{ "type": "Domain", "indicator": "zpec.ru", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/zpec.ru", "alexa": "http://www.alexa.com/siteinfo/zpec.ru", "indicator": "zpec.ru", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3685897426, "indicator": "zpec.ru", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "65709bdfec2ebd8b9c05c15d", "name": "Threat Intel Report - W22-2023", "description": "", "modified": "2023-12-06T16:05:51.194000", "created": "2023-12-06T16:05:51.194000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 147, "FileHash-MD5": 78, "FileHash-SHA1": 73, "domain": 111, "hostname": 29, "URL": 121 }, "indicator_count": 559, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "647f5b11eb99e3604bdfa363", "name": "ACITIVIDAD MALICIOSA | Relacionada con Avemaria Rat", "description": "Avemaria RAT es un software malicioso de acceso remoto altamente sofisticado y sigiloso. Se caracteriza por su capacidad para tomar el control completo de los sistemas infectados de forma remota, permitiendo a los actores malintencionados realizar una amplia gama de acciones. Avemaria RAT se propaga principalmente a trav\u00e9s de t\u00e9cnicas de ingenier\u00eda social, aprovechando la curiosidad o el descuido de los usuarios para hacer clic en enlaces o descargar archivos infectados.", "modified": "2023-07-06T15:01:44.391000", "created": "2023-06-06T16:13:05.016000", "tags": [ "ta0001", "ta0005", "ta0040", "ta0004", "t1016", "discovery", "t1027", "t1033", "t1041", "t1053" ], "references": [ "https://urlhaus.abuse.ch/browse/", "https://alertas-y-seguridad.jimdosite.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "domain": 3 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "1059 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64747c916cd830d76839022d", "name": "Threat Intel Report - W22-2023", "description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2023-06-28T10:02:59.787000", "created": "2023-05-29T10:21:05.570000", "tags": [ "korean lazarus", "espionage", "lazarus", "buhti", "qbot", "stealthy bandit", "cosmicenergy", "babuk", "moneybird", "kimsuky", "windows", "microsoft", "cvss", "cvss base", "bandit stealer", "google cloud", "cloud sql", "lockbit", "qbot malware", "augusta", "malware", "service", "korean", "hashes domains", "amadey amadey", "ddos", "vidar vidar", "december", "arkei", "vidar", "remcos remcos", "wcry", "wanacryptor", "japan", "ip address", "blacklist host", "ip country", "latest spambot", "visit", "activity", "brazil", "canada", "singapore", "qakbot", "privateloader", "date", "malware url", "tags", "coinminer", "smake loader", "sha1 file", "name submit" ], "references": [ "http://sanddroid.xjtu.edu.cn/", "http://jevereg.amnpardaz.com/" ], "public": 1, "adversary": "Korean Lazarus", "targeted_countries": [ "Ukraine", "United States of America", "Georgia" ], "malware_families": [ { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "Moneybird", "display_name": "Moneybird", "target": null }, { "id": "Babuk", "display_name": "Babuk", "target": null }, { "id": "COSMICENERGY", "display_name": "COSMICENERGY", "target": null }, { "id": "Stealthy Bandit", "display_name": "Stealthy Bandit", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Buhti", "display_name": "Buhti", "target": null } ], "attack_ids": [ { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 78, "FileHash-SHA1": 73, "FileHash-SHA256": 147, "URL": 121, "domain": 111, "hostname": 29 }, "indicator_count": 559, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "1067 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "647143991ffc56d78172d48d", "name": "URLHaus data - 26-05-2023", "description": "", "modified": "2023-06-25T23:00:51.347000", "created": "2023-05-26T23:41:13.452000", "tags": [ "BB29", "dll", "geofenced", "msi", "Qakbot", "USA", "64", "exe", "32", "elf", "Mozi", "32-bit", "mips", "mirai", "x86-32", "arm", "hajime", "AsyncRAT", "dropped-by-amadey", "sparc", "PowerPC", "intel", "renesas", "script", "motorola", "ddos-bot", "Stealc", "BRA", "trojan", "dropped-by-SmokeLoader", "LummaStealer", "dropped-by-PrivateLoader", "RedLine", "RedLineStealer", "dcrat", "VoidRAT", "Plasma", "njRAT", "AgentTesla", "Smoke Loader", "Pikabot", "js", "2022", "Password-protected", "zip", "1234", "7z", "AveMariaRAT", "rat", "Loki", "opendir", "geo", "Grandoreiro", "Gozi", "ascii", "Encoded", "RemcosRAT", "doc", "gafgyt", "additionalpayloads", "raccoonv2", "pw:1234", "rar", "RTF" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 999, "domain": 16, "hostname": 1 }, "indicator_count": 1016, "is_author": false, "is_subscribing": null, "subscriber_count": 1620, "modified_text": "1070 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://urlhaus.abuse.ch/browse/", "https://alertas-y-seguridad.jimdosite.com/", "http://jevereg.amnpardaz.com/", "http://sanddroid.xjtu.edu.cn/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Korean Lazarus" ], "malware_families": [ "Moneybird", "Cosmicenergy", "Stealthy bandit", "Kimsuky", "Buhti", "Babuk", "Qbot" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "65709bdfec2ebd8b9c05c15d", "name": "Threat Intel Report - W22-2023", "description": "", "modified": "2023-12-06T16:05:51.194000", "created": "2023-12-06T16:05:51.194000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 147, "FileHash-MD5": 78, "FileHash-SHA1": 73, "domain": 111, "hostname": 29, "URL": 121 }, "indicator_count": 559, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "647f5b11eb99e3604bdfa363", "name": "ACITIVIDAD MALICIOSA | Relacionada con Avemaria Rat", "description": "Avemaria RAT es un software malicioso de acceso remoto altamente sofisticado y sigiloso. Se caracteriza por su capacidad para tomar el control completo de los sistemas infectados de forma remota, permitiendo a los actores malintencionados realizar una amplia gama de acciones. Avemaria RAT se propaga principalmente a trav\u00e9s de t\u00e9cnicas de ingenier\u00eda social, aprovechando la curiosidad o el descuido de los usuarios para hacer clic en enlaces o descargar archivos infectados.", "modified": "2023-07-06T15:01:44.391000", "created": "2023-06-06T16:13:05.016000", "tags": [ "ta0001", "ta0005", "ta0040", "ta0004", "t1016", "discovery", "t1027", "t1033", "t1041", "t1053" ], "references": [ "https://urlhaus.abuse.ch/browse/", "https://alertas-y-seguridad.jimdosite.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "domain": 3 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "1059 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64747c916cd830d76839022d", "name": "Threat Intel Report - W22-2023", "description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2023-06-28T10:02:59.787000", "created": "2023-05-29T10:21:05.570000", "tags": [ "korean lazarus", "espionage", "lazarus", "buhti", "qbot", "stealthy bandit", "cosmicenergy", "babuk", "moneybird", "kimsuky", "windows", "microsoft", "cvss", "cvss base", "bandit stealer", "google cloud", "cloud sql", "lockbit", "qbot malware", "augusta", "malware", "service", "korean", "hashes domains", "amadey amadey", "ddos", "vidar vidar", "december", "arkei", "vidar", "remcos remcos", "wcry", "wanacryptor", "japan", "ip address", "blacklist host", "ip country", "latest spambot", "visit", "activity", "brazil", "canada", "singapore", "qakbot", "privateloader", "date", "malware url", "tags", "coinminer", "smake loader", "sha1 file", "name submit" ], "references": [ "http://sanddroid.xjtu.edu.cn/", "http://jevereg.amnpardaz.com/" ], "public": 1, "adversary": "Korean Lazarus", "targeted_countries": [ "Ukraine", "United States of America", "Georgia" ], "malware_families": [ { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "Moneybird", "display_name": "Moneybird", "target": null }, { "id": "Babuk", "display_name": "Babuk", "target": null }, { "id": "COSMICENERGY", "display_name": "COSMICENERGY", "target": null }, { "id": "Stealthy Bandit", "display_name": "Stealthy Bandit", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "Buhti", "display_name": "Buhti", "target": null } ], "attack_ids": [ { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 78, "FileHash-SHA1": 73, "FileHash-SHA256": 147, "URL": 121, "domain": 111, "hostname": 29 }, "indicator_count": 559, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "1067 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "647143991ffc56d78172d48d", "name": "URLHaus data - 26-05-2023", "description": "", "modified": "2023-06-25T23:00:51.347000", "created": "2023-05-26T23:41:13.452000", "tags": [ "BB29", "dll", "geofenced", "msi", "Qakbot", "USA", "64", "exe", "32", "elf", "Mozi", "32-bit", "mips", "mirai", "x86-32", "arm", "hajime", "AsyncRAT", "dropped-by-amadey", "sparc", "PowerPC", "intel", "renesas", "script", "motorola", "ddos-bot", "Stealc", "BRA", "trojan", "dropped-by-SmokeLoader", "LummaStealer", "dropped-by-PrivateLoader", "RedLine", "RedLineStealer", "dcrat", "VoidRAT", "Plasma", "njRAT", "AgentTesla", "Smoke Loader", "Pikabot", "js", "2022", "Password-protected", "zip", "1234", "7z", "AveMariaRAT", "rat", "Loki", "opendir", "geo", "Grandoreiro", "Gozi", "ascii", "Encoded", "RemcosRAT", "doc", "gafgyt", "additionalpayloads", "raccoonv2", "pw:1234", "rar", "RTF" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 999, "domain": 16, "hostname": 1 }, "indicator_count": 1016, "is_author": false, "is_subscribing": null, "subscriber_count": 1620, "modified_text": "1070 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "zpec.ru", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "zpec.ru", "found": true, "verdict": "malicious", "url_count": 1, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "http://zpec.ru/bitrix/admin/swiss.exe", "status": "offline", "threat": "malware_download", "date_added": "2023-05-26", "tags": [ "AveMariaRAT", "exe", "rat" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780206598.2815814 }