otx.alienvault.com
13.226.145.43
Public Scan
URL: https://otx.alienvault.com/pulse/618137d47d1e3449918cdd21?scan=1&utm_userid=swimlanecyou&utm_medium=inproduct&utm_source=ot...
Submission: On November 02 via api from US — Scanned from DE
Form analysis
1 form found in the DOM: a login form (id welcomeLoginForm-pulse-detail) with a username input (id_login), a password input (id_password), a "REMEMBER ME" checkbox (id_remember) and a disabled "Log in" submit button (loginBtn).
Text Content
FROM ZERO TO DOMAIN ADMIN
Created 25 minutes ago by AlienVault | Public | TLP: White | Subscribers: 163258

In a recent malware campaign, the Hancitor DLL was downloaded and used to execute multiple payloads including a Cobalt Strike stager and Ficker Stealer. The threat actors then began port scanning for SMB and a few backup systems such as Synology, Veeam and Backup Exec.

Reference: https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/

Tags: cobalt strike, hancitor, ficker

Malware Families: Cobalt Strike (S0154), Hancitor (S0499), Ficker Stealer

ATT&CK IDs:
T1566 - Phishing
T1071.001 - Web Protocols
T1204 - User Execution
T1055 - Process Injection
T1018 - Remote System Discovery
T1068 - Exploitation for Privilege Escalation
T1569.002 - Service Execution
T1135 - Network Share Discovery
T1027 - Obfuscated Files or Information
T1482 - Domain Trust Discovery
T1069.002 - Domain Groups
T1124 - System Time Discovery
T1570 - Lateral Tool Transfer
T1059.001 - PowerShell
T1059.003 - Windows Command Shell
T1204.002 - Malicious File

Pulse sections: Indicators of Compromise (25), Related Pulses (19), Comments (0), History (0)

Types of indicators: CVE (1), Other (3), IPv4 (3), FileHash-SHA256 (6), FileHash-SHA1 (4), FileHash-MD5 (6)

Threat infrastructure: United States (2), Chile (1)

Indicators of Compromise (showing 1 to 10 of 25 entries; the Role, Title and Active columns were empty for every row shown):

Type            | Indicator                                                        | Added                   | Related pulses
domain          | wortlybeentax.com                                                | Nov 2, 2021, 1:06:29 PM | 7
domain          | 4a5ikol.ru                                                       | Nov 2, 2021, 1:06:29 PM | 5
URL             | http://wortlybeentax.com/8/forum.php                             | Nov 2, 2021, 1:06:29 PM | 2
URL             | http://207.148.23.64:443                                         | Nov 2, 2021, 1:06:29 PM | 1
URL             | http://190.114.254.116:80                                        | Nov 2, 2021, 1:06:29 PM | 1
IPv4            | 64.235.39.32                                                     | Nov 2, 2021, 1:06:29 PM | 1
IPv4            | 207.148.23.64                                                    | Nov 2, 2021, 1:06:29 PM | 3
FileHash-SHA256 | c443df1ddf8fd8a47af6fbfd0b597c4eb30d82efd1941692ba9bb9c4d6874e14 | Nov 2, 2021, 1:06:29 PM | 1
FileHash-SHA256 | be13b8457e7d7b3838788098a8c2b05f78506aa985e0319b588f01c39ca91844 | Nov 2, 2021, 1:06:29 PM | 1
FileHash-SHA256 | 94dcca901155119edfcee23a50eca557a0c6cbe12056d726e9f67e3a0cd13d51 | Nov 2, 2021, 1:06:29 PM | 1

Comments: none (login required to comment).

© Copyright 2021 AlienVault, Inc.