{ "type": "Domain", "indicator": "whitecontroller.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/whitecontroller.com", "alexa": "http://www.alexa.com/siteinfo/whitecontroller.com", "indicator": "whitecontroller.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2201230228, "indicator": "whitecontroller.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "5ef38fa73ccd462e6072ca54", "name": "Glupteba: Hidden Malware Delivery in Plain Sight", "description": "This morning, SophosLabs is publishing a report on a malware family whose infection numbers have been steadily growing since the beginning of the year. This malware, with its hard-to-pronounce name, has been getting regular updates and feature enhancements that seem to be focused on its ability to conceal itself from detection on infected computers.\n\nIn our report, we\u2019ve taken a deep dive into what makes the Glupteba malware distinctive. The core malware is, in essence, a dropper with extensive backdoor functionality, but it is a dropper that goes to great efforts to keep itself, and its various components, hidden from view by the human operator of an infected computer, or the security software charged with its protection.", "modified": "2020-06-24T17:38:47.212000", "created": "2020-06-24T17:38:47.212000", "tags": [ "Glupteba" ], "references": [ "https://github.com/sophoslabs/IoCs/blob/master/Trojan-Glupteba", "https://news.sophos.com/wp-content/uploads/2020/06/glupteba_final-1.pdf", "https://news.sophos.com/en-us/2020/06/24/glupteba-report/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Glupteba", "display_name": "Glupteba", "target": null }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" }, { "id": "VirTool:Win64/Glupteba", "display_name": "VirTool:Win64/Glupteba", "target": "/malware/VirTool:Win64/Glupteba" } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 103, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 21, "FileHash-SHA256": 10, "URL": 10, "hostname": 1, "BitcoinAddress": 2, "FileHash-MD5": 7, "FileHash-SHA1": 7 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 386502, "modified_text": "2166 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5e3d89a082119cabd7d9e5a6", "name": "InstallCapital \u2014 When AdWare Becomes Pay-per-Install Cyber-Crime", "description": "\"With this article we\u2019re trying to raise an alert about Pay-per-Install networks. The security industry has been indulgent with PPI for years considering it just as adware-related but the reality is very different, these networks are potentially huge malware distributors frequently used by various cyber-criminals.\"", "modified": "2020-02-07T16:10:39.127000", "created": "2020-02-07T16:00:32.388000", "tags": [ "Adware", "Crimeware", "PPI" ], "references": [ "https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451" ], "public": 1, "adversary": "InstallCapital", "targeted_countries": [], "malware_families": [ { "id": "InstallCapital", "display_name": "InstallCapital", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 1, "hostname": 1, "domain": 15 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 386502, "modified_text": "2304 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://github.com/sophoslabs/IoCs/blob/master/Trojan-Glupteba", "https://news.sophos.com/en-us/2020/06/24/glupteba-report/", "https://news.sophos.com/wp-content/uploads/2020/06/glupteba_final-1.pdf", "https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451" ], "related": { "alienvault": { "adversary": [ "InstallCapital" ], "malware_families": [ "Glupteba", "Installcapital", "Trojan:win32/glupteba", "Virtool:win64/glupteba" ], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "5ef38fa73ccd462e6072ca54", "name": "Glupteba: Hidden Malware Delivery in Plain Sight", "description": "This morning, SophosLabs is publishing a report on a malware family whose infection numbers have been steadily growing since the beginning of the year. This malware, with its hard-to-pronounce name, has been getting regular updates and feature enhancements that seem to be focused on its ability to conceal itself from detection on infected computers.\n\nIn our report, we\u2019ve taken a deep dive into what makes the Glupteba malware distinctive. The core malware is, in essence, a dropper with extensive backdoor functionality, but it is a dropper that goes to great efforts to keep itself, and its various components, hidden from view by the human operator of an infected computer, or the security software charged with its protection.", "modified": "2020-06-24T17:38:47.212000", "created": "2020-06-24T17:38:47.212000", "tags": [ "Glupteba" ], "references": [ "https://github.com/sophoslabs/IoCs/blob/master/Trojan-Glupteba", "https://news.sophos.com/wp-content/uploads/2020/06/glupteba_final-1.pdf", "https://news.sophos.com/en-us/2020/06/24/glupteba-report/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Glupteba", "display_name": "Glupteba", "target": null }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" }, { "id": "VirTool:Win64/Glupteba", "display_name": "VirTool:Win64/Glupteba", "target": "/malware/VirTool:Win64/Glupteba" } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 103, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 21, "FileHash-SHA256": 10, "URL": 10, "hostname": 1, "BitcoinAddress": 2, "FileHash-MD5": 7, "FileHash-SHA1": 7 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 386502, "modified_text": "2166 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5e3d89a082119cabd7d9e5a6", "name": "InstallCapital \u2014 When AdWare Becomes Pay-per-Install Cyber-Crime", "description": "\"With this article we\u2019re trying to raise an alert about Pay-per-Install networks. The security industry has been indulgent with PPI for years considering it just as adware-related but the reality is very different, these networks are potentially huge malware distributors frequently used by various cyber-criminals.\"", "modified": "2020-02-07T16:10:39.127000", "created": "2020-02-07T16:00:32.388000", "tags": [ "Adware", "Crimeware", "PPI" ], "references": [ "https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451" ], "public": 1, "adversary": "InstallCapital", "targeted_countries": [], "malware_families": [ { "id": "InstallCapital", "display_name": "InstallCapital", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 1, "hostname": 1, "domain": 15 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 386502, "modified_text": "2304 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "whitecontroller.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "whitecontroller.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780212376.9872336 }