report", "report registrar abuse", "ransomware", "record value", "programfiles", "priority", "port scan", "pe32", "pegasus", "pe resource", "path", "paste", "passive dns", "password", "orgtechhandle", "orgtechphone", "orgtechref", "open", "orgabusehandle", "orgabuseref", "asn asn", "asn database", "bernhardplein", "big tech", "body xml", "body", "xml", "ck id", "cloudflare", "as8100", "akamai as36786", "as16625", "arin", "analyze", "api ip", "amazons3", "akamaias", "akamai", "aibv hostmaster", "access type", "abuse contact", "audiologist inc", "nothing number", "united", "brashears", "verdict", "net10464001", "new ioc", "next noc", "bv", "bv orgid cambridge", "cambridge", "certificate", "certificate city", "ck id", "city", "brute force", "communicating", "copy core", "copy", "core", "cus", "cndigicert", "date", "detections", "detection type", "dhs discover", "dns", "discover", "hallrender", "briansabey", "brian sabey", "hall render", "dhs", "domain name", "download", "download sample", "email", "europeberlin", "execution", "falcon", "falcon sandbox", "false", "feeds", "feeds ioc", "first", "form", "frankfurt", "full name", "gameskinny", "gecko", "germany", "getprocaddress", "hacktool", "historical ssl", "hostnames", "hybrid", "ibm", "ibm business", "installer", "installer internet", "ioc search", "iocs", "ip address", "ip geolocation", "stealer", "ipinfo", "issuer", "javascript", "jb", "jb country", "khtml", "lazarus", "little", "lolkek", "main", "makop", "markmonitor", "microsoft", "mitre att", "ms windows", "name name" ], "references": [ "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "Makop Ransomware", "display_name": "Makop Ransomware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Little", "display_name": "Little", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": "658dd276d03bca9b7a93b724", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2108, "FileHash-SHA1": 1248, "domain": 668, "hostname": 1340, "URL": 2652, "FileHash-SHA256": 1070, "email": 25, "CIDR": 4 }, "indicator_count": 9115, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "813 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6216bf52ae39eb8fd3432ac4", "name": "eop.gov", "description": "", "modified": "2022-03-25T00:03:52.440000", "created": "2022-02-23T23:12:18.801000", "tags": [ "dns replication", "date", "subdomains", "detections type", "name", "text file", "lookups", "registrant", "status", "first", "aaaa", "algorithm", "key identifier", "x509v3 subject", "categories", "ranks rank", "value ingestion", "time statvoo", "utc cisco", "umbrella" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1428, "hostname": 408, "FileHash-SHA256": 131, "domain": 169, "FileHash-SHA1": 9 }, "indicator_count": 2145, "is_author": false, "is_subscribing": null, "subscriber_count": 408, "modified_text": "1486 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "whichloadsfaster.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "whichloadsfaster.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776642664.3958461 }