otx.alienvault.com Open in urlscan Pro
13.226.145.43  Public Scan

URL: https://otx.alienvault.com/pulse/618137d47d1e3449918cdd21?scan=1&utm_userid=swimlanecyou&utm_medium=inproduct&utm_source=ot...
Submission: On November 02 via api from US — Scanned from DE



FROM ZERO TO DOMAIN ADMIN

   
 * Created 25 minutes ago by AlienVault
 * Public
 * TLP: White

In a recent malware campaign, the Hancitor DLL was downloaded and used to
execute multiple payloads, including a Cobalt Strike stager and Ficker Stealer.
The threat actors then port scanned for SMB and for backup systems such as
Synology, Veeam and Backup Exec.

Reference:
https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
Tags:
cobalt strike, hancitor, ficker
Malware Families:
Cobalt Strike - S0154, Hancitor - S0499, Ficker Stealer
Att&ck IDs:
 * T1566 - Phishing
 * T1071.001 - Web Protocols
 * T1204 - User Execution
 * T1055 - Process Injection
 * T1018 - Remote System Discovery
 * T1068 - Exploitation for Privilege Escalation
 * T1569.002 - Service Execution
 * T1135 - Network Share Discovery
 * T1027 - Obfuscated Files or Information
 * T1482 - Domain Trust Discovery
 * T1069.002 - Domain Groups
 * T1124 - System Time Discovery
 * T1570 - Lateral Tool Transfer
 * T1059.001 - PowerShell
 * T1059.003 - Windows Command Shell
 * T1204.002 - Malicious File

 * Indicators of Compromise (25)
 * Related Pulses (19)
 * Comments (0)
 * History (0)

TYPES OF INDICATORS

CVE (1), Other (3), IPv4 (3), FileHash-SHA256 (6), FileHash-SHA1 (4), FileHash-MD5 (6)

THREAT INFRASTRUCTURE

United States (2), Chile (1)

INDICATORS (first 10 of 25; the Role and Title columns are empty for every row shown)

Type              Indicator                                                           Added                      Related pulses
domain            wortlybeentax.com                                                   Nov 2, 2021, 1:06:29 PM    7
domain            4a5ikol.ru                                                          Nov 2, 2021, 1:06:29 PM    5
URL               http://wortlybeentax.com/8/forum.php                                Nov 2, 2021, 1:06:29 PM    2
URL               http://207.148.23.64:443                                            Nov 2, 2021, 1:06:29 PM    1
URL               http://190.114.254.116:80                                           Nov 2, 2021, 1:06:29 PM    1
IPv4              64.235.39.32                                                        Nov 2, 2021, 1:06:29 PM    1
IPv4              207.148.23.64                                                       Nov 2, 2021, 1:06:29 PM    3
FileHash-SHA256   c443df1ddf8fd8a47af6fbfd0b597c4eb30d82efd1941692ba9bb9c4d6874e14    Nov 2, 2021, 1:06:29 PM    1
FileHash-SHA256   be13b8457e7d7b3838788098a8c2b05f78506aa985e0319b588f01c39ca91844    Nov 2, 2021, 1:06:29 PM    1
FileHash-SHA256   94dcca901155119edfcee23a50eca557a0c6cbe12056d726e9f67e3a0cd13d51    Nov 2, 2021, 1:06:29 PM    1


Showing 1 to 10 of 25 entries.
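The indicator list above is only useful once it is normalised into something a log pipeline can match against. The following is an added example, not AlienVault's or OTX's code: it builds lookup sets from the ten indicators visible on this page and runs them over a few constructed DNS, proxy and EDR log lines. The pulse JSON shape used here (a top-level "indicators" list whose entries carry "type" and "indicator" fields, with the same type names as the table) is an assumption about the OTX export format, and the log lines are constructed for the example. URL indicators also contribute their host, so a connection to the C2 address or name without the exact path still fires.

```python
"""Normalise OTX pulse indicators and match them against log lines.

Added example; the pulse excerpt, JSON shape and log lines are constructed
and are not data from this page's export or from AlienVault's code.
"""
import json
import re
from urllib.parse import urlsplit

# Constructed pulse excerpt using only the indicators shown on the page.
# The JSON layout is an assumed approximation of an OTX pulse export.
PULSE_JSON = json.dumps({
    "name": "From Zero to Domain Admin",
    "indicators": [
        {"type": "domain", "indicator": "wortlybeentax.com"},
        {"type": "domain", "indicator": "4a5ikol.ru"},
        {"type": "URL", "indicator": "http://wortlybeentax.com/8/forum.php"},
        {"type": "URL", "indicator": "http://207.148.23.64:443"},
        {"type": "URL", "indicator": "http://190.114.254.116:80"},
        {"type": "IPv4", "indicator": "64.235.39.32"},
        {"type": "IPv4", "indicator": "207.148.23.64"},
        {"type": "FileHash-SHA256", "indicator": "c443df1ddf8fd8a47af6fbfd0b597c4eb30d82efd1941692ba9bb9c4d6874e14"},
        {"type": "FileHash-SHA256", "indicator": "be13b8457e7d7b3838788098a8c2b05f78506aa985e0319b588f01c39ca91844"},
        {"type": "FileHash-SHA256", "indicator": "94dcca901155119edfcee23a50eca557a0c6cbe12056d726e9f67e3a0cd13d51"},
    ],
})

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
URL_RE = re.compile(r"\bhttps?://[^\s\"']+", re.I)
# SHA256, SHA1 and MD5 hex digests (the pulse lists all three hash types).
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)


def load_indicators(pulse_json):
    """Turn pulse indicators into lookup sets keyed by what logs contain."""
    pulse = json.loads(pulse_json)
    iocs = {"domain": set(), "ipv4": set(), "url": set(), "hash": set()}
    for ind in pulse["indicators"]:
        kind, value = ind["type"], ind["indicator"].strip()
        if kind == "domain":
            iocs["domain"].add(value.lower().rstrip("."))
        elif kind == "IPv4":
            iocs["ipv4"].add(value)
        elif kind == "URL":
            iocs["url"].add(value.lower())
            host = urlsplit(value).hostname  # strips scheme, port and path
            if host and IPV4_RE.fullmatch(host):
                iocs["ipv4"].add(host)
            elif host:
                iocs["domain"].add(host.lower())
        elif kind.startswith("FileHash-"):
            iocs["hash"].add(value.lower())
    return iocs


def scan_line(line, iocs):
    """Return a list of (ioc_type, value) hits found in one log line."""
    hits = []
    for url in URL_RE.findall(line):
        if url.lower() in iocs["url"]:
            hits.append(("url", url.lower()))
    for dom in DOMAIN_RE.findall(line):
        if dom.lower() in iocs["domain"]:
            hits.append(("domain", dom.lower()))
    for ip in IPV4_RE.findall(line):
        if ip in iocs["ipv4"]:
            hits.append(("ipv4", ip))
    for digest in HASH_RE.findall(line):
        if digest.lower() in iocs["hash"]:
            hits.append(("hash", digest.lower()))
    return hits


def scan_logs(lines, iocs):
    """Return [(line_index, hits)] for every line with at least one hit."""
    results = []
    for idx, line in enumerate(lines):
        hits = scan_line(line, iocs)
        if hits:
            results.append((idx, hits))
    return results


# Constructed sample log lines: DNS, proxy, EDR file event and benign noise.
SAMPLE_LOGS = [
    "dns client=10.0.0.15 query=wortlybeentax.com type=A",
    "proxy src=10.0.0.15 method=GET url=http://wortlybeentax.com/8/forum.php status=200",
    "proxy src=10.0.0.22 method=CONNECT dst=207.148.23.64:443",
    "edr host=WS01 event=file_write sha256=C443DF1DDF8FD8A47AF6FBFD0B597C4EB30D82EFD1941692BA9BB9C4D6874E14",
    "dns client=10.0.0.9 query=example.com type=A",
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS, load_indicators(PULSE_JSON)):
        print(f"line {idx}: {hits}")
```

Hash and domain comparisons are case-folded because EDR tools commonly emit upper-case digests while the pulse stores lower-case; IPv4 matches are exact. In a real pipeline the same sets would be refreshed from the pulse export on a schedule rather than embedded.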



 * © Copyright 2021 AlienVault, Inc.