This commit is contained in:
PrasadBoke 2023-10-12 18:37:08 +05:30
Родитель ab7d7e1055 759d3c19eb
Коммит d03793252d
150 изменённых файлов: 37592 добавлений и 4256 удалений


@ -0,0 +1,233 @@
{
"Name":"HYASProtectDnsSecurityLogs_CL",
"Properties":[
{
"Name":"TenantId",
"Type":"String"
},
{
"Name":"SourceSystem",
"Type":"String"
},
{
"Name":"MG",
"Type":"String"
},
{
"Name":"ManagementGroupName",
"Type":"String"
},
{
"Name":"TimeGenerated",
"Type":"DateTime"
},
{
"Name":"Computer",
"Type":"String"
},
{
"Name":"RawData",
"Type":"String"
},
{
"Name":"IPVerdict_s",
"Type":"String"
},
{
"Name":"TLDVerdict_s",
"Type":"String"
},
{
"Name":"Reputation_d",
"Type":"Real"
},
{
"Name":"DateTime_s",
"Type":"String"
},
{
"Name":"Domain_s",
"Type":"String"
},
{
"Name":"DeviceName_s",
"Type":"String"
},
{
"Name":"ProcessName_s",
"Type":"String"
},
{
"Name":"Nameserver_s",
"Type":"String"
},
{
"Name":"Verdict_s",
"Type":"String"
},
{
"Name":"VerdictSource_s",
"Type":"String"
},
{
"Name":"VerdictStatus_s",
"Type":"String"
},
{
"Name":"Registrar_s",
"Type":"String"
},
{
"Name":"PolicyName_s",
"Type":"String"
},
{
"Name":"PolicyID_d",
"Type":"Real"
},
{
"Name":"RegistrarVerdict_s",
"Type":"String"
},
{
"Name":"TTL_d",
"Type":"Real"
},
{
"Name":"Tags_s",
"Type":"String"
},
{
"Name":"LogID_s",
"Type":"String"
},
{
"Name":"ClientID_g",
"Type":"String"
},
{
"Name":"ClientName_s",
"Type":"String"
},
{
"Name":"ClientIP_s",
"Type":"String"
},
{
"Name":"Domain2TLD_s",
"Type":"String"
},
{
"Name":"DomainTLD_s",
"Type":"String"
},
{
"Name":"Nameserver2TLD_s",
"Type":"String"
},
{
"Name":"NameserverTLD_s",
"Type":"String"
},
{
"Name":"NameserverIP_s",
"Type":"String"
},
{
"Name":"NameserverCountryISOCode_s",
"Type":"String"
},
{
"Name":"NameserverCountryName_s",
"Type":"String"
},
{
"Name":"ARecord_s",
"Type":"String"
},
{
"Name":"CName_s",
"Type":"String"
},
{
"Name":"CName2TLD_s",
"Type":"String"
},
{
"Name":"CNameTLD_s",
"Type":"String"
},
{
"Name":"ThreatLevel_s",
"Type":"String"
},
{
"Name":"QueryType_s",
"Type":"String"
},
{
"Name":"ResponseCode_d",
"Type":"Real"
},
{
"Name":"ResponseName_s",
"Type":"String"
},
{
"Name":"ResponseDescription_s",
"Type":"String"
},
{
"Name":"ResolverMode_s",
"Type":"String"
},
{
"Name":"ReasonLists_s",
"Type":"String"
},
{
"Name":"ReasonType_s",
"Type":"String"
},
{
"Name":"DomainAge_d",
"Type":"Real"
},
{
"Name":"DomainCategory_s",
"Type":"String"
},
{
"Name":"DomainCreationDate_t",
"Type":"DateTime"
},
{
"Name":"DomainExpiresDate_t",
"Type":"DateTime"
},
{
"Name":"DomainUpdatedDate_t",
"Type":"DateTime"
},
{
"Name":"NameserverVerdict_s",
"Type":"String"
},
{
"Name":"FQDNVerdict_s",
"Type":"String"
},
{
"Name":"DomainVerdict_s",
"Type":"String"
},
{
"Name":"Type",
"Type":"String"
},
{
"Name":"_ResourceId",
"Type":"String"
}
]
}


@ -94,6 +94,7 @@
"GCPDNSDataConnector",
"GWorkspaceRAPI",
"GoogleWorkspaceReportsAPI",
"GreyNoise2SentinelAPI",
"IdentityInfo",
"ImpervaWAFCloudAPI",
"ImpervaWAFGateway",



@ -4,7 +4,7 @@
AWS S3 Sentinel connector ingests many AWS service logs into Azure Sentinel. Currently supported logs include: AWS VPC Flow Logs, GuardDuty, Cloud Watch, Cloud Trail (management and data events).
This connector requires that each AWS service publish its logs to an S3 bucket in your account. In addition you must configure SQS notifications and permissions for the connector to retreive the logs.
This connector requires that each AWS service publish its logs to an S3 bucket in your account. In addition you must configure SQS notifications and permissions for the connector to retrieve the logs.
More information on the connector and configuration instructions can be found on the Azure Sentinel data connector page in the Azure portal.


@ -1,7 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="334px" height="167px" style="shape-rendering:geometricPrecision; text-rendering:geometricPrecision; image-rendering:optimizeQuality; fill-rule:evenodd; clip-rule:evenodd" xmlns:xlink="http://www.w3.org/1999/xlink">
<g><path style="opacity:0.987" fill="#fe7a4f" d="M 4.5,-0.5 C 8.5,-0.5 12.5,-0.5 16.5,-0.5C 51.6387,4.56966 76.9721,23.0697 92.5,55C 92.2716,55.3988 91.9382,55.5654 91.5,55.5C 62.8314,55.6666 34.1647,55.5 5.5,55C 3.34004,53.668 1.34004,52.168 -0.5,50.5C -0.5,35.1667 -0.5,19.8333 -0.5,4.5C 0.930149,2.614 2.59682,0.947334 4.5,-0.5 Z"/></g>
<g><path style="opacity:0.997" fill="#fca567" d="M 16.5,-0.5 C 90.1667,-0.5 163.833,-0.5 237.5,-0.5C 210.543,3.96985 188.709,16.9698 172,38.5C 168.101,43.631 165.268,49.2977 163.5,55.5C 156.834,73.836 156.834,92.1694 163.5,110.5C 173.053,134.551 190.053,151.051 214.5,160C 222.767,162.982 231.1,165.149 239.5,166.5C 193.833,166.5 148.167,166.5 102.5,166.5C 100.525,165.354 99.025,163.687 98,161.5C 97.8986,131.147 97.2319,100.814 96,70.5C 94.9585,65.3275 93.4585,60.3275 91.5,55.5C 91.9382,55.5654 92.2716,55.3988 92.5,55C 76.9721,23.0697 51.6387,4.56966 16.5,-0.5 Z"/></g>
<g><path style="opacity:1" fill="#345d7f" d="M 237.5,-0.5 C 246.833,-0.5 256.167,-0.5 265.5,-0.5C 294.305,4.22996 316.971,18.5633 333.5,42.5C 333.5,45.1667 333.5,47.8333 333.5,50.5C 331.66,52.168 329.66,53.668 327.5,55C 272.834,55.5 218.168,55.6667 163.5,55.5C 165.268,49.2977 168.101,43.631 172,38.5C 188.709,16.9698 210.543,3.96985 237.5,-0.5 Z"/></g>
<g><path style="opacity:1" fill="#345d7f" d="M 163.5,110.5 C 218.168,110.333 272.834,110.5 327.5,111C 329.66,112.332 331.66,113.832 333.5,115.5C 333.5,118.167 333.5,120.833 333.5,123.5C 316.966,147.439 294.3,161.772 265.5,166.5C 256.833,166.5 248.167,166.5 239.5,166.5C 231.1,165.149 222.767,162.982 214.5,160C 190.053,151.051 173.053,134.551 163.5,110.5 Z"/></g>
</svg>
<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 27.9.0, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<svg version="1.1" id="a144cc69-f212-5a95-98e1-fb6fdd8de58e" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px"
viewBox="0 0 334 167.3" xml:space="preserve">
<style type="text/css">
.st0{fill:#FF7A4F;}
.st1{fill:url(#SVGID_1_);}
.st2{fill:url(#SVGID_00000134235850433476250970000000888907963530095800_);}
.st3{fill:#335D7F;}
.st4{fill:#FDA667;}
</style>
<g id="aa3e1aab-1432-4124-9d5d-1c0ec785f019">
<g id="f9ad83e1-ae9e-4d9d-9278-b060f63ac5eb">
<g id="addcb393-bcd7-4381-a2b3-d5bb8a37d878">
<path class="st0" d="M0,8.8V47c0,4.9,4.4,8.8,9.8,8.8c0,0,0,0,0,0h121l0-55.7H9.8C4.4,0,0,4,0,8.8C0,8.8,0,8.8,0,8.8z"/>
<linearGradient id="b315c62a-f852-5d9d-8a7b-3df1593b94c1" gradientUnits="userSpaceOnUse" x1="170.9021" y1="262.1024" x2="329.0352" y2="262.1024" gradientTransform="matrix(1 0 0 -1 0 290)">
<stop offset="0"/>
<stop offset="0.5"/>
<stop offset="1"/>
</linearGradient>
<path class="st1" d="M332.8,42.8C316.4,16.4,285.3,0,251.6,0c-2.5,0-9,0-9.8,0l-111,0.6v55.1h33l0,0h160.5c5.4,0,9.7-3.9,9.7-8.7
C334,45.6,333.6,44.1,332.8,42.8z"/>
<linearGradient id="c794a289-e00d-52ba-8324-9136f3f47af5" gradientUnits="userSpaceOnUse" x1="171.5907" y1="150.5957" x2="328.2036" y2="150.5957" gradientTransform="matrix(1 0 0 -1 0 290)">
<stop offset="0"/>
<stop offset="0.5"/>
<stop offset="1"/>
</linearGradient>
<path d="M332.8,124.5
c-16.5,26.4-47.5,42.8-81.3,42.8c-2.5,0-9,0-9.8,0l-111-0.6v-55.1h33l0,0h160.5c5.4,0,9.7,3.9,9.7,8.7
C334,121.7,333.6,123.2,332.8,124.5z"/>
<path class="st3" d="M332.8,42.8C316.4,16.4,285.3,0,251.6,0c-2.5,0-9,0-9.8,0l-111,0.6v55.1h33l0,0h160.5c5.4,0,9.7-3.9,9.7-8.7
C334,45.6,333.6,44.1,332.8,42.8z"/>
<path class="st3" d="M332.8,124.5c-16.5,26.4-47.5,42.8-81.3,42.8c-2.5,0-9,0-9.8,0L131,166.7c-0.1,0-0.2-0.1-0.2-0.2v-54.8
c0-0.1,0.1-0.2,0.2-0.2h32.8l0,0h160.5c5.4,0,9.7,3.9,9.7,8.7C334,121.7,333.6,123.2,332.8,124.5z"/>
<path class="st4" d="M251.6,0H97.9v0H10c1.1,0,3.7,0.2,5.5,0.4c47,4.9,82.4,40.7,82.4,83.2v75c0,4.8,4.3,8.7,9.7,8.7c0,0,0,0,0,0
h143.9c-6.3-0.2-10.1-0.4-15-1.1c-50.7-7.4-85.2-50.4-76.9-96c6.9-37.8,41.4-66.6,83.9-69.9C246.2,0.1,249.9,0,251.6,0z"/>
</g>
</g>
</g>
</svg>



@ -0,0 +1,42 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 26.5.0, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<svg version="1.1" id="3453cf71-5cae-4ed6-ab04-ab40fe4fd029" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px"
viewBox="0 0 720 720" xml:space="preserve">
<style type="text/css">
.st0{fill:none;stroke:#000000;stroke-width:7;stroke-miterlimit:10;}
</style>
<g>
<path d="M390.3,602.9c-133.9,0-242.9-108.9-242.9-242.9c0-16.6,1.7-32.8,4.9-48.4l-11.8-2.4c-3.3,16.5-5,33.5-5,50.8
c0,68.1,26.5,132.1,74.6,180.2c48.1,48.1,112.1,74.6,180.2,74.6c9.3,0,18.5-0.5,27.6-1.5l-1.3-11.9
C408,602.4,399.2,602.9,390.3,602.9"/>
<path class="st0" d="M390.3,602.9c-133.9,0-242.9-108.9-242.9-242.9c0-16.6,1.7-32.8,4.9-48.4l-11.8-2.4c-3.3,16.5-5,33.5-5,50.8
c0,68.1,26.5,132.1,74.6,180.2c48.1,48.1,112.1,74.6,180.2,74.6c9.3,0,18.5-0.5,27.6-1.5l-1.3-11.9
C408,602.4,399.2,602.9,390.3,602.9z"/>
<path d="M390.3,117.1c31,0,60.6,5.8,87.9,16.5l4.4-11.3c-29-11.3-60.2-17.1-92.3-17.1c-67.2,0-130.5,25.9-178.4,72.9l8.5,8.6
C264.2,143.7,324.2,117.1,390.3,117.1"/>
<path class="st0" d="M390.3,117.1c31,0,60.6,5.8,87.9,16.5l4.4-11.3c-29-11.3-60.2-17.1-92.3-17.1c-67.2,0-130.5,25.9-178.4,72.9
l8.5,8.6C264.2,143.7,324.2,117.1,390.3,117.1z"/>
<path d="M390.3,158.1c37.6,0,72.8,10.4,103,28.3l6.1-10.3c-32-19.1-69.3-30-109.2-30c-111.5,0-203.3,85.8-213,194.8l12,1.1
C198.4,239.1,285,158.1,390.3,158.1"/>
<path class="st0" d="M390.3,158.1c37.6,0,72.8,10.4,103,28.3l6.1-10.3c-32-19.1-69.3-30-109.2-30c-111.5,0-203.3,85.8-213,194.8
l12,1.1C198.4,239.1,285,158.1,390.3,158.1z"/>
<path d="M390.3,561.9c-100.4,0-183.9-73.7-199.3-169.8l-11.8,1.9c16.3,101.8,104.8,179.9,211.1,179.9c33.2,0,64.7-7.6,92.8-21.2
l-5.2-10.8C451.4,554.7,421.7,561.9,390.3,561.9"/>
<path class="st0" d="M390.3,561.9c-100.4,0-183.9-73.7-199.3-169.8l-11.8,1.9c16.3,101.8,104.8,179.9,211.1,179.9
c33.2,0,64.7-7.6,92.8-21.2l-5.2-10.8C451.4,554.7,421.7,561.9,390.3,561.9z"/>
<path d="M551,366.8c-3.6,85.5-74.3,154-160.7,154c-22.7,0-44.3-4.7-63.8-13.2l-4.8,11c21,9.1,44.2,14.2,68.6,14.2
c93,0,169.1-73.9,172.7-166H551z"/>
<path class="st0" d="M551,366.8c-3.6,85.5-74.3,154-160.7,154c-22.7,0-44.3-4.7-63.8-13.2l-4.8,11c21,9.1,44.2,14.2,68.6,14.2
c93,0,169.1-73.9,172.7-166H551z"/>
<path d="M390.3,199.1v-12c-95.3,0-172.9,77.5-172.9,172.9c0,25.6,5.6,49.9,15.6,71.7l10.9-5c-9.3-20.3-14.5-42.9-14.5-66.7
C229.4,271.3,301.6,199.1,390.3,199.1"/>
<path class="st0" d="M390.3,199.1v-12c-95.3,0-172.9,77.5-172.9,172.9c0,25.6,5.6,49.9,15.6,71.7l10.9-5
c-9.3-20.3-14.5-42.9-14.5-66.7C229.4,271.3,301.6,199.1,390.3,199.1z"/>
<path d="M390.3,240.1c38.6,0,73,18.4,95,46.8H500c-23.7-35.4-64-58.8-109.7-58.8c-72.7,0-131.9,59.2-131.9,131.9
s59.2,131.9,131.9,131.9c70.4,0,128.1-55.5,131.7-125h-6.5h-5.5h-77.6v12h76.4c-9.1,57.2-58.7,101-118.4,101
c-66.1,0-119.9-53.8-119.9-119.9C270.4,293.9,324.2,240.1,390.3,240.1"/>
<path class="st0" d="M390.3,240.1c38.6,0,73,18.4,95,46.8H500c-23.7-35.4-64-58.8-109.7-58.8c-72.7,0-131.9,59.2-131.9,131.9
s59.2,131.9,131.9,131.9c70.4,0,128.1-55.5,131.7-125h-6.5h-5.5h-77.6v12h76.4c-9.1,57.2-58.7,101-118.4,101
c-66.1,0-119.9-53.8-119.9-119.9C270.4,293.9,324.2,240.1,390.3,240.1z"/>
</g>
</svg>



@ -25,6 +25,7 @@ Parsers:
- _ASim_AuditEvent_CiscoMeraki
- _ASim_AuditEvent_BarracudaWAF
- _ASim_AuditEvent_VectraXDRAudit
- _ASim_AuditEvent_SentinelOne
ParserParams:
- Name: pack
@ -42,5 +43,6 @@ ParserQuery: |
ASimAuditEventCiscoMeraki (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMeraki' in (DisabledParsers))),
ASimAuditEventBarracudaWAF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaWAF' in (DisabledParsers))),
ASimAuditEventCiscoISE (BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))),
ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers)))
ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers))),
ASimAuditEventSentinelOne (BuiltInDisabled or ('ExcludeASimAuditEventSentinelOne' in (DisabledParsers)))
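Review bot: The re-emitted line `ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers))),` appears to be the only entry in the union that has no space between the parser name and its argument list, while every neighbouring entry in the hunk writes `Name (BuiltInDisabled or ...)`. Since the commit already rewrites this line to add the trailing comma, this is the moment to align it with the others: `ASimAuditEventVectraXDRAudit (BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers))),`. The new `ASimAuditEventSentinelOne` entry itself follows the surrounding pattern and has a matching `- _ASim_AuditEvent_SentinelOne` line in the `Parsers:` list of the first hunk. The `ParserQuery` block being edited starts above the second hunk, so the full union is not visible here.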


@ -0,0 +1,663 @@
Parser:
Title: Audit Event ASIM parser for SentinelOne
Version: '0.1.0'
LastUpdated: Oct 05 2023
Product:
Name: SentinelOne
Normalization:
Schema: AuditEvent
Version: '0.1'
References:
- Title: ASIM Audit Event Schema
Link: https://aka.ms/ASimAuditEventDoc
- Title: ASIM
Link: https://aka.ms/AboutASIM
- Title: SentinelOne documentation
Link: https://<SOneInstanceDomain>.sentinelone.net/api-doc/overview
Description: |
This ASIM parser supports normalizing SentinelOne logs to the ASIM Audit Event normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
ParserName: ASimAuditEventSentinelOne
EquivalentBuiltInParser: _ASim_AuditEvent_SentinelOne
ParserParams:
- Name: disabled
Type: bool
Default: false
ParserQuery: |
let EventFieldsLookup = datatable(
activityType_d: real,
Operation: string,
EventType_activity: string,
EventSubType: string,
EventResult: string,
Object: string,
ObjectType: string
)
[
39, "Research Settings Modified", "", "", "Success", "Research Settings", "Policy Rule",
41, "Learning Mode Settings Modified", "Set", "", "Success", "Mitigation policy", "Policy Rule",
44, "Auto decommission On", "Enable", "", "Success", "Auto decommission", "Service",
45, "Auto decommission Off", "Disable", "", "Success", "Auto decommission", "Service",
46, "Auto Decommission Period Modified", "Set", "", "Success", "Auto decommission", "Service",
56, "Auto Mitigation Actions Modified", "Set", "", "Success", "Mitigation action", "Other",
57, "Quarantine Network Settings Modified", "", "", "Success", "NetworkSettings", "Configuration Atom",
68, "Engine Modified In Policy", "Set", "", "Success", "Engine Policy", "Policy Rule",
69, "Mitigation Policy Modified", "Set", "", "Success", "Threat Mitigation Policy", "Policy Rule",
70, "Policy Setting - Agent Notification On Suspicious Modified", "", "", "Success", "Agent notification", "Service",
82, "Monitor On Execute", "", "", "Success", "On execute setting", "Configuration Atom",
83, "Monitor On Write", "", "", "Success", "On write setting", "Configuration Atom",
105, "Deep Visibility Settings Modified", "", "", "Success", "Deep Visibility Setting", "Configuration Atom",
116, "Policy Settings Modified", "Disable", "", "Success", "Policy Settings", "Policy Rule",
150, "Live Security Updates Policy Modified", "", "", "Success", "Live Security Updates Policy", "Policy Rule",
151, "Live Security Updates Policy Inheritance Setting Changed", "Set", "", "Success", "Live Security Updates Policy", "Policy Rule",
200, "File Upload Settings Modified", "Set", "", "Success", "Binary Vault Settings", "Configuration Atom",
201, "File Upload Enabled/Disabled", "", "", "Success", "Binary Vault", "Policy Rule",
4004, "Policy Setting - Show Suspicious Activities Configuration Enabled", "Enable", "", "Success", "Policy Setting", "Policy Rule",
4005, "Policy Setting - Show Suspicious Activities Configuration Disabled", "Disable", "", "Success", "Policy Setting", "Policy Rule",
4104, "STAR Manual Response Marked Event As Malicious", "Set", "", "Success", "computerName", "Other",
4105, "STAR Manual Response Marked Event As Suspicious", "Set", "", "Success", "computerName", "Other",
5012, "Group Token Regenerated", "Create", "", "Success", "Token", "Policy Rule",
5020, "Site Created", "Create", "", "Success", "", "Other",
5021, "Site Modified", "Set", "", "Success", "", "Other",
5022, "Site Deleted", "Delete", "", "Success", "", "Other",
5024, "Site Policy Reverted", "", "", "Success", "", "Other",
5025, "Site Marked As Expired", "Disable", "", "Success", "", "Other",
5026, "Site Duplicated", "Create", "", "Success", "", "Other",
5027, "Site Token Regenerated", "Create", "", "Success", "", "Other",
6000, "Mobile Policy updated", "Set", "", "Success", "Mobile Policy", "Policy Rule",
6001, "Mobile Policy created", "Create", "", "Success", "Mobile Policy", "Policy Rule",
6002, "Mobile Policy removed", "Delete", "", "Success", "Mobile Policy", "Policy Rule",
6010, "UEM Connection created", "Create", "", "Success", "MDM Connection", "Configuration Atom",
6011, "UEM Connection updated", "Set", "", "Success", "MDM Connection", "Configuration Atom",
6012, "UEM Connection Removed", "Delete", "", "Success", "MDM Connection", "Configuration Atom",
73, "Scan New Agents Changed", "", "", "Success", "Scan new agents Setting", "Configuration Atom",
76, "Anti Tampering Modified", "", "", "Success", "Anti tampering setting", "Configuration Atom",
77, "Agent UI Settings Modified", "Set ", "", "Success", "Agent UI setting", "Configuration Atom",
78, "Snapshots Settings Modified", "", "", "Success", "Snapshots setting", "Configuration Atom",
79, "Agent Logging Modified", "", "", "Success", "Agent logging setting", "Configuration Atom",
84, "Deep Visibility Settings Modified", "", "", "Success", "Deep Visibility setting", "Configuration Atom",
87, "Remote Shell Settings Modified", "", "", "Success", "Remote Shell Settings", "Configuration Atom",
2100, "Upgrade Policy - Concurrency Limit Changed", "Set", "", "Success", "Policy Upgrade", "Policy Rule",
2101, "Upgrade Policy - Concurrency Limit Inheritance Changed", "Set", "", "Success", "Policy Upgrade", "Policy Rule",
2111, "Upgrade Policy - Maintenance Window Time Inheritance Changed", "Set", "", "Success", "Policy Upgrade", "Policy Rule",
];
let EventFieldsLookupMachineActivity = datatable(
activityType_d: real,
Operation: string,
EventType_machineactivity: string,
EventSubType_machineactivity: string,
EventResult: string,
Object: string,
ObjectType: string
)
[
52, "User Approved Agent Uninstall Request", "Other", "Approve", "Success", "Agent", "Service",
53, "User Rejected Agent Uninstall Request", "Other", "Reject", "Failure", "Agent", "Service",
54, "User Decommissioned Agent", "Disable", "", "Success", "Agent", "Service",
55, "User Recommissioned Agent", "Enable", "", "Success", "Agent", "Service",
61, "User Disconnected Agent From Network", "Execute", "", "Success", "Agent", "Service",
62, "User Reconnected Agent to Network", "Execute", "", "Success", "Agent", "Service",
63, "User Shutdown Agent", "Execute", "", "Success", "Agent", "Service",
93, "User Reset Agent's Local Config", "Set", "", "Success", "Local config", "Configuration Atom",
95, "User Moved Agent to Group", "Other", "Move", "Success", "Agent", "Service",
117, "User Disabled Agent", "Execute", "", "Success", "Agent", "Service",
118, "User Enabled Agent", "Execute", "", "Success", "Agent", "Service",
4100, "User Marked Deep Visibility Event As Threat", "Set", "", "Success", "Deep Visibility Event", "Other",
4101, "User Marked Deep Visibility Event As Suspicious", "Set", "", "Success", "Deep Visibility Event", "Other",
];
let EventFieldsLookupAccountActivity = datatable(
activityType_d: real,
Operation: string,
EventType_accountactivity: string,
EventSubType_accountactivity: string,
EventResult: string,
Object: string,
ObjectType: string
)
[
130, "Opt-in To EA program", "Create", "", "Success", "", "Other",
131, "Opt-out From EA Program", "Delete", "", "Success", "", "Other",
5040, "Account Created", "Create", "", "Success", "", "Other",
5041, "Account Modified", "Set", "", "Success", "", "Other",
5042, "Account Deleted", "Delete", "", "Success", "", "Other",
5044, "Account Policy Reverted", "Set", "", "Success", "", "Other",
7200, "Add cloud account", "Create", "", "Success", "", "Other",
7201, "Disable cloud Account", "Disable", "", "Success", "", "Other",
7202, "Enable cloud Account", "Enable", "", "Success", "", "Other"
];
let EventFieldsLookup_useractivity = datatable(
activityType_d: real,
Operation: string,
EventType_useractivity: string,
EventSubType_useractivity: string,
EventResult: string,
Object: string,
ObjectType: string
)
[
88, "User Remote Shell Modified", "", "", "Success", "Remote Shell", "Configuration Atom",
114, "API Token Revoked", "Disable", "", "Success", "API Token", "Service"
];
let EventFieldsLookup_otheractivity = datatable(
activityType_d: real,
Operation: string,
EventType_otheractivity: string,
EventSubType_otheractivity: string,
EventResult: string,
Object: string,
ObjectType: string
)
[
2, "Hash Defined as Malicious By Cloud", "Set", "", "Success", "", "Other",
40, "Cloud Intelligence Settings Modified", "", "", "Success", "Cloud Intelligence Settings", "Policy Rule",
58, "Notification Option Level Modified", "Set", "", "Success", "Notification Level", "Service",
59, "Event Severity Level Modified", "Set", "", "Success", "EventSeverity Level", "Other",
60, "Notification - Recipients Configuration Modified", "Set", "", "Success", "Recipients configuration", "Policy Rule",
101, "User Changed Agent's Customer Identifier", "Set", "", "Success", "Customer Identifier string", "Configuration Atom",
106, "User Commanded Agents To Move To Another Console", "Execute", "", "Failure", "Agents", "Service",
107, "User Created RBAC Role", "Create", "", "Success", "", "Other",
108, "User Edited RBAC Role", "Set", "", "Success", "", "Other",
109, "User Deleted RBAC Role", "Delete", "", "Success", "", "Other",
112, "API token Generated", "Create", "", "Success", "API Token", "Service",
113, "API Token Revoked", "Disable", "", "Success", "API Token", "Service",
129, "Allowed Domains Settings Changed", "Set", "", "Success", "User Domain Setting", "Other",
1501, "Location Created", "Create", "", "Success", "", "Service",
1502, "Location Copied", "Set", "Copy", "Success", "", "Service",
1503, "Location Modified", "Set", "", "Success", "", "Service",
1504, "Location Deleted", "Delete", "", "Success", "", "Service",
2011, "User Issued Kill Command", "Execute", "", "Success", "", "Other",
2012, "User Issued Remediate Command", "Execute", "", "Success", "", "Other",
2013, "User Issued Rollback Command", "Execute", "", "Success", "", "Other",
2014, "User Issued Quarantine Command", "Execute", "", "Success", "", "Other",
2015, "User Issued Unquarantine Command", "Execute", "", "Success", "", "Other",
2016, "User Marked Application As Threat", "Set", "", "Success", "", "Other",
2028, "Threat Incident Status Changed", "Set", "", "Success", "", "Other",
2029, "Ticket Number Changes", "Set", "", "Success", "", "Other",
2030, "Analyst Verdict Changes", "Set", "", "Success", "", "Other",
2036, "Threat Confidence Level Changed By Agent", "Set", "", "Success", "", "Other",
2037, "Threat Confidence Level Changed By Cloud", "Set", "", "Success", "", "Other",
3001, "User Added Hash Exclusion", "Set", "", "Success", "Hash", "Other",
3002, "User Added Blocklist Hash", "Set", "", "Success", "Hash", "Other",
3008, "New Path Exclusion", "Create", "", "Success", "Path", "Other",
3009, "New Signer Identity Exclusion", "Create", "", "Success", "Signer Identity", "Other",
3010, "New File Type Exclusion", "Create", "", "Success", "File Type", "Other",
3011, "New Browser Type Exclusion", "Create", "", "Success", "Browser Type", "Other",
3012, "Path Exclusion Modified", "Set", "", "Success", "Path", "Other",
3013, "Signer Identity Exclusion Modified", "Set", "", "Success", "Signer Identity", "Other",
3014, "File Type Exclusion Modified", "Set", "", "Success", "File Type", "Other",
3015, "Browser Type Exclusion Modified", "Set", "", "Success", "Browser Type", "Other",
3016, "Path Exclusion Deleted", "Delete", "", "Success", "Path", "Other",
3017, "Signer Identity Exclusion Deleted", "Delete", "", "Success", "Signer Identity", "Other",
3018, "File Type Exclusion Deleted", "Delete", "", "Success", "File Type", "Other",
3019, "Browser Type Exclusion Deleted", "Delete", "", "Success", "Browser Type", "Other",
3020, "User Deleted Hash From Blocklist", "Delete", "", "Success", "Hash", "Other",
3021, "User Deleted Hash Exclusion", "Delete", "", "Success", "Hash", "Other",
3100, "User Added Package", "Create", "", "Success", "Package", "Other",
3101, "User Modified Package", "Set", "", "Success", "Package", "Other",
3102, "User Deleted Package", "Delete", "", "Success", "Package", "Other",
3103, "Package Deleted By System - Too Many Packages", "Delete", "", "Success", "Package", "Other",
3500, "User Toggled Ranger Status", "Set", "", "Success", "Ranger Settings", "Other",
3501, "Ranger Settings Modified", "Set", "", "Success", "Ranger Settings", "Configuration Atom",
3502, "Ranger Network Settings Modified", "Set", "", "Success", "Ranger Network Setting", "Other",
3506, "Ranger - Device Review Modified", "Set", "", "Success", "Device Review", "Other",
3507, "Ranger - Device Tag Modified On Host", "Set", "", "Success", "Device Tag", "Other",
3521, "Ranger Deploy Initiated", "Initialize", "", "Success", "Ranger Deploy", "Other",
3525, "Ranger Deploy - Credential Created", "Create", "", "Success", "Credential", "Configuration Atom",
3526, "Ranger Deploy - Credential Deleted", "Delete", "", "Success", "Credential", "Configuration Atom",
3527, "Ranger Deploy - Credential Overridden", "Set", "", "Success", "Credential", "Configuration Atom",
3530, "Ranger Labels Updated", "Set", "", "Success", "Ranger Labels", "Other",
3531, "Ranger labels reverted", "Set", "", "Success", "Ranger Labels", "Other",
3600, "Custom Rules - User Created A Rule", "Create", "", "Success", "", "Policy Rule",
3601, "Custom Rules - User Changed A Rule", "Set", "", "Success", "", "Policy Rule",
3602, "Custom Rules - User Deleted A Rule", "Delete", "", "Success", "", "Policy Rule",
3603, "Custom Rules - Rule Status Changed", "Set", "", "Success", "", "Policy Rule",
3604, "Custom Rules - Rule Status Change Failed", "Set", "", "Failure", "", "Policy Rule",
3626, "User 2FA Email Verification Changed", "Set", "", "Success", "", "Service",
3628, "2FA Code Verification", "Set", "", "Success", "2FA", "Service",
3641, "Ranger self Provisioning Default Features Modified", "Set", "", "Success", "", "Other",
3650, "Tag Manager - User Created New Tag", "Create", "", "Success", "Tag", "Other",
3651, "Tag Manager - User Modified Tag", "Set", "", "Success", "Tag", "Other",
3652, "Tag Manager - User Deleted Tag", "Delete", "", "Success", "Tag", "Other",
3653, "Tag Manager - User Attached Tag", "Other", "Attach", "Success", "Tags", "Other",
3654, "Tag Manager - User Detached Tag", "Detach", "", "Success", "Tags", "Other",
3750, "Auto-Upgrade Policy Created", "Create", "", "Success", "", "Policy Rule",
3751, "Auto-Upgrade Policy Disabled", "Disable", "", "Success", "", "Policy Rule",
3752, "Auto-Upgrade Policy Activated", "Enable", "", "Success", "", "Policy Rule",
3753, "Auto-Upgrade Policy Deleted", "Delete", "", "Success", "", "Policy Rule",
3754, "Auto-Upgrade Policy Reordered", "Other", "Reorder", "Success", "", "Policy Rule",
3755, "Upgrade Policy Inheritance Setting Changed", "Set", "", "Success", "Upgrade Policy", "Policy Rule",
3756, "Auto-Upgrade Policy Edited", "Set", "", "Success", "", "Policy Rule",
3767, "Local Upgrade Authorized", "Other", "Authorize", "Success", "Local Upgrade Authorization", "Service",
3768, "Local Upgrade Authorized", "Other", "Authorize", "Success", "Local Upgrade Authorization", "Service",
3769, "Local Upgrade Authorized", "Other", "Authorize", "Success", "Local Upgrade Authorization", "Service",
3770, "Local Upgrade Authorization Expiry Date Changed", "Set", "", "Success", "Local Upgrade Authorization", "Service",
3771, "Local Upgrade Authorization Expiry Date Changed", "Set", "", "Success", "Local Upgrade Authorization", "Service",
3772, "Local Upgrade Unauthorized", "Other", "Unauthorize", "Failure", "Local Upgrade Authorization", "Service",
3773, "Local Upgrade Authorization Inherits from Site Level", "Set", "", "Success", "Local Upgrade Authorization", "Service",
3774, "Local Upgrade Authorization Inherits from Site Level", "Set", "", "Success", "Local Upgrade Authorization", "Service",
4001, "Suspicious Threat Was Marked As Threat", "Set", "", "Success", "", "Other",
4002, "Suspicious Threat Was Resolved", "Set", "", "Success", "", "Other",
4006, "Remember Me Length Modified", "Set", "", "Success", "Stay Sign in Duration", "Policy Rule",
4007, "Suspicious Threat Was Marked As Benign", "Set", "", "Success", "", "Other",
4008, "Threat Mitigation Status Changed", "Set", "", "Success", "", "Other",
4009, "Process Was Marked As Threat", "Set", "", "Success", "", "Other",
4011, "Suspicious Threat Was Unresolved", "Set", "", "Failure", "", "Other",
4012, "UI Inactivity Timeout Modified", "Set", "", "Success", "Inactivity timeout", "Configuration Atom",
5242, "Ranger - Device Tag Created", "Create", "", "Success", "", "Other",
5243, "Ranger - Device Tag Updated", "Set", "", "Success", "", "Other",
5244, "Ranger - Device Tag Deleted", "Delete", "", "Success", "", "Other",
5250, "Firewall Control Tag Created", "Create", "", "Success", "", "Other",
5251, "Firewall Control Tag Updated", "Set", "", "Success", "", "Other",
5252, "Firewall Control Tag Updated", "Delete", "", "Success", "", "Other",
5253, "Network Quarantine Control Tag Created", "Create", "", "Success", "", "Other",
5254, "Network Quarantine Control Tag Updated", "Set", "", "Success", "", "Other",
5255, "Network Quarantine Control Tag Deleted", "Delete", "", "Success", "", "Other",
5256, "Firewall Control Tag Added/Removed From Rule", "", "", "Success", "", "Policy Rule",
5257, "Firewall Control Tag Inherited", "Set", "", "Success", "Firewall Control tags", "Other",
5258, "Network Quarantine Control Tag Added/Removed From Rule", "", "", "Success", "", "Policy Rule",
5259, "Network Quarantine Control Tag Inherited", "Set", "", "Success", "Network Quarantine Control Tag", "Other",
7500, "Remote Ops Password Configured", "Set", "", "Success", "Remote Ops password configuration", "Configuration Atom",
7501, "Remote Ops Password Deleted", "Delete", "", "Success", "Remote Ops password configuration", "Configuration Atom",
7602, "User Edited Run Script Guardrails", "Set", "", "Success", "Guardrails", "Service",
7603, "User Enabled Run Script Guardrails", "Enable", "", "Success", "Guardrails", "Service",
7604, "User Disabled Run Script Guardrails", "Disable", "", "Success", "Guardrails", "Service",
5120, "Device Rule Created", "Create", "", "Success", "", "Policy Rule",
5121, "Device Rule Modified", "Set", "", "Success", "", "Policy Rule",
5122, "Device Rule Deleted", "Delete", "", "Success", "", "Policy Rule",
5123, "Device Rules Reordered", "Set", "", "Success", "", "Policy Rule",
5124, "Device Rules Settings Modified", "Set", "", "Success", "Device Control settings", "Policy Rule",
5129, "Device Rule Copied To Scope", "Set", "", "Success", "", "Policy Rule",
5220, "Firewall Rule Created", "Create", "", "Success", "", "Policy Rule",
5221, "Firewall Rule Modified", "Set/Other", "", "Success", "", "Policy Rule",
5222, "Firewall Rule Deleted", "Delete", "", "Success", "", "Policy Rule",
5225, "Firewall Control Settings Modified", "Set", "", "Success", "Firewall Rule", "Policy Rule",
5226, "Firewall Rules Reordered", "Set", "", "Success", "Firewall Rule", "Policy Rule",
5231, "Firewall Rule Copied To Scope", "Set", "", "Success", "", "Policy Rule",
5234, "Network Quarantine Rule Created", "Create", "", "Success", "", "Policy Rule",
5235, "Network Quarantine Rule Modified", "Set", "", "Success", "", "Policy Rule",
5236, "Network Quarantine Rule Deleted", "Delete", "", "Success", "", "Policy Rule",
5237, "Network Quarantine Control Settings Modified", "Set", "", "Success", "Network Quarantine Rule", "Policy Rule",
5238, "Network Quarantine Rules Reordered", "Set", "", "Success", "Network Quarantine Rule", "Policy Rule",
5241, "Network Quarantine Rule Copied To Scope", "Set", "", "Success", "", "Policy Rule",
6030, "Mobile Device Updated", "Other", "", "Success", "Device", "Other",
6053, "Mobile Incident Resolved", "Set", "", "Success", "", "Other",
6054, "Mobile Incident Status Changed", "Set", "", "Success", "", "Other",
6055, "Mobile Incident Analyst Verdict Changed", "Set", "", "Success", "", "Other"
];
let EventTypeLookup_onoff = datatable(
field: string,
EventType_field: string,
NewValue_field: string
)
[
"true", "Enable", "on",
"false", "Disable", "off"
];
let EventTypeLookup_enableddisabled = datatable(
field: string,
EventType_fieldenableddisabled: string,
NewValue_fieldenableddisabled: string
)
[
"true", "Enable", "enabled",
"false", "Disable", "disabled"
];
let EventSeverityLookup = datatable (EventResult: string, EventSeverity_lookup: string)
[
"Success", "Informational",
"Failure", "Low"
];
let EventSeverityLookup_activity = datatable (activityType_d: real, EventSeverity_activity: string)
[
4100, "Medium",
4101, "High",
2016, "Medium",
2028, "Low",
4001, "Medium",
4002, "Low",
4007, "Low",
4008, "Medium",
4009, "Medium",
4011, "High",
2, "Medium",
2011, "Low",
2012, "Low",
2013, "Medium",
2014, "Low",
2015, "Low",
4002, "Low",
4104, "High",
4105, "Medium"
];
let ThreatConfidenceLookup_undefined = datatable(
threatInfo_analystVerdict_s: string,
ThreatConfidence_undefined: int
)
[
"false_positive", 5,
"undefined", 15,
"suspicious", 25,
"true_positive", 33
];
let ThreatConfidenceLookup_suspicious = datatable(
threatInfo_analystVerdict_s: string,
ThreatConfidence_suspicious: int
)
[
"false_positive", 40,
"undefined", 50,
"suspicious", 60,
"true_positive", 67
];
let ThreatConfidenceLookup_malicious = datatable(
threatInfo_analystVerdict_s: string,
ThreatConfidence_malicious: int
)
[
"false_positive", 75,
"undefined", 80,
"suspicious", 90,
"true_positive", 100
];
let parser = (disabled: bool=false) {
let RawGroupSiteActivityIds = dynamic([39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111]);
let RawOtherActivityIds = dynamic([2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);
let activitydata = SentinelOne_CL
| where not(disabled) and event_name_s == "Activities."
| project-away
threatInfo_confidenceLevel_s,
threatInfo_analystVerdict_s,
threatInfo_threatName_s,
threatInfo_incidentStatus_s,
threatInfo_identifiedAt_t,
threatInfo_updatedAt_t,
threatInfo_threatId_s,
mitigationStatus_s;
let rawgroupsiteactivitydata = activitydata
| where activityType_d in (RawGroupSiteActivityIds)
| parse-kv DataFields_s as (username: string, userName: string, userFullName: string, newValue: string, policyEnabled: string, siteName: string, oldValue: string, ipAddress: string, oldSiteName: string, policy: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
| parse-kv policy as (id: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
| project-rename ObjectId = id
| lookup EventFieldsLookup on activityType_d;
let groupsiteactivitydata_onoff = rawgroupsiteactivitydata
| where activityType_d in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150)
| lookup EventTypeLookup_onoff on $left.newValue == $right.field
| lookup EventTypeLookup_onoff on $left.policyEnabled == $right.field
| extend
EventType = coalesce(EventType_field, EventType_field1),
NewValue = coalesce(NewValue_field, NewValue_field1);
let groupsiteactivitydata_enabledisabled = rawgroupsiteactivitydata
| where activityType_d in (70, 82, 83, 201)
| lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field
| extend
EventType = EventType_fieldenableddisabled,
NewValue = NewValue_fieldenableddisabled;
let groupsiteactivitydata_other = rawgroupsiteactivitydata
| where activityType_d !in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150, 70, 82, 83, 201)
| extend EventType = EventType_activity;
let groupsiteactivitydata = union
groupsiteactivitydata_onoff,
groupsiteactivitydata_enabledisabled,
groupsiteactivitydata_other
| extend
ActorUsername = coalesce(username, userName, userFullName),
Object = coalesce(Object, siteName, oldSiteName),
NewValue = coalesce(NewValue, newValue),
OldValue = oldValue;
let machineactivitydata = activitydata
| where activityType_d in (52, 53, 54, 55, 61, 62, 63, 93, 95, 117, 118, 4100, 4101)
| parse-kv DataFields_s as (username: string, userName: string, computerName: string, threatClassification: string, ipAddress: string, groupName: string, targetGroupName: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
| lookup EventFieldsLookupMachineActivity on activityType_d
| extend
EventType = EventType_machineactivity,
EventSubType = EventSubType_machineactivity,
ThreatCategory_datafields = threatClassification,
OldValue = groupName,
NewValue = targetGroupName,
ObjectId = agentId_s
| extend ActorUsername = coalesce(username, userName)
| invoke _ASIM_ResolveDvcFQDN('computerName');
let accountactivitydata = activitydata
| where activityType_d in (130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203)
| parse-kv DataFields_s as (username: string, accountName: string, cloudProviderAccountName: string, ipAddress: string, accountId: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
| lookup EventFieldsLookupAccountActivity on activityType_d
| extend
EventType = EventType_accountactivity,
EventSubType = EventSubType_accountactivity,
Object = coalesce(accountName, cloudProviderAccountName),
ObjectId = accountId;
let useractivitydata = activitydata
| where activityType_d in (88, 114)
| parse-kv DataFields_s as (username: string, byUser: string, newValue: string, ipAddress: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
| lookup EventFieldsLookup_useractivity on activityType_d
| lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field
| extend
ActorUsername = byUser,
EventType = coalesce(EventType_useractivity, EventType_fieldenableddisabled),
EventSubType = EventSubType_useractivity,
NewValue = NewValue_fieldenableddisabled;
let rawotheractivitydata = activitydata
| where activityType_d in (RawOtherActivityIds)
| parse-kv DataFields_s as (username: string, userName: string, email: string, globalTwoFaEnabled: string, cloudIntelligenceOn: string, fileDisplayName: string, roleName: string, oldIncidentStatusTitle: string, oldTicketId: string, oldAnalystVerdictTitle: string, oldConfidenceLevel: string, previous: string, oldStatus: string, oldTagName: string, oldTagDescription: string, newIncidentStatusTitle: string, newTicketId: string, newAnalystVerdictTitle: string, newConfidenceLevel: string, newStatus: string, current: string, Status: string, newTagName: string, newTagDescription: string, value: string, rulesAdded: string, rulesRemoved: string, tagsAdded: string, tagsRemoved: string, incidentName: string, ruleName: string, deviceId: string, ip: string, externalIp: string, affectedDevices: string, featureValue: string, featureName: string, recoveryEmail: string, policyName: string, tagName: string, gatewayExternalIp: string, gatewayMac: string, threatClassification: string, ipAddress: string, applicationPath: string, externalId: string, consoleUrl: string, ruleId: string, policyId: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
| lookup EventFieldsLookup_otheractivity on activityType_d
| lookup EventTypeLookup_onoff on $left.cloudIntelligenceOn == $right.field
| lookup EventTypeLookup_onoff on $left.globalTwoFaEnabled == $right.field
| extend
ActorUsername = coalesce(username, userName),
EventType = coalesce(EventType_otheractivity, EventType_field, EventType_field1),
EventSubType = EventSubType_otheractivity,
Object = coalesce(Object, fileDisplayName, applicationPath, roleName, ruleName, incidentName, recoveryEmail, featureName, policyName, tagName),
NewValue = coalesce(newIncidentStatusTitle, newTicketId, newAnalystVerdictTitle, newConfidenceLevel, newStatus, current, Status, newTagName, newTagDescription, featureValue),
OldValue = coalesce(oldIncidentStatusTitle, oldTicketId, oldAnalystVerdictTitle, oldConfidenceLevel, oldStatus, previous, oldTagName, oldTagDescription),
TargetIpAddr = coalesce(externalIp, ip, gatewayExternalIp),
ThreatCategory_datafields = threatClassification,
RuleName = ruleName,
TargetDvcId = deviceId,
ObjectId = coalesce(ruleId, policyId, externalId, deviceId)
| invoke _ASIM_ResolveDstFQDN('affectedDevices')
| project-rename
TargetHostname = DstHostname,
TargetDomain = DstDomain,
TargetDomainType = DstDomainType,
TargetFQDN = DstFQDN,
TargetUrl = consoleUrl;
let parsedotheractivitydata_eventtype = rawotheractivitydata
| where activityType_d in (5256, 5258)
| extend EventType = case(
isnotempty(rulesAdded) or isnotempty(tagsAdded),
"Create",
isnotempty(rulesRemoved) or isnotempty(tagsRemoved),
"Delete",
"Set"
);
let parsedotheractivitydata_objectvalue = rawotheractivitydata
| where activityType_d in (3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3650, 3651, 3652, 3653, 3654)
| extend Object = strcat(Object, ' ', value);
let parsedotheractivitydata_severity = rawotheractivitydata
| where activityType_d in (2036, 2037, 2030)
| extend EventSeverity_specific = case(
primaryDescription_s has_any ("to malicious", "to True positive"),
"High",
primaryDescription_s has_any ("to suspicious", "to Undefined"),
"Medium",
primaryDescription_s has "to False positive",
"Low",
"Informational"
);
let ParsedActivitydata = union
groupsiteactivitydata,
machineactivitydata,
accountactivitydata,
useractivitydata,
rawotheractivitydata,
parsedotheractivitydata_eventtype,
parsedotheractivitydata_objectvalue
| where activityType_d !in(2030, 2036, 2037)
| lookup EventSeverityLookup on EventResult
| lookup EventSeverityLookup_activity on activityType_d;
let UnParsedActivitydatawithThreat = union ParsedActivitydata, parsedotheractivitydata_severity
| where isnotempty(threatId_s)
| join kind=inner (SentinelOne_CL
| where event_name_s == "Threats."
| project
TimeGenerated,
threatInfo_confidenceLevel_s,
threatInfo_analystVerdict_s,
threatInfo_threatName_s,
threatInfo_incidentStatus_s,
threatInfo_identifiedAt_t,
threatInfo_updatedAt_t,
threatInfo_threatId_s,
mitigationStatus_s)
on $left.threatId_s == $right.threatInfo_threatId_s
| where TimeGenerated1 >= TimeGenerated
| summarize arg_min(TimeGenerated1, *) by activityType_d, threatId_s, createdAt_t, TimeGenerated;
let undefineddata = UnParsedActivitydatawithThreat
| where threatInfo_confidenceLevel_s == "Undefined"
| lookup ThreatConfidenceLookup_undefined on threatInfo_analystVerdict_s;
let suspiciousdata = UnParsedActivitydatawithThreat
| where threatInfo_confidenceLevel_s == "suspicious"
| lookup ThreatConfidenceLookup_suspicious on threatInfo_analystVerdict_s;
let maliciousdata = UnParsedActivitydatawithThreat
| where threatInfo_confidenceLevel_s == "malicious"
| lookup ThreatConfidenceLookup_malicious on threatInfo_analystVerdict_s;
let ParsedActivitydatawithThreat = union undefineddata, suspiciousdata, maliciousdata
| extend
ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),
AdditionalFields = bag_pack(
"threatUpdatedAt",
threatInfo_updatedAt_t,
"threatAnalystVerdict",
threatInfo_analystVerdict_s,
"threatIncidentStatus",
threatInfo_incidentStatus_s,
"mitigationStatus",
mitigationStatus_s
)
| project-rename
ThreatId = threatId_s,
ThreatName = threatInfo_threatName_s,
ThreatFirstReportedTime = threatInfo_identifiedAt_t,
ThreatCategory_threats = threatInfo_classification_s,
ThreatOriginalConfidence = threatInfo_confidenceLevel_s;
let ParsedActivitydatawithoutThreat = ParsedActivitydata
| where isempty(threatId_s);
union ParsedActivitydatawithThreat, ParsedActivitydatawithoutThreat
| extend
EventSeverity = coalesce(EventSeverity_specific, EventSeverity_activity, EventSeverity_lookup),
EventProduct = "SentinelOne",
EventVendor = "SentinelOne",
EventSchema = "AuditEvent",
EventSchemaVersion = "0.1",
EventCount = toint(1),
AdditionalFields = bag_merge(AdditionalFields, todynamic(DataFields_s)),
EventOriginalType = tostring(toint(activityType_d)),
SrcIpAddr = iff(ipAddress != "null", ipAddress, ""),
DvcAction = iff(EventResult == "Success", "Allow", "Deny"),
ThreatCategory = coalesce(ThreatCategory_datafields, ThreatCategory_threats)
| project-rename
EventStartTime = createdAt_t,
EventUid = _ItemId,
EventMessage = primaryDescription_s,
ActorUserId = userId_s,
DvcId = agentId_s,
EventOriginalUid = activityUuid_g
| extend
ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),
ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),
ActorUserIdType = iff(isnotempty(ActorUserId), "Other", ""),
DvcIdType = iff(isnotempty(DvcId), "Other", ""),
TargetDvcIdType = iff(isnotempty(TargetDvcId), "Other", ""),
ValueType = iff(isnotempty(NewValue), "Other", "")
| extend
EventEndTime = EventStartTime,
User = ActorUsername,
IpAddr = SrcIpAddr,
Dvc = coalesce(DvcHostname, DvcId, EventProduct),
Dst = coalesce(TargetHostname, TargetIpAddr),
Src = SrcIpAddr,
Rule = RuleName,
Value = NewValue
| project-away
*_d,
*_s,
*_t,
*_g,
*_b,
Computer,
MG,
ManagementGroupName,
RawData,
SourceSystem,
TenantId,
username,
userName,
userFullName,
newValue,
policyEnabled,
siteName,
oldValue,
computerName,
accountName,
cloudProviderAccountName,
email,
globalTwoFaEnabled,
cloudIntelligenceOn,
fileDisplayName,
roleName,
oldIncidentStatusTitle,
oldTicketId,
oldAnalystVerdictTitle,
oldConfidenceLevel,
previous,
oldStatus,
oldTagName,
oldTagDescription,
newIncidentStatusTitle,
newTicketId,
newAnalystVerdictTitle,
newConfidenceLevel,
newStatus,
current,
Status,
newTagName,
newTagDescription,
value,
rulesAdded,
rulesRemoved,
tagsAdded,
tagsRemoved,
incidentName,
ruleName,
deviceId,
ip,
externalIp,
affectedDevices,
featureValue,
featureName,
recoveryEmail,
policyName,
policy,
tagName,
gatewayExternalIp,
gatewayMac,
threatClassification,
applicationPath,
externalId,
groupName,
oldSiteName,
targetGroupName,
ipAddress,
EventType_*,
EventSubType_*,
EventSeverity_*,
NewValue_*,
_ResourceId,
TimeGenerated1,
ThreatCategory_*,
ThreatConfidence_*,
accountId,
policyId,
ruleId,
byUser
};
parser(disabled=disabled)


@ -25,6 +25,7 @@ Parsers:
- _Im_AuditEvent_CiscoMeraki
- _Im_AuditEvent_BarracudaWAF
- _Im_AuditEvent_VectraXDRAudit
- _Im_AuditEvent_SentinelOne
ParserParams:
- Name: starttime
Type: datetime
@ -68,5 +69,6 @@ ParserQuery: |
ASimAuditEventCiscoMeraki (BuiltInDisabled or ('ExcludevimAuditEventCiscoMeraki' in (DisabledParsers))),
ASimAuditEventBarracudaWAF (BuiltInDisabled or ('ExcludevimAuditEventBarracudaWAF' in (DisabledParsers))),
ASimAuditEventCiscoISE (BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))),
ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers)))
ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers))),
ASimAuditEventSentinelOne (BuiltInDisabled or ('ExcludevimAuditEventSentinelOne' in (DisabledParsers)))
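Review bot: The new union member calls the non-filtering `ASimAuditEventSentinelOne` function and forwards none of the filter parameters this union declares (`starttime` is visible in the first hunk; the SentinelOne vim parser added elsewhere in this commit declares `starttime`, `endtime`, `srcipaddr_has_any_prefix`, `operation_has_any`, `eventtype_in`, `eventresult`, `actorusername_has_any`, `object_has_any`, `newvalue_has_any`), so none of those predicates are pushed down into the SentinelOne source parser. The sibling lines follow the same pattern, so this may be intentional and the filtering may be applied after the union outside the hunk; if this file is the filtering (vim) union, as its `_Im_AuditEvent_*` Parsers list and its `starttime` parameter suggest, the line should be `vimAuditEventSentinelOne(starttime, endtime, srcipaddr_has_any_prefix, operation_has_any, eventtype_in, eventresult, actorusername_has_any, object_has_any, newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventSentinelOne' in (DisabledParsers))))`. The exclusion token `ExcludevimAuditEventSentinelOne` matches the CiscoMeraki and BarracudaWAF entries but not the `ExcludeASim…` form used by CiscoISE and VectraXDRAudit in the same list; whichever form the parser's documentation tells operators to put in the DisabledParsers watchlist should be the one used here. The ParserQuery block continues outside the hunk.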


@ -0,0 +1,706 @@
Parser:
Title: Audit Event ASIM parser for SentinelOne
Version: '0.1.0'
LastUpdated: Oct 05 2023
Product:
Name: SentinelOne
Normalization:
Schema: AuditEvent
Version: '0.1'
References:
- Title: ASIM Audit Event Schema
Link: https://aka.ms/ASimAuditEventDoc
- Title: ASIM
Link: https://aka.ms/AboutASIM
- Title: SentinelOne documentation
Link: https://<SOneInstanceDomain>.sentinelone.net/api-doc/overview
Description: |
This ASIM parser supports normalizing SentinelOne logs to the ASIM Audit Event normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
ParserName: vimAuditEventSentinelOne
EquivalentBuiltInParser: _Im_AuditEvent_SentinelOne
ParserParams:
- Name: disabled
Type: bool
Default: false
- Name: starttime
Type: datetime
Default: datetime(null)
- Name: endtime
Type: datetime
Default: datetime(null)
- Name: srcipaddr_has_any_prefix
Type: dynamic
Default: dynamic([])
- Name: operation_has_any
Type: dynamic
Default: dynamic([])
- Name: eventtype_in
Type: dynamic
Default: dynamic([])
- Name: eventresult
Type: string
Default: '*'
- Name: actorusername_has_any
Type: dynamic
Default: dynamic([])
- Name: object_has_any
Type: dynamic
Default: dynamic([])
- Name: newvalue_has_any
Type: dynamic
Default: dynamic([])
ParserQuery: |
let EventFieldsLookup = datatable(
activityType_d: real,
Operation: string,
EventType_activity: string,
EventSubType: string,
EventResult: string,
Object: string,
ObjectType: string
)
[
39, "Research Settings Modified", "", "", "Success", "Research Settings", "Policy Rule",
41, "Learning Mode Settings Modified", "Set", "", "Success", "Mitigation policy", "Policy Rule",
44, "Auto decommission On", "Enable", "", "Success", "Auto decommission", "Service",
45, "Auto decommission Off", "Disable", "", "Success", "Auto decommission", "Service",
46, "Auto Decommission Period Modified", "Set", "", "Success", "Auto decommission", "Service",
56, "Auto Mitigation Actions Modified", "Set", "", "Success", "Mitigation action", "Other",
57, "Quarantine Network Settings Modified", "", "", "Success", "NetworkSettings", "Configuration Atom",
68, "Engine Modified In Policy", "Set", "", "Success", "Engine Policy", "Policy Rule",
69, "Mitigation Policy Modified", "Set", "", "Success", "Threat Mitigation Policy", "Policy Rule",
70, "Policy Setting - Agent Notification On Suspicious Modified", "", "", "Success", "Agent notification", "Service",
82, "Monitor On Execute", "", "", "Success", "On execute setting", "Configuration Atom",
83, "Monitor On Write", "", "", "Success", "On write setting", "Configuration Atom",
105, "Deep Visibility Settings Modified", "", "", "Success", "Deep Visibility Setting", "Configuration Atom",
116, "Policy Settings Modified", "Disable", "", "Success", "Policy Settings", "Policy Rule",
150, "Live Security Updates Policy Modified", "", "", "Success", "Live Security Updates Policy", "Policy Rule",
151, "Live Security Updates Policy Inheritance Setting Changed", "Set", "", "Success", "Live Security Updates Policy", "Policy Rule",
200, "File Upload Settings Modified", "Set", "", "Success", "Binary Vault Settings", "Configuration Atom",
201, "File Upload Enabled/Disabled", "", "", "Success", "Binary Vault", "Policy Rule",
4004, "Policy Setting - Show Suspicious Activities Configuration Enabled", "Enable", "", "Success", "Policy Setting", "Policy Rule",
4005, "Policy Setting - Show Suspicious Activities Configuration Disabled", "Disable", "", "Success", "Policy Setting", "Policy Rule",
4104, "STAR Manual Response Marked Event As Malicious", "Set", "", "Success", "computerName", "Other",
4105, "STAR Manual Response Marked Event As Suspicious", "Set", "", "Success", "computerName", "Other",
5012, "Group Token Regenerated", "Create", "", "Success", "Token", "Policy Rule",
5020, "Site Created", "Create", "", "Success", "", "Other",
5021, "Site Modified", "Set", "", "Success", "", "Other",
5022, "Site Deleted", "Delete", "", "Success", "", "Other",
5024, "Site Policy Reverted", "", "", "Success", "", "Other",
5025, "Site Marked As Expired", "Disable", "", "Success", "", "Other",
5026, "Site Duplicated", "Create", "", "Success", "", "Other",
5027, "Site Token Regenerated", "Create", "", "Success", "", "Other",
6000, "Mobile Policy updated", "Set", "", "Success", "Mobile Policy", "Policy Rule",
6001, "Mobile Policy created", "Create", "", "Success", "Mobile Policy", "Policy Rule",
6002, "Mobile Policy removed", "Delete", "", "Success", "Mobile Policy", "Policy Rule",
6010, "UEM Connection created", "Create", "", "Success", "MDM Connection", "Configuration Atom",
6011, "UEM Connection updated", "Set", "", "Success", "MDM Connection", "Configuration Atom",
6012, "UEM Connection Removed", "Delete", "", "Success", "MDM Connection", "Configuration Atom",
73, "Scan New Agents Changed", "", "", "Success", "Scan new agents Setting", "Configuration Atom",
76, "Anti Tampering Modified", "", "", "Success", "Anti tampering setting", "Configuration Atom",
77, "Agent UI Settings Modified", "Set ", "", "Success", "Agent UI setting", "Configuration Atom",
78, "Snapshots Settings Modified", "", "", "Success", "Snapshots setting", "Configuration Atom",
79, "Agent Logging Modified", "", "", "Success", "Agent logging setting", "Configuration Atom",
84, "Deep Visibility Settings Modified", "", "", "Success", "Deep Visibility setting", "Configuration Atom",
87, "Remote Shell Settings Modified", "", "", "Success", "Remote Shell Settings", "Configuration Atom",
2100, "Upgrade Policy - Concurrency Limit Changed", "Set", "", "Success", "Policy Upgrade", "Policy Rule",
2101, "Upgrade Policy - Concurrency Limit Inheritance Changed", "Set", "", "Success", "Policy Upgrade", "Policy Rule",
2111, "Upgrade Policy - Maintenance Window Time Inheritance Changed", "Set", "", "Success", "Policy Upgrade", "Policy Rule",
];
let EventFieldsLookupMachineActivity = datatable(
activityType_d: real,
Operation: string,
EventType_machineactivity: string,
EventSubType_machineactivity: string,
EventResult: string,
Object: string,
ObjectType: string
)
[
52, "User Approved Agent Uninstall Request", "Other", "Approve", "Success", "Agent", "Service",
53, "User Rejected Agent Uninstall Request", "Other", "Reject", "Failure", "Agent", "Service",
54, "User Decommissioned Agent", "Disable", "", "Success", "Agent", "Service",
55, "User Recommissioned Agent", "Enable", "", "Success", "Agent", "Service",
61, "User Disconnected Agent From Network", "Execute", "", "Success", "Agent", "Service",
62, "User Reconnected Agent to Network", "Execute", "", "Success", "Agent", "Service",
63, "User Shutdown Agent", "Execute", "", "Success", "Agent", "Service",
93, "User Reset Agent's Local Config", "Set", "", "Success", "Local config", "Configuration Atom",
95, "User Moved Agent to Group", "Other", "Move", "Success", "Agent", "Service",
117, "User Disabled Agent", "Execute", "", "Success", "Agent", "Service",
118, "User Enabled Agent", "Execute", "", "Success", "Agent", "Service",
4100, "User Marked Deep Visibility Event As Threat", "Set", "", "Success", "Deep Visibility Event", "Other",
4101, "User Marked Deep Visibility Event As Suspicious", "Set", "", "Success", "Deep Visibility Event", "Other",
];
let EventFieldsLookupAccountActivity = datatable(
activityType_d: real,
Operation: string,
EventType_accountactivity: string,
EventSubType_accountactivity: string,
EventResult: string,
Object: string,
ObjectType: string
)
[
130, "Opt-in To EA program", "Create", "", "Success", "", "Other",
131, "Opt-out From EA Program", "Delete", "", "Success", "", "Other",
5040, "Account Created", "Create", "", "Success", "", "Other",
5041, "Account Modified", "Set", "", "Success", "", "Other",
5042, "Account Deleted", "Delete", "", "Success", "", "Other",
5044, "Account Policy Reverted", "Set", "", "Success", "", "Other",
7200, "Add cloud account", "Create", "", "Success", "", "Other",
7201, "Disable cloud Account", "Disable", "", "Success", "", "Other",
7202, "Enable cloud Account", "Enable", "", "Success", "", "Other"
];
let EventFieldsLookup_useractivity = datatable(
activityType_d: real,
Operation: string,
EventType_useractivity: string,
EventSubType_useractivity: string,
EventResult: string,
Object: string,
ObjectType: string
)
[
88, "User Remote Shell Modified", "", "", "Success", "Remote Shell", "Configuration Atom",
114, "API Token Revoked", "Disable", "", "Success", "API Token", "Service"
];
let EventFieldsLookup_otheractivity = datatable(
activityType_d: real,
Operation: string,
EventType_otheractivity: string,
EventSubType_otheractivity: string,
EventResult: string,
Object: string,
ObjectType: string
)
[
2, "Hash Defined as Malicious By Cloud", "Set", "", "Success", "", "Other",
40, "Cloud Intelligence Settings Modified", "", "", "Success", "Cloud Intelligence Settings", "Policy Rule",
58, "Notification Option Level Modified", "Set", "", "Success", "Notification Level", "Service",
59, "Event Severity Level Modified", "Set", "", "Success", "EventSeverity Level", "Other",
60, "Notification - Recipients Configuration Modified", "Set", "", "Success", "Recipients configuration", "Policy Rule",
101, "User Changed Agent's Customer Identifier", "Set", "", "Success", "Customer Identifier string", "Configuration Atom",
106, "User Commanded Agents To Move To Another Console", "Execute", "", "Failure", "Agents", "Service",
107, "User Created RBAC Role", "Create", "", "Success", "", "Other",
108, "User Edited RBAC Role", "Set", "", "Success", "", "Other",
109, "User Deleted RBAC Role", "Delete", "", "Success", "", "Other",
112, "API token Generated", "Create", "", "Success", "API Token", "Service",
113, "API Token Revoked", "Disable", "", "Success", "API Token", "Service",
129, "Allowed Domains Settings Changed", "Set", "", "Success", "User Domain Setting", "Other",
1501, "Location Created", "Create", "", "Success", "", "Service",
1502, "Location Copied", "Set", "Copy", "Success", "", "Service",
1503, "Location Modified", "Set", "", "Success", "", "Service",
1504, "Location Deleted", "Delete", "", "Success", "", "Service",
2011, "User Issued Kill Command", "Execute", "", "Success", "", "Other",
2012, "User Issued Remediate Command", "Execute", "", "Success", "", "Other",
2013, "User Issued Rollback Command", "Execute", "", "Success", "", "Other",
2014, "User Issued Quarantine Command", "Execute", "", "Success", "", "Other",
2015, "User Issued Unquarantine Command", "Execute", "", "Success", "", "Other",
2016, "User Marked Application As Threat", "Set", "", "Success", "", "Other",
2028, "Threat Incident Status Changed", "Set", "", "Success", "", "Other",
2029, "Ticket Number Changes", "Set", "", "Success", "", "Other",
2030, "Analyst Verdict Changes", "Set", "", "Success", "", "Other",
2036, "Threat Confidence Level Changed By Agent", "Set", "", "Success", "", "Other",
2037, "Threat Confidence Level Changed By Cloud", "Set", "", "Success", "", "Other",
3001, "User Added Hash Exclusion", "Set", "", "Success", "Hash", "Other",
3002, "User Added Blocklist Hash", "Set", "", "Success", "Hash", "Other",
3008, "New Path Exclusion", "Create", "", "Success", "Path", "Other",
3009, "New Signer Identity Exclusion", "Create", "", "Success", "Signer Identity", "Other",
3010, "New File Type Exclusion", "Create", "", "Success", "File Type", "Other",
3011, "New Browser Type Exclusion", "Create", "", "Success", "Browser Type", "Other",
3012, "Path Exclusion Modified", "Set", "", "Success", "Path", "Other",
3013, "Signer Identity Exclusion Modified", "Set", "", "Success", "Signer Identity", "Other",
3014, "File Type Exclusion Modified", "Set", "", "Success", "File Type", "Other",
3015, "Browser Type Exclusion Modified", "Set", "", "Success", "Browser Type", "Other",
3016, "Path Exclusion Deleted", "Delete", "", "Success", "Path", "Other",
3017, "Signer Identity Exclusion Deleted", "Delete", "", "Success", "Signer Identity", "Other",
3018, "File Type Exclusion Deleted", "Delete", "", "Success", "File Type", "Other",
3019, "Browser Type Exclusion Deleted", "Delete", "", "Success", "Browser Type", "Other",
3020, "User Deleted Hash From Blocklist", "Delete", "", "Success", "Hash", "Other",
3021, "User Deleted Hash Exclusion", "Delete", "", "Success", "Hash", "Other",
3100, "User Added Package", "Create", "", "Success", "Package", "Other",
3101, "User Modified Package", "Set", "", "Success", "Package", "Other",
3102, "User Deleted Package", "Delete", "", "Success", "Package", "Other",
3103, "Package Deleted By System - Too Many Packages", "Delete", "", "Success", "Package", "Other",
3500, "User Toggled Ranger Status", "Set", "", "Success", "Ranger Settings", "Other",
3501, "Ranger Settings Modified", "Set", "", "Success", "Ranger Settings", "Configuration Atom",
3502, "Ranger Network Settings Modified", "Set", "", "Success", "Ranger Network Setting", "Other",
3506, "Ranger - Device Review Modified", "Set", "", "Success", "Device Review", "Other",
3507, "Ranger - Device Tag Modified On Host", "Set", "", "Success", "Device Tag", "Other",
3521, "Ranger Deploy Initiated", "Initialize", "", "Success", "Ranger Deploy", "Other",
3525, "Ranger Deploy - Credential Created", "Create", "", "Success", "Credential", "Configuration Atom",
3526, "Ranger Deploy - Credential Deleted", "Delete", "", "Success", "Credential", "Configuration Atom",
3527, "Ranger Deploy - Credential Overridden", "Set", "", "Success", "Credential", "Configuration Atom",
3530, "Ranger Labels Updated", "Set", "", "Success", "Ranger Labels", "Other",
3531, "Ranger labels reverted", "Set", "", "Success", "Ranger Labels", "Other",
3600, "Custom Rules - User Created A Rule", "Create", "", "Success", "", "Policy Rule",
3601, "Custom Rules - User Changed A Rule", "Set", "", "Success", "", "Policy Rule",
3602, "Custom Rules - User Deleted A Rule", "Delete", "", "Success", "", "Policy Rule",
3603, "Custom Rules - Rule Status Changed", "Set", "", "Success", "", "Policy Rule",
3604, "Custom Rules - Rule Status Change Failed", "Set", "", "Failure", "", "Policy Rule",
3626, "User 2FA Email Verification Changed", "Set", "", "Success", "", "Service",
3628, "2FA Code Verification", "Set", "", "Success", "2FA", "Service",
3641, "Ranger self Provisioning Default Features Modified", "Set", "", "Success", "", "Other",
3650, "Tag Manager - User Created New Tag", "Create", "", "Success", "Tag", "Other",
3651, "Tag Manager - User Modified Tag", "Set", "", "Success", "Tag", "Other",
3652, "Tag Manager - User Deleted Tag", "Delete", "", "Success", "Tag", "Other",
3653, "Tag Manager - User Attached Tag", "Other", "Attach", "Success", "Tags", "Other",
3654, "Tag Manager - User Detached Tag", "Detach", "", "Success", "Tags", "Other",
3750, "Auto-Upgrade Policy Created", "Create", "", "Success", "", "Policy Rule",
3751, "Auto-Upgrade Policy Disabled", "Disable", "", "Success", "", "Policy Rule",
3752, "Auto-Upgrade Policy Activated", "Enable", "", "Success", "", "Policy Rule",
3753, "Auto-Upgrade Policy Deleted", "Delete", "", "Success", "", "Policy Rule",
3754, "Auto-Upgrade Policy Reordered", "Other", "Reorder", "Success", "", "Policy Rule",
3755, "Upgrade Policy Inheritance Setting Changed", "Set", "", "Success", "Upgrade Policy", "Policy Rule",
3756, "Auto-Upgrade Policy Edited", "Set", "", "Success", "", "Policy Rule",
3767, "Local Upgrade Authorized", "Other", "Authorize", "Success", "Local Upgrade Authorization", "Service",
3768, "Local Upgrade Authorized", "Other", "Authorize", "Success", "Local Upgrade Authorization", "Service",
3769, "Local Upgrade Authorized", "Other", "Authorize", "Success", "Local Upgrade Authorization", "Service",
3770, "Local Upgrade Authorization Expiry Date Changed", "Set", "", "Success", "Local Upgrade Authorization", "Service",
3771, "Local Upgrade Authorization Expiry Date Changed", "Set", "", "Success", "Local Upgrade Authorization", "Service",
3772, "Local Upgrade Unauthorized", "Other", "Unauthorize", "Failure", "Local Upgrade Authorization", "Service",
3773, "Local Upgrade Authorization Inherits from Site Level", "Set", "", "Success", "Local Upgrade Authorization", "Service",
3774, "Local Upgrade Authorization Inherits from Site Level", "Set", "", "Success", "Local Upgrade Authorization", "Service",
4001, "Suspicious Threat Was Marked As Threat", "Set", "", "Success", "", "Other",
4002, "Suspicious Threat Was Resolved", "Set", "", "Success", "", "Other",
4006, "Remember Me Length Modified", "Set", "", "Success", "Stay Sign in Duration", "Policy Rule",
4007, "Suspicious Threat Was Marked As Benign", "Set", "", "Success", "", "Other",
4008, "Threat Mitigation Status Changed", "Set", "", "Success", "", "Other",
4009, "Process Was Marked As Threat", "Set", "", "Success", "", "Other",
4011, "Suspicious Threat Was Unresolved", "Set", "", "Failure", "", "Other",
4012, "UI Inactivity Timeout Modified", "Set", "", "Success", "Inactivity timeout", "Configuration Atom",
5242, "Ranger - Device Tag Created", "Create", "", "Success", "", "Other",
5243, "Ranger - Device Tag Updated", "Set", "", "Success", "", "Other",
5244, "Ranger - Device Tag Deleted", "Delete", "", "Success", "", "Other",
5250, "Firewall Control Tag Created", "Create", "", "Success", "", "Other",
5251, "Firewall Control Tag Updated", "Set", "", "Success", "", "Other",
5252, "Firewall Control Tag Updated", "Delete", "", "Success", "", "Other",
5253, "Network Quarantine Control Tag Created", "Create", "", "Success", "", "Other",
5254, "Network Quarantine Control Tag Updated", "Set", "", "Success", "", "Other",
5255, "Network Quarantine Control Tag Deleted", "Delete", "", "Success", "", "Other",
5256, "Firewall Control Tag Added/Removed From Rule", "", "", "Success", "", "Policy Rule",
5257, "Firewall Control Tag Inherited", "Set", "", "Success", "Firewall Control tags", "Other",
5258, "Network Quarantine Control Tag Added/Removed From Rule", "", "", "Success", "", "Policy Rule",
5259, "Network Quarantine Control Tag Inherited", "Set", "", "Success", "Network Quarantine Control Tag", "Other",
7500, "Remote Ops Password Configured", "Set", "", "Success", "Remote Ops password configuration", "Configuration Atom",
7501, "Remote Ops Password Deleted", "Delete", "", "Success", "Remote Ops password configuration", "Configuration Atom",
7602, "User Edited Run Script Guardrails", "Set", "", "Success", "Guardrails", "Service",
7603, "User Enabled Run Script Guardrails", "Enable", "", "Success", "Guardrails", "Service",
7604, "User Disabled Run Script Guardrails", "Disable", "", "Success", "Guardrails", "Service",
5120, "Device Rule Created", "Create", "", "Success", "", "Policy Rule",
5121, "Device Rule Modified", "Set", "", "Success", "", "Policy Rule",
5122, "Device Rule Deleted", "Delete", "", "Success", "", "Policy Rule",
5123, "Device Rules Reordered", "Set", "", "Success", "", "Policy Rule",
5124, "Device Rules Settings Modified", "Set", "", "Success", "Device Control settings", "Policy Rule",
5129, "Device Rule Copied To Scope", "Set", "", "Success", "", "Policy Rule",
5220, "Firewall Rule Created", "Create", "", "Success", "", "Policy Rule",
5221, "Firewall Rule Modified", "Set/Other", "", "Success", "", "Policy Rule",
5222, "Firewall Rule Deleted", "Delete", "", "Success", "", "Policy Rule",
5225, "Firewall Control Settings Modified", "Set", "", "Success", "Firewall Rule", "Policy Rule",
5226, "Firewall Rules Reordered", "Set", "", "Success", "Firewall Rule", "Policy Rule",
5231, "Firewall Rule Copied To Scope", "Set", "", "Success", "", "Policy Rule",
5234, "Network Quarantine Rule Created", "Create", "", "Success", "", "Policy Rule",
5235, "Network Quarantine Rule Modified", "Set", "", "Success", "", "Policy Rule",
5236, "Network Quarantine Rule Deleted", "Delete", "", "Success", "", "Policy Rule",
5237, "Network Quarantine Control Settings Modified", "Set", "", "Success", "Network Quarantine Rule", "Policy Rule",
5238, "Network Quarantine Rules Reordered", "Set", "", "Success", "Network Quarantine Rule", "Policy Rule",
5241, "Network Quarantine Rule Copied To Scope", "Set", "", "Success", "", "Policy Rule",
6030, "Mobile Device Updated", "Other", "", "Success", "Device", "Other",
6053, "Mobile Incident Resolved", "Set", "", "Success", "", "Other",
6054, "Mobile Incident Status Changed", "Set", "", "Success", "", "Other",
6055, "Mobile Incident Analyst Verdict Changed", "Set", "", "Success", "", "Other"
];
let EventTypeLookup_onoff = datatable(
field: string,
EventType_field: string,
NewValue_field: string
)
[
"true", "Enable", "on",
"false", "Disable", "off"
];
let EventTypeLookup_enableddisabled = datatable(
field: string,
EventType_fieldenableddisabled: string,
NewValue_fieldenableddisabled: string
)
[
"true", "Enable", "enabled",
"false", "Disable", "disabled"
];
let EventSeverityLookup = datatable (EventResult: string, EventSeverity_lookup: string)
[
"Success", "Informational",
"Failure", "Low"
];
let EventSeverityLookup_activity = datatable (activityType_d: real, EventSeverity_activity: string)
[
4100, "Medium",
4101, "High",
2016, "Medium",
2028, "Low",
4001, "Medium",
4002, "Low",
4007, "Low",
4008, "Medium",
4009, "Medium",
4011, "High",
2, "Medium",
2011, "Low",
2012, "Low",
2013, "Medium",
2014, "Low",
2015, "Low",
4002, "Low",
4104, "High",
4105, "Medium"
];
let ThreatConfidenceLookup_undefined = datatable(
threatInfo_analystVerdict_s: string,
ThreatConfidence_undefined: int
)
[
"false_positive", 5,
"undefined", 15,
"suspicious", 25,
"true_positive", 33
];
let ThreatConfidenceLookup_suspicious = datatable(
threatInfo_analystVerdict_s: string,
ThreatConfidence_suspicious: int
)
[
"false_positive", 40,
"undefined", 50,
"suspicious", 60,
"true_positive", 67
];
let ThreatConfidenceLookup_malicious = datatable(
threatInfo_analystVerdict_s: string,
ThreatConfidence_malicious: int
)
[
"false_positive", 75,
"undefined", 80,
"suspicious", 90,
"true_positive", 100
];
let parser=(disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {
let AllActivityIdsForAudit = dynamic([39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111, 52, 53, 54, 55, 61, 62, 63, 93, 95, 117, 118, 4100, 4101, 130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203, 2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);
let RawOtherActivityIds = dynamic([2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);
let activitydata = SentinelOne_CL
| where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)
and event_name_s == "Activities."
and activityType_d in (AllActivityIdsForAudit)
and (array_length(actorusername_has_any) == 0 or primaryDescription_s has_any (actorusername_has_any))
and (array_length(newvalue_has_any) == 0 or primaryDescription_s has_any (newvalue_has_any) or DataFields_s has_any (newvalue_has_any))
and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix))
| project-away
threatInfo_confidenceLevel_s,
threatInfo_analystVerdict_s,
threatInfo_threatName_s,
threatInfo_incidentStatus_s,
threatInfo_identifiedAt_t,
threatInfo_updatedAt_t,
threatInfo_threatId_s,
mitigationStatus_s;
let rawgroupsiteactivitydata = activitydata
| where activityType_d in (39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111)
| parse-kv DataFields_s as (username: string, userName: string, userFullName: string, newValue: string, policyEnabled: string, siteName: string, oldValue: string, ipAddress: string, oldSiteName: string, policy: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
| parse-kv policy as (id: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
| project-rename ObjectId = id
| lookup EventFieldsLookup on activityType_d;
let groupsiteactivitydata_onoff = rawgroupsiteactivitydata
| where activityType_d in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150)
| lookup EventTypeLookup_onoff on $left.newValue == $right.field
| lookup EventTypeLookup_onoff on $left.policyEnabled == $right.field
| extend
EventType = coalesce(EventType_field, EventType_field1),
NewValue = coalesce(NewValue_field, NewValue_field1);
let groupsiteactivitydata_enabledisabled = rawgroupsiteactivitydata
| where activityType_d in (70, 82, 83, 201)
| lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field
| extend
EventType = EventType_fieldenableddisabled,
NewValue = NewValue_fieldenableddisabled;
let groupsiteactivitydata_other = rawgroupsiteactivitydata
| where activityType_d !in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150, 70, 82, 83, 201)
| extend EventType = EventType_activity;
let groupsiteactivitydata = union
groupsiteactivitydata_onoff,
groupsiteactivitydata_enabledisabled,
groupsiteactivitydata_other
| extend
ActorUsername = coalesce(username, userName, userFullName),
Object = coalesce(Object, siteName, oldSiteName),
NewValue = coalesce(NewValue, newValue),
OldValue = oldValue;
let machineactivitydata = activitydata
| where activityType_d in (52, 53, 54, 55, 61, 62, 63, 93, 95, 117, 118, 4100, 4101)
| parse-kv DataFields_s as (username: string, userName: string, computerName: string, threatClassification: string, ipAddress: string, groupName: string, targetGroupName: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
| lookup EventFieldsLookupMachineActivity on activityType_d
| extend
EventType = EventType_machineactivity,
EventSubType = EventSubType_machineactivity,
ThreatCategory = threatClassification,
OldValue = groupName,
NewValue = targetGroupName,
ObjectId = agentId_s
| extend ActorUsername = coalesce(username, userName)
| invoke _ASIM_ResolveDvcFQDN('computerName');
let accountactivitydata = activitydata
| where activityType_d in (130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203)
| parse-kv DataFields_s as (username: string, accountName: string, cloudProviderAccountName: string, ipAddress: string, accountId: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
| lookup EventFieldsLookupAccountActivity on activityType_d
| extend
EventType = EventType_accountactivity,
EventSubType = EventSubType_accountactivity,
Object = coalesce(accountName, cloudProviderAccountName),
ObjectId = accountId;
let useractivitydata = activitydata
| where activityType_d in (88, 114)
| parse-kv DataFields_s as (username: string, byUser: string, newValue: string, ipAddress: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
| lookup EventFieldsLookup_useractivity on activityType_d
| lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field
| extend
ActorUsername = byUser,
EventType = coalesce(EventType_useractivity, EventType_fieldenableddisabled),
EventSubType = EventSubType_useractivity,
NewValue = NewValue_fieldenableddisabled;
let rawotheractivitydata = activitydata
| where activityType_d in (RawOtherActivityIds)
| parse-kv DataFields_s as (username: string, userName: string, email: string, globalTwoFaEnabled: string, cloudIntelligenceOn: string, fileDisplayName: string, roleName: string, oldIncidentStatusTitle: string, oldTicketId: string, oldAnalystVerdictTitle: string, oldConfidenceLevel: string, previous: string, oldStatus: string, oldTagName: string, oldTagDescription: string, newIncidentStatusTitle: string, newTicketId: string, newAnalystVerdictTitle: string, newConfidenceLevel: string, newStatus: string, current: string, Status: string, newTagName: string, newTagDescription: string, value: string, rulesAdded: string, rulesRemoved: string, tagsAdded: string, tagsRemoved: string, incidentName: string, ruleName: string, deviceId: string, ip: string, externalIp: string, affectedDevices: string, featureValue: string, featureName: string, recoveryEmail: string, policyName: string, tagName: string, gatewayExternalIp: string, gatewayMac: string, threatClassification: string, ipAddress: string, applicationPath: string, externalId: string, consoleUrl: string, ruleId: string, policyId: string) with (pair_delimiter=",", kv_delimiter=":", quote='"')
| lookup EventFieldsLookup_otheractivity on activityType_d
| lookup EventTypeLookup_onoff on $left.cloudIntelligenceOn == $right.field
| lookup EventTypeLookup_onoff on $left.globalTwoFaEnabled == $right.field
| extend
ActorUsername = coalesce(username, userName),
EventType = coalesce(EventType_otheractivity, EventType_field, EventType_field1),
EventSubType = EventSubType_otheractivity,
Object = coalesce(Object, fileDisplayName, applicationPath, roleName, ruleName, incidentName, recoveryEmail, featureName, policyName, tagName),
NewValue = coalesce(newIncidentStatusTitle, newTicketId, newAnalystVerdictTitle, newConfidenceLevel, newStatus, current, Status, newTagName, newTagDescription, featureValue),
OldValue = coalesce(oldIncidentStatusTitle, oldTicketId, oldAnalystVerdictTitle, oldConfidenceLevel, oldStatus, previous, oldTagName, oldTagDescription),
TargetIpAddr = coalesce(externalIp, ip, gatewayExternalIp),
ThreatCategory = threatClassification,
RuleName = ruleName,
TargetDvcId = deviceId,
ObjectId = coalesce(ruleId, policyId, externalId, deviceId)
| invoke _ASIM_ResolveDstFQDN('affectedDevices')
| project-rename
TargetHostname = DstHostname,
TargetDomain = DstDomain,
TargetDomainType = DstDomainType,
TargetFQDN = DstFQDN,
TargetUrl = consoleUrl;
let parsedotheractivitydata_eventtype = rawotheractivitydata
| where activityType_d in (5256, 5258)
| extend EventType = case(
isnotempty(rulesAdded) or isnotempty(tagsAdded),
"Create",
isnotempty(rulesRemoved) or isnotempty(tagsRemoved),
"Delete",
"Set"
);
let parsedotheractivitydata_objectvalue = rawotheractivitydata
| where activityType_d in (3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3650, 3651, 3652, 3653, 3654)
| extend Object = strcat(Object, ' ', value);
let parsedotheractivitydata_severity = rawotheractivitydata
| where activityType_d in (2036, 2037, 2030)
| where (eventresult == "*" or EventResult =~ eventresult)
and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))
and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))
and (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))
and (array_length(object_has_any) == 0 or Object has_any (object_has_any))
and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix))
| extend EventSeverity_specific = case(
primaryDescription_s has_any ("to malicious", "to True positive"),
"High",
primaryDescription_s has_any ("to suspicious", "to Undefined"),
"Medium",
primaryDescription_s has "to False positive",
"Low",
"Informational"
);
let ParsedActivitydata = union
groupsiteactivitydata,
machineactivitydata,
accountactivitydata,
useractivitydata,
rawotheractivitydata,
parsedotheractivitydata_eventtype,
parsedotheractivitydata_objectvalue
| where activityType_d !in(2030, 2036, 2037)
| lookup EventSeverityLookup on EventResult
| lookup EventSeverityLookup_activity on activityType_d
| where (eventresult == "*" or EventResult =~ eventresult)
and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))
and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))
and (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))
and (array_length(object_has_any) == 0 or Object has_any (object_has_any))
and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix));
let UnParsedActivitydatawithThreat = union ParsedActivitydata, parsedotheractivitydata_severity
| where isnotempty(threatId_s)
| join kind=inner (SentinelOne_CL
| where event_name_s == "Threats."
| project
TimeGenerated,
threatInfo_confidenceLevel_s,
threatInfo_analystVerdict_s,
threatInfo_threatName_s,
threatInfo_incidentStatus_s,
threatInfo_identifiedAt_t,
threatInfo_updatedAt_t,
threatInfo_threatId_s,
mitigationStatus_s)
on $left.threatId_s == $right.threatInfo_threatId_s
| where TimeGenerated1 >= TimeGenerated
| summarize arg_min(TimeGenerated1, *) by activityType_d, threatId_s, createdAt_t, TimeGenerated;
let undefineddata = UnParsedActivitydatawithThreat
| where threatInfo_confidenceLevel_s == "Undefined"
| lookup ThreatConfidenceLookup_undefined on threatInfo_analystVerdict_s;
let suspiciousdata = UnParsedActivitydatawithThreat
| where threatInfo_confidenceLevel_s == "suspicious"
| lookup ThreatConfidenceLookup_suspicious on threatInfo_analystVerdict_s;
let maliciousdata = UnParsedActivitydatawithThreat
| where threatInfo_confidenceLevel_s == "malicious"
| lookup ThreatConfidenceLookup_malicious on threatInfo_analystVerdict_s;
let ParsedActivitydatawithThreat = union undefineddata, suspiciousdata, maliciousdata
| extend
ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),
AdditionalFields = bag_pack(
"threatUpdatedAt",
threatInfo_updatedAt_t,
"threatAnalystVerdict",
threatInfo_analystVerdict_s,
"threatIncidentStatus",
threatInfo_incidentStatus_s,
"mitigationStatus",
mitigationStatus_s
)
| project-rename
ThreatId = threatId_s,
ThreatName = threatInfo_threatName_s,
ThreatFirstReportedTime = threatInfo_identifiedAt_t,
ThreatCategory_threats = threatInfo_classification_s,
ThreatOriginalConfidence = threatInfo_confidenceLevel_s;
let ParsedActivitydatawithoutThreat = ParsedActivitydata
| where isempty(threatId_s);
union ParsedActivitydatawithThreat, ParsedActivitydatawithoutThreat
| extend
EventSeverity = coalesce(EventSeverity_specific, EventSeverity_activity, EventSeverity_lookup),
EventProduct = "SentinelOne",
EventVendor = "SentinelOne",
EventSchema = "AuditEvent",
EventSchemaVersion = "0.1",
EventCount = toint(1),
AdditionalFields = bag_merge(AdditionalFields, todynamic(DataFields_s)),
EventOriginalType = tostring(toint(activityType_d)),
SrcIpAddr = iff(ipAddress != "null", ipAddress, ""),
DvcAction = iff(EventResult == "Success", "Allow", "Deny")
| project-rename
EventStartTime = createdAt_t,
EventUid = _ItemId,
EventMessage = primaryDescription_s,
ActorUserId = userId_s,
DvcId = agentId_s,
EventOriginalUid = activityUuid_g
| extend
ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),
ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),
ActorUserIdType = iff(isnotempty(ActorUserId), "Other", ""),
DvcIdType = iff(isnotempty(DvcId), "Other", ""),
TargetDvcIdType = iff(isnotempty(TargetDvcId), "Other", ""),
ValueType = iff(isnotempty(NewValue), "Other", "")
| extend
EventEndTime = EventStartTime,
User = ActorUsername,
IpAddr = SrcIpAddr,
Dvc = coalesce(DvcHostname, DvcId, EventProduct),
Dst = coalesce(TargetHostname, TargetIpAddr),
Src = SrcIpAddr,
Rule = RuleName,
Value = NewValue
| project-away
*_d,
*_s,
*_t,
*_g,
*_b,
Computer,
MG,
ManagementGroupName,
RawData,
SourceSystem,
TenantId,
username,
userName,
userFullName,
newValue,
policyEnabled,
siteName,
oldValue,
computerName,
accountName,
cloudProviderAccountName,
email,
globalTwoFaEnabled,
cloudIntelligenceOn,
fileDisplayName,
roleName,
oldIncidentStatusTitle,
oldTicketId,
oldAnalystVerdictTitle,
oldConfidenceLevel,
previous,
oldStatus,
oldTagName,
oldTagDescription,
newIncidentStatusTitle,
newTicketId,
newAnalystVerdictTitle,
newConfidenceLevel,
newStatus,
current,
Status,
newTagName,
newTagDescription,
value,
rulesAdded,
rulesRemoved,
tagsAdded,
tagsRemoved,
incidentName,
ruleName,
deviceId,
ip,
externalIp,
affectedDevices,
featureValue,
featureName,
recoveryEmail,
policyName,
policy,
tagName,
gatewayExternalIp,
gatewayMac,
threatClassification,
applicationPath,
externalId,
groupName,
oldSiteName,
targetGroupName,
ipAddress,
EventType_*,
EventSubType_*,
EventSeverity_*,
NewValue_*,
_ResourceId,
TimeGenerated1,
ThreatCategory_*,
ThreatConfidence_*,
accountId,
policyId,
ruleId,
byUser
};
parser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)


@ -0,0 +1,33 @@
Result
"(0) Error: 1 invalid value(s) (up to 10 listed) in 1 records (0.06%) for field [DvcHostname] of type [Hostname]: [""u2019s MacBook Pro""] (Schema:AuditEvent)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 1559 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:AuditEvent)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 1559 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:AuditEvent)"
"(2) Info: Empty value in 1376 records (88.26%) in recommended field [ObjectId] (Schema:AuditEvent)"
"(2) Info: Empty value in 1440 records (92.37%) in optional field [RuleName] (Schema:AuditEvent)"
"(2) Info: Empty value in 1440 records (92.37%) in optional field [Rule] (Schema:AuditEvent)"
"(2) Info: Empty value in 1480 records (94.93%) in recommended field [SrcIpAddr] (Schema:AuditEvent)"
"(2) Info: Empty value in 1480 records (94.93%) in recommended field [Src] (Schema:AuditEvent)"
"(2) Info: Empty value in 1522 records (97.63%) in recommended field [DvcHostname] (Schema:AuditEvent)"
"(2) Info: Empty value in 1551 records (99.49%) in optional field [EventSubType] (Schema:AuditEvent)"
"(2) Info: Empty value in 1554 records (99.68%) in optional field [DvcFQDN] (Schema:AuditEvent)"
"(2) Info: Empty value in 1554 records (99.68%) in recommended field [DvcDomain] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in optional field [TargetDomain] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in optional field [TargetDvcId] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in optional field [TargetFQDN] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in optional field [TargetUrl] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in recommended field [Dst] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in recommended field [TargetHostname] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in recommended field [TargetIpAddr] (Schema:AuditEvent)"
"(2) Info: Empty value in 198 records (12.7%) in optional field [DvcId] (Schema:AuditEvent)"
"(2) Info: Empty value in 235 records (15.07%) in optional field [ThreatCategory] (Schema:AuditEvent)"
"(2) Info: Empty value in 235 records (15.07%) in optional field [ThreatConfidence] (Schema:AuditEvent)"
"(2) Info: Empty value in 235 records (15.07%) in optional field [ThreatFirstReportedTime] (Schema:AuditEvent)"
"(2) Info: Empty value in 235 records (15.07%) in optional field [ThreatId] (Schema:AuditEvent)"
"(2) Info: Empty value in 235 records (15.07%) in optional field [ThreatOriginalConfidence] (Schema:AuditEvent)"
"(2) Info: Empty value in 243 records (15.59%) in optional field [ThreatName] (Schema:AuditEvent)"
"(2) Info: Empty value in 243 records (15.59%) in optional field [ValueType] (Schema:AuditEvent)"
"(2) Info: Empty value in 243 records (15.59%) in recommended field [NewValue] (Schema:AuditEvent)"
"(2) Info: Empty value in 543 records (34.83%) in optional field [ActorUserId] (Schema:AuditEvent)"
"(2) Info: Empty value in 545 records (34.96%) in optional field [ActorUserType] (Schema:AuditEvent)"
"(2) Info: Empty value in 545 records (34.96%) in recommended field [ActorUsername] (Schema:AuditEvent)"
"(2) Info: Empty value in 847 records (54.33%) in optional field [OldValue] (Schema:AuditEvent)"
1 Result
2 (0) Error: 1 invalid value(s) (up to 10 listed) in 1 records (0.06%) for field [DvcHostname] of type [Hostname]: ["u2019s MacBook Pro"] (Schema:AuditEvent)
3 (0) Error: 1 invalid value(s) (up to 10 listed) in 1559 records (100.0%) for field [EventProduct] of type [Enumerated]: ["SentinelOne"] (Schema:AuditEvent)
4 (0) Error: 1 invalid value(s) (up to 10 listed) in 1559 records (100.0%) for field [EventVendor] of type [Enumerated]: ["SentinelOne"] (Schema:AuditEvent)
5 (2) Info: Empty value in 1376 records (88.26%) in recommended field [ObjectId] (Schema:AuditEvent)
6 (2) Info: Empty value in 1440 records (92.37%) in optional field [RuleName] (Schema:AuditEvent)
7 (2) Info: Empty value in 1440 records (92.37%) in optional field [Rule] (Schema:AuditEvent)
8 (2) Info: Empty value in 1480 records (94.93%) in recommended field [SrcIpAddr] (Schema:AuditEvent)
9 (2) Info: Empty value in 1480 records (94.93%) in recommended field [Src] (Schema:AuditEvent)
10 (2) Info: Empty value in 1522 records (97.63%) in recommended field [DvcHostname] (Schema:AuditEvent)
11 (2) Info: Empty value in 1551 records (99.49%) in optional field [EventSubType] (Schema:AuditEvent)
12 (2) Info: Empty value in 1554 records (99.68%) in optional field [DvcFQDN] (Schema:AuditEvent)
13 (2) Info: Empty value in 1554 records (99.68%) in recommended field [DvcDomain] (Schema:AuditEvent)
14 (2) Info: Empty value in 1559 records (100.0%) in optional field [TargetDomain] (Schema:AuditEvent)
15 (2) Info: Empty value in 1559 records (100.0%) in optional field [TargetDvcId] (Schema:AuditEvent)
16 (2) Info: Empty value in 1559 records (100.0%) in optional field [TargetFQDN] (Schema:AuditEvent)
17 (2) Info: Empty value in 1559 records (100.0%) in optional field [TargetUrl] (Schema:AuditEvent)
18 (2) Info: Empty value in 1559 records (100.0%) in recommended field [Dst] (Schema:AuditEvent)
19 (2) Info: Empty value in 1559 records (100.0%) in recommended field [TargetHostname] (Schema:AuditEvent)
20 (2) Info: Empty value in 1559 records (100.0%) in recommended field [TargetIpAddr] (Schema:AuditEvent)
21 (2) Info: Empty value in 198 records (12.7%) in optional field [DvcId] (Schema:AuditEvent)
22 (2) Info: Empty value in 235 records (15.07%) in optional field [ThreatCategory] (Schema:AuditEvent)
23 (2) Info: Empty value in 235 records (15.07%) in optional field [ThreatConfidence] (Schema:AuditEvent)
24 (2) Info: Empty value in 235 records (15.07%) in optional field [ThreatFirstReportedTime] (Schema:AuditEvent)
25 (2) Info: Empty value in 235 records (15.07%) in optional field [ThreatId] (Schema:AuditEvent)
26 (2) Info: Empty value in 235 records (15.07%) in optional field [ThreatOriginalConfidence] (Schema:AuditEvent)
27 (2) Info: Empty value in 243 records (15.59%) in optional field [ThreatName] (Schema:AuditEvent)
28 (2) Info: Empty value in 243 records (15.59%) in optional field [ValueType] (Schema:AuditEvent)
29 (2) Info: Empty value in 243 records (15.59%) in recommended field [NewValue] (Schema:AuditEvent)
30 (2) Info: Empty value in 543 records (34.83%) in optional field [ActorUserId] (Schema:AuditEvent)
31 (2) Info: Empty value in 545 records (34.96%) in optional field [ActorUserType] (Schema:AuditEvent)
32 (2) Info: Empty value in 545 records (34.96%) in recommended field [ActorUsername] (Schema:AuditEvent)
33 (2) Info: Empty value in 847 records (54.33%) in optional field [OldValue] (Schema:AuditEvent)


@ -0,0 +1,67 @@
Result
"(1) Warning: Missing recommended field [DvcIpAddr]"
"(1) Warning: Missing recommended field [EventResultDetails]"
"(2) Info: Missing optional alias [Application] aliasing non-existent column [TargetAppName]"
"(2) Info: Missing optional alias [Process] aliasing non-existent column [ActingProcessName]"
"(2) Info: Missing optional field [ActingAppId]"
"(2) Info: Missing optional field [ActingAppName]"
"(2) Info: Missing optional field [ActingAppType]"
"(2) Info: Missing optional field [ActorOriginalUserType]"
"(2) Info: Missing optional field [ActorScopeId]"
"(2) Info: Missing optional field [ActorScope]"
"(2) Info: Missing optional field [ActorSessionId]"
"(2) Info: Missing optional field [ActorUserAadId]"
"(2) Info: Missing optional field [ActorUserSid]"
"(2) Info: Missing optional field [DvcDescription]"
"(2) Info: Missing optional field [DvcInterface]"
"(2) Info: Missing optional field [DvcMacAddr]"
"(2) Info: Missing optional field [DvcOriginalAction]"
"(2) Info: Missing optional field [DvcOsVersion]"
"(2) Info: Missing optional field [DvcOs]"
"(2) Info: Missing optional field [DvcScopeId]"
"(2) Info: Missing optional field [DvcScope]"
"(2) Info: Missing optional field [DvcZone]"
"(2) Info: Missing optional field [EventOriginalResultDetails]"
"(2) Info: Missing optional field [EventOriginalSeverity]"
"(2) Info: Missing optional field [EventOriginalSubType]"
"(2) Info: Missing optional field [EventOwner]"
"(2) Info: Missing optional field [EventProductVersion]"
"(2) Info: Missing optional field [EventReportUrl]"
"(2) Info: Missing optional field [HttpUserAgent]"
"(2) Info: Missing optional field [RuleNumber]"
"(2) Info: Missing optional field [SrcDescription]"
"(2) Info: Missing optional field [SrcDeviceType]"
"(2) Info: Missing optional field [SrcDomain]"
"(2) Info: Missing optional field [SrcDvcId]"
"(2) Info: Missing optional field [SrcDvcScopeId]"
"(2) Info: Missing optional field [SrcDvcScope]"
"(2) Info: Missing optional field [SrcFQDN]"
"(2) Info: Missing optional field [SrcGeoCity]"
"(2) Info: Missing optional field [SrcGeoCountry]"
"(2) Info: Missing optional field [SrcGeoLatitude]"
"(2) Info: Missing optional field [SrcGeoLongitude]"
"(2) Info: Missing optional field [SrcGeoRegion]"
"(2) Info: Missing optional field [SrcHostname]"
"(2) Info: Missing optional field [SrcOriginalRiskLevel]"
"(2) Info: Missing optional field [SrcPortNumber]"
"(2) Info: Missing optional field [SrcRiskLevel]"
"(2) Info: Missing optional field [TargetAppId]"
"(2) Info: Missing optional field [TargetAppName]"
"(2) Info: Missing optional field [TargetDescription]"
"(2) Info: Missing optional field [TargetDeviceType]"
"(2) Info: Missing optional field [TargetDvcOs]"
"(2) Info: Missing optional field [TargetDvcScopeId]"
"(2) Info: Missing optional field [TargetDvcScope]"
"(2) Info: Missing optional field [TargetGeoCity]"
"(2) Info: Missing optional field [TargetGeoCountry]"
"(2) Info: Missing optional field [TargetGeoLatitude]"
"(2) Info: Missing optional field [TargetGeoLongitude]"
"(2) Info: Missing optional field [TargetGeoRegion]"
"(2) Info: Missing optional field [TargetOriginalRiskLevel]"
"(2) Info: Missing optional field [TargetPortNumber]"
"(2) Info: Missing optional field [TargetRiskLevel]"
"(2) Info: Missing optional field [ThreatIpAddr]"
"(2) Info: Missing optional field [ThreatIsActive]"
"(2) Info: Missing optional field [ThreatLastReportedTime]"
"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
"(2) Info: Missing optional field [ThreatRiskLevel]"
1 Result
2 (1) Warning: Missing recommended field [DvcIpAddr]
3 (1) Warning: Missing recommended field [EventResultDetails]
4 (2) Info: Missing optional alias [Application] aliasing non-existent column [TargetAppName]
5 (2) Info: Missing optional alias [Process] aliasing non-existent column [ActingProcessName]
6 (2) Info: Missing optional field [ActingAppId]
7 (2) Info: Missing optional field [ActingAppName]
8 (2) Info: Missing optional field [ActingAppType]
9 (2) Info: Missing optional field [ActorOriginalUserType]
10 (2) Info: Missing optional field [ActorScopeId]
11 (2) Info: Missing optional field [ActorScope]
12 (2) Info: Missing optional field [ActorSessionId]
13 (2) Info: Missing optional field [ActorUserAadId]
14 (2) Info: Missing optional field [ActorUserSid]
15 (2) Info: Missing optional field [DvcDescription]
16 (2) Info: Missing optional field [DvcInterface]
17 (2) Info: Missing optional field [DvcMacAddr]
18 (2) Info: Missing optional field [DvcOriginalAction]
19 (2) Info: Missing optional field [DvcOsVersion]
20 (2) Info: Missing optional field [DvcOs]
21 (2) Info: Missing optional field [DvcScopeId]
22 (2) Info: Missing optional field [DvcScope]
23 (2) Info: Missing optional field [DvcZone]
24 (2) Info: Missing optional field [EventOriginalResultDetails]
25 (2) Info: Missing optional field [EventOriginalSeverity]
26 (2) Info: Missing optional field [EventOriginalSubType]
27 (2) Info: Missing optional field [EventOwner]
28 (2) Info: Missing optional field [EventProductVersion]
29 (2) Info: Missing optional field [EventReportUrl]
30 (2) Info: Missing optional field [HttpUserAgent]
31 (2) Info: Missing optional field [RuleNumber]
32 (2) Info: Missing optional field [SrcDescription]
33 (2) Info: Missing optional field [SrcDeviceType]
34 (2) Info: Missing optional field [SrcDomain]
35 (2) Info: Missing optional field [SrcDvcId]
36 (2) Info: Missing optional field [SrcDvcScopeId]
37 (2) Info: Missing optional field [SrcDvcScope]
38 (2) Info: Missing optional field [SrcFQDN]
39 (2) Info: Missing optional field [SrcGeoCity]
40 (2) Info: Missing optional field [SrcGeoCountry]
41 (2) Info: Missing optional field [SrcGeoLatitude]
42 (2) Info: Missing optional field [SrcGeoLongitude]
43 (2) Info: Missing optional field [SrcGeoRegion]
44 (2) Info: Missing optional field [SrcHostname]
45 (2) Info: Missing optional field [SrcOriginalRiskLevel]
46 (2) Info: Missing optional field [SrcPortNumber]
47 (2) Info: Missing optional field [SrcRiskLevel]
48 (2) Info: Missing optional field [TargetAppId]
49 (2) Info: Missing optional field [TargetAppName]
50 (2) Info: Missing optional field [TargetDescription]
51 (2) Info: Missing optional field [TargetDeviceType]
52 (2) Info: Missing optional field [TargetDvcOs]
53 (2) Info: Missing optional field [TargetDvcScopeId]
54 (2) Info: Missing optional field [TargetDvcScope]
55 (2) Info: Missing optional field [TargetGeoCity]
56 (2) Info: Missing optional field [TargetGeoCountry]
57 (2) Info: Missing optional field [TargetGeoLatitude]
58 (2) Info: Missing optional field [TargetGeoLongitude]
59 (2) Info: Missing optional field [TargetGeoRegion]
60 (2) Info: Missing optional field [TargetOriginalRiskLevel]
61 (2) Info: Missing optional field [TargetPortNumber]
62 (2) Info: Missing optional field [TargetRiskLevel]
63 (2) Info: Missing optional field [ThreatIpAddr]
64 (2) Info: Missing optional field [ThreatIsActive]
65 (2) Info: Missing optional field [ThreatLastReportedTime]
66 (2) Info: Missing optional field [ThreatOriginalRiskLevel]
67 (2) Info: Missing optional field [ThreatRiskLevel]


@ -0,0 +1,33 @@
Result
"(0) Error: 1 invalid value(s) (up to 10 listed) in 1 records (0.06%) for field [DvcHostname] of type [Hostname]: [""u2019s MacBook Pro""] (Schema:AuditEvent)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 1559 records (100.0%) for field [EventProduct] of type [Enumerated]: [""SentinelOne""] (Schema:AuditEvent)"
"(0) Error: 1 invalid value(s) (up to 10 listed) in 1559 records (100.0%) for field [EventVendor] of type [Enumerated]: [""SentinelOne""] (Schema:AuditEvent)"
"(2) Info: Empty value in 1376 records (88.26%) in recommended field [ObjectId] (Schema:AuditEvent)"
"(2) Info: Empty value in 1440 records (92.37%) in optional field [RuleName] (Schema:AuditEvent)"
"(2) Info: Empty value in 1440 records (92.37%) in optional field [Rule] (Schema:AuditEvent)"
"(2) Info: Empty value in 1480 records (94.93%) in recommended field [SrcIpAddr] (Schema:AuditEvent)"
"(2) Info: Empty value in 1480 records (94.93%) in recommended field [Src] (Schema:AuditEvent)"
"(2) Info: Empty value in 1522 records (97.63%) in recommended field [DvcHostname] (Schema:AuditEvent)"
"(2) Info: Empty value in 1551 records (99.49%) in optional field [EventSubType] (Schema:AuditEvent)"
"(2) Info: Empty value in 1554 records (99.68%) in optional field [DvcFQDN] (Schema:AuditEvent)"
"(2) Info: Empty value in 1554 records (99.68%) in recommended field [DvcDomain] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in optional field [TargetDomain] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in optional field [TargetDvcId] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in optional field [TargetFQDN] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in optional field [TargetUrl] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in recommended field [Dst] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in recommended field [TargetHostname] (Schema:AuditEvent)"
"(2) Info: Empty value in 1559 records (100.0%) in recommended field [TargetIpAddr] (Schema:AuditEvent)"
"(2) Info: Empty value in 198 records (12.7%) in optional field [DvcId] (Schema:AuditEvent)"
"(2) Info: Empty value in 235 records (15.07%) in optional field [ThreatCategory] (Schema:AuditEvent)"
"(2) Info: Empty value in 235 records (15.07%) in optional field [ThreatConfidence] (Schema:AuditEvent)"
"(2) Info: Empty value in 235 records (15.07%) in optional field [ThreatFirstReportedTime] (Schema:AuditEvent)"
"(2) Info: Empty value in 235 records (15.07%) in optional field [ThreatId] (Schema:AuditEvent)"
"(2) Info: Empty value in 235 records (15.07%) in optional field [ThreatOriginalConfidence] (Schema:AuditEvent)"
"(2) Info: Empty value in 243 records (15.59%) in optional field [ThreatName] (Schema:AuditEvent)"
"(2) Info: Empty value in 243 records (15.59%) in optional field [ValueType] (Schema:AuditEvent)"
"(2) Info: Empty value in 243 records (15.59%) in recommended field [NewValue] (Schema:AuditEvent)"
"(2) Info: Empty value in 543 records (34.83%) in optional field [ActorUserId] (Schema:AuditEvent)"
"(2) Info: Empty value in 545 records (34.96%) in optional field [ActorUserType] (Schema:AuditEvent)"
"(2) Info: Empty value in 545 records (34.96%) in recommended field [ActorUsername] (Schema:AuditEvent)"
"(2) Info: Empty value in 847 records (54.33%) in optional field [OldValue] (Schema:AuditEvent)"
1 Result
2 (0) Error: 1 invalid value(s) (up to 10 listed) in 1 records (0.06%) for field [DvcHostname] of type [Hostname]: ["u2019s MacBook Pro"] (Schema:AuditEvent)
3 (0) Error: 1 invalid value(s) (up to 10 listed) in 1559 records (100.0%) for field [EventProduct] of type [Enumerated]: ["SentinelOne"] (Schema:AuditEvent)
4 (0) Error: 1 invalid value(s) (up to 10 listed) in 1559 records (100.0%) for field [EventVendor] of type [Enumerated]: ["SentinelOne"] (Schema:AuditEvent)
5 (2) Info: Empty value in 1376 records (88.26%) in recommended field [ObjectId] (Schema:AuditEvent)
6 (2) Info: Empty value in 1440 records (92.37%) in optional field [RuleName] (Schema:AuditEvent)
7 (2) Info: Empty value in 1440 records (92.37%) in optional field [Rule] (Schema:AuditEvent)
8 (2) Info: Empty value in 1480 records (94.93%) in recommended field [SrcIpAddr] (Schema:AuditEvent)
9 (2) Info: Empty value in 1480 records (94.93%) in recommended field [Src] (Schema:AuditEvent)
10 (2) Info: Empty value in 1522 records (97.63%) in recommended field [DvcHostname] (Schema:AuditEvent)
11 (2) Info: Empty value in 1551 records (99.49%) in optional field [EventSubType] (Schema:AuditEvent)
12 (2) Info: Empty value in 1554 records (99.68%) in optional field [DvcFQDN] (Schema:AuditEvent)
13 (2) Info: Empty value in 1554 records (99.68%) in recommended field [DvcDomain] (Schema:AuditEvent)
14 (2) Info: Empty value in 1559 records (100.0%) in optional field [TargetDomain] (Schema:AuditEvent)
15 (2) Info: Empty value in 1559 records (100.0%) in optional field [TargetDvcId] (Schema:AuditEvent)
16 (2) Info: Empty value in 1559 records (100.0%) in optional field [TargetFQDN] (Schema:AuditEvent)
17 (2) Info: Empty value in 1559 records (100.0%) in optional field [TargetUrl] (Schema:AuditEvent)
18 (2) Info: Empty value in 1559 records (100.0%) in recommended field [Dst] (Schema:AuditEvent)
19 (2) Info: Empty value in 1559 records (100.0%) in recommended field [TargetHostname] (Schema:AuditEvent)
20 (2) Info: Empty value in 1559 records (100.0%) in recommended field [TargetIpAddr] (Schema:AuditEvent)
21 (2) Info: Empty value in 198 records (12.7%) in optional field [DvcId] (Schema:AuditEvent)
22 (2) Info: Empty value in 235 records (15.07%) in optional field [ThreatCategory] (Schema:AuditEvent)
23 (2) Info: Empty value in 235 records (15.07%) in optional field [ThreatConfidence] (Schema:AuditEvent)
24 (2) Info: Empty value in 235 records (15.07%) in optional field [ThreatFirstReportedTime] (Schema:AuditEvent)
25 (2) Info: Empty value in 235 records (15.07%) in optional field [ThreatId] (Schema:AuditEvent)
26 (2) Info: Empty value in 235 records (15.07%) in optional field [ThreatOriginalConfidence] (Schema:AuditEvent)
27 (2) Info: Empty value in 243 records (15.59%) in optional field [ThreatName] (Schema:AuditEvent)
28 (2) Info: Empty value in 243 records (15.59%) in optional field [ValueType] (Schema:AuditEvent)
29 (2) Info: Empty value in 243 records (15.59%) in recommended field [NewValue] (Schema:AuditEvent)
30 (2) Info: Empty value in 543 records (34.83%) in optional field [ActorUserId] (Schema:AuditEvent)
31 (2) Info: Empty value in 545 records (34.96%) in optional field [ActorUserType] (Schema:AuditEvent)
32 (2) Info: Empty value in 545 records (34.96%) in recommended field [ActorUsername] (Schema:AuditEvent)
33 (2) Info: Empty value in 847 records (54.33%) in optional field [OldValue] (Schema:AuditEvent)
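Review bot: The committed data-test results still carry three (0) Error rows (rows 2–4): EventProduct and EventVendor fail the Enumerated type for the value "SentinelOne" in 100% of the 1559 records, and DvcHostname carries `u2019s MacBook Pro`, which reads like a `\u2019` (right single quotation mark) escape that lost its backslash somewhere in the sample data rather than a real hostname. Errors at the (0) level mean the parser output is not schema-valid, so they should be resolved — in the parser, or in the vendor/product enumeration if that is where the allowed list is maintained — or the reason they are tolerated stated in the commit, before this file is committed as the baseline. The hostname artefact is worth tracing to the sample record that produced it; if the apostrophe arrives un-decoded from the source, the DvcHostname mapping will keep emitting values that fail the Hostname type. The Empty-value Info rows (for example the 100%-empty Dst, TargetHostname and TargetIpAddr) are unremarkable for an audit schema and need no action.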


@ -0,0 +1,67 @@
Result
"(1) Warning: Missing recommended field [DvcIpAddr]"
"(1) Warning: Missing recommended field [EventResultDetails]"
"(2) Info: Missing optional alias [Application] aliasing non-existent column [TargetAppName]"
"(2) Info: Missing optional alias [Process] aliasing non-existent column [ActingProcessName]"
"(2) Info: Missing optional field [ActingAppId]"
"(2) Info: Missing optional field [ActingAppName]"
"(2) Info: Missing optional field [ActingAppType]"
"(2) Info: Missing optional field [ActorOriginalUserType]"
"(2) Info: Missing optional field [ActorScopeId]"
"(2) Info: Missing optional field [ActorScope]"
"(2) Info: Missing optional field [ActorSessionId]"
"(2) Info: Missing optional field [ActorUserAadId]"
"(2) Info: Missing optional field [ActorUserSid]"
"(2) Info: Missing optional field [DvcDescription]"
"(2) Info: Missing optional field [DvcInterface]"
"(2) Info: Missing optional field [DvcMacAddr]"
"(2) Info: Missing optional field [DvcOriginalAction]"
"(2) Info: Missing optional field [DvcOsVersion]"
"(2) Info: Missing optional field [DvcOs]"
"(2) Info: Missing optional field [DvcScopeId]"
"(2) Info: Missing optional field [DvcScope]"
"(2) Info: Missing optional field [DvcZone]"
"(2) Info: Missing optional field [EventOriginalResultDetails]"
"(2) Info: Missing optional field [EventOriginalSeverity]"
"(2) Info: Missing optional field [EventOriginalSubType]"
"(2) Info: Missing optional field [EventOwner]"
"(2) Info: Missing optional field [EventProductVersion]"
"(2) Info: Missing optional field [EventReportUrl]"
"(2) Info: Missing optional field [HttpUserAgent]"
"(2) Info: Missing optional field [RuleNumber]"
"(2) Info: Missing optional field [SrcDescription]"
"(2) Info: Missing optional field [SrcDeviceType]"
"(2) Info: Missing optional field [SrcDomain]"
"(2) Info: Missing optional field [SrcDvcId]"
"(2) Info: Missing optional field [SrcDvcScopeId]"
"(2) Info: Missing optional field [SrcDvcScope]"
"(2) Info: Missing optional field [SrcFQDN]"
"(2) Info: Missing optional field [SrcGeoCity]"
"(2) Info: Missing optional field [SrcGeoCountry]"
"(2) Info: Missing optional field [SrcGeoLatitude]"
"(2) Info: Missing optional field [SrcGeoLongitude]"
"(2) Info: Missing optional field [SrcGeoRegion]"
"(2) Info: Missing optional field [SrcHostname]"
"(2) Info: Missing optional field [SrcOriginalRiskLevel]"
"(2) Info: Missing optional field [SrcPortNumber]"
"(2) Info: Missing optional field [SrcRiskLevel]"
"(2) Info: Missing optional field [TargetAppId]"
"(2) Info: Missing optional field [TargetAppName]"
"(2) Info: Missing optional field [TargetDescription]"
"(2) Info: Missing optional field [TargetDeviceType]"
"(2) Info: Missing optional field [TargetDvcOs]"
"(2) Info: Missing optional field [TargetDvcScopeId]"
"(2) Info: Missing optional field [TargetDvcScope]"
"(2) Info: Missing optional field [TargetGeoCity]"
"(2) Info: Missing optional field [TargetGeoCountry]"
"(2) Info: Missing optional field [TargetGeoLatitude]"
"(2) Info: Missing optional field [TargetGeoLongitude]"
"(2) Info: Missing optional field [TargetGeoRegion]"
"(2) Info: Missing optional field [TargetOriginalRiskLevel]"
"(2) Info: Missing optional field [TargetPortNumber]"
"(2) Info: Missing optional field [TargetRiskLevel]"
"(2) Info: Missing optional field [ThreatIpAddr]"
"(2) Info: Missing optional field [ThreatIsActive]"
"(2) Info: Missing optional field [ThreatLastReportedTime]"
"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
"(2) Info: Missing optional field [ThreatRiskLevel]"
1 Result
2 (1) Warning: Missing recommended field [DvcIpAddr]
3 (1) Warning: Missing recommended field [EventResultDetails]
4 (2) Info: Missing optional alias [Application] aliasing non-existent column [TargetAppName]
5 (2) Info: Missing optional alias [Process] aliasing non-existent column [ActingProcessName]
6 (2) Info: Missing optional field [ActingAppId]
7 (2) Info: Missing optional field [ActingAppName]
8 (2) Info: Missing optional field [ActingAppType]
9 (2) Info: Missing optional field [ActorOriginalUserType]
10 (2) Info: Missing optional field [ActorScopeId]
11 (2) Info: Missing optional field [ActorScope]
12 (2) Info: Missing optional field [ActorSessionId]
13 (2) Info: Missing optional field [ActorUserAadId]
14 (2) Info: Missing optional field [ActorUserSid]
15 (2) Info: Missing optional field [DvcDescription]
16 (2) Info: Missing optional field [DvcInterface]
17 (2) Info: Missing optional field [DvcMacAddr]
18 (2) Info: Missing optional field [DvcOriginalAction]
19 (2) Info: Missing optional field [DvcOsVersion]
20 (2) Info: Missing optional field [DvcOs]
21 (2) Info: Missing optional field [DvcScopeId]
22 (2) Info: Missing optional field [DvcScope]
23 (2) Info: Missing optional field [DvcZone]
24 (2) Info: Missing optional field [EventOriginalResultDetails]
25 (2) Info: Missing optional field [EventOriginalSeverity]
26 (2) Info: Missing optional field [EventOriginalSubType]
27 (2) Info: Missing optional field [EventOwner]
28 (2) Info: Missing optional field [EventProductVersion]
29 (2) Info: Missing optional field [EventReportUrl]
30 (2) Info: Missing optional field [HttpUserAgent]
31 (2) Info: Missing optional field [RuleNumber]
32 (2) Info: Missing optional field [SrcDescription]
33 (2) Info: Missing optional field [SrcDeviceType]
34 (2) Info: Missing optional field [SrcDomain]
35 (2) Info: Missing optional field [SrcDvcId]
36 (2) Info: Missing optional field [SrcDvcScopeId]
37 (2) Info: Missing optional field [SrcDvcScope]
38 (2) Info: Missing optional field [SrcFQDN]
39 (2) Info: Missing optional field [SrcGeoCity]
40 (2) Info: Missing optional field [SrcGeoCountry]
41 (2) Info: Missing optional field [SrcGeoLatitude]
42 (2) Info: Missing optional field [SrcGeoLongitude]
43 (2) Info: Missing optional field [SrcGeoRegion]
44 (2) Info: Missing optional field [SrcHostname]
45 (2) Info: Missing optional field [SrcOriginalRiskLevel]
46 (2) Info: Missing optional field [SrcPortNumber]
47 (2) Info: Missing optional field [SrcRiskLevel]
48 (2) Info: Missing optional field [TargetAppId]
49 (2) Info: Missing optional field [TargetAppName]
50 (2) Info: Missing optional field [TargetDescription]
51 (2) Info: Missing optional field [TargetDeviceType]
52 (2) Info: Missing optional field [TargetDvcOs]
53 (2) Info: Missing optional field [TargetDvcScopeId]
54 (2) Info: Missing optional field [TargetDvcScope]
55 (2) Info: Missing optional field [TargetGeoCity]
56 (2) Info: Missing optional field [TargetGeoCountry]
57 (2) Info: Missing optional field [TargetGeoLatitude]
58 (2) Info: Missing optional field [TargetGeoLongitude]
59 (2) Info: Missing optional field [TargetGeoRegion]
60 (2) Info: Missing optional field [TargetOriginalRiskLevel]
61 (2) Info: Missing optional field [TargetPortNumber]
62 (2) Info: Missing optional field [TargetRiskLevel]
63 (2) Info: Missing optional field [ThreatIpAddr]
64 (2) Info: Missing optional field [ThreatIsActive]
65 (2) Info: Missing optional field [ThreatLastReportedTime]
66 (2) Info: Missing optional field [ThreatOriginalRiskLevel]
67 (2) Info: Missing optional field [ThreatRiskLevel]
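Review bot: The schema-test results are committed with two (1) Warnings (rows 2–3): the recommended fields DvcIpAddr and EventResultDetails are not produced by the parser. EventResultDetails is the field that usually carries the reason behind a non-success EventResult, so if the source event exposes a status or reason text it should be mapped before these results become the baseline; if the source has nothing to map, recording that in the parser's description would stop the warning being re-raised on every review. The Info rows for missing optional fields and the two missing aliases are acceptable as they stand.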



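--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,72 @@
+[
+{
+"ip": "1.1.2.2",
+"metadata": {
+"asn": "AS25000",
+"city": "Taif",
+"country": "Saudi Arabia",
+"country_code": "SA",
+"organization": "Saudi Telecom Company JSC",
+"category": "isp",
+"tor": false,
+"rdns": "" ,
+"os": "Windows 7/8",
+"sensor_count": 78,
+"sensor_hits": 433,
+"region": "Mecca Region",
+"destination_countries": [
+"Belarus",
+"United States",
+"Saudi Arabia",
+"Bulgaria",
+"United Kingdom",
+"Israel",
+"Australia",
+"Indonesia",
+"South Korea"
+],
+"source_country": "Saudi Arabia",
+"source_country_code": "SA",
+"destination_country_codes": [
+"BY",
+"US",
+"SA",
+"BG",
+"GB",
+"IL",
+"AU",
+"ID",
+"KR"
+]
+},
+"bot": false,
+"vpn": false,
+"vpn_service": "N/A",
+"spoofable": false,
+"raw_data": {
+"scan": [
+{
+"port": 445,
+"protocol": "TCP"
+},
+{
+"port": 1433,
+"protocol": "TCP"
+}
+],
+"web": {},
+"ja3": [],
+"hassh": []
+},
+"first_seen": "2023-08-23",
+"last_seen": "2023-08-25",
+"seen": true,
+"tags": [
+"MSSQL Bruteforcer",
+"SMBv1 Crawler"
+],
+"actor": "unknown",
+"classification": "malicious",
+"cve": []
+}
+]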
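Review bot: The fixture attributes `"classification": "malicious"` and bruteforcer/crawler tags to 1.1.2.2, which appears to be a publicly allocated address; sample data that pins malicious activity on a real address is easy to copy into a demo or a detection test and then mislead whoever reads it. Unless the test deliberately depends on this value, an RFC 5737 documentation address such as `"ip": "192.0.2.2"` carries the same test value without naming a real host. Separately, `"rdns": "" ,` has a stray space before the comma — legal JSON, but inconsistent with every other line in the file; `"rdns": "",` matches its neighbours.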


@ -0,0 +1,13 @@
TenantId,SourceSystem,MG,ManagementGroupName,"TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",Computer,RawData,"Action_s","Content_Type_s","Device_s","Domain_s","Response_s","Src_IPv4_s","URL_s",Type,"_ResourceId",parts,tld,"DNS_TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",TenantId1,"TimeGenerated1 [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",SourceSystem1,Action,ActivityGroupNames,AdditionalInformation,ApplicationId,AzureTenantId,ConfidenceScore,Description,DiamondModel,ExternalIndicatorId,"ExpirationDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",IndicatorId,ThreatType,Active,KillChainActions,KillChainC2,KillChainDelivery,KillChainExploitation,KillChainReconnaissance,KillChainWeaponization,KnownFalsePositives,MalwareNames,PassiveOnly,ThreatSeverity,Tags,TrafficLightProtocolLevel,EmailEncoding,EmailLanguage,EmailRecipient,EmailSenderAddress,EmailSenderName,EmailSourceDomain,EmailSourceIpAddress,EmailSubject,EmailXMailer,"FileCompileDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]","FileCreatedDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",FileHashType,FileHashValue,FileMutexName,FileName,FilePacker,FilePath,FileSize,FileType,DomainName,NetworkIP,NetworkPort,NetworkDestinationAsn,NetworkDestinationCidrBlock,NetworkDestinationIP,NetworkCidrBlock,NetworkDestinationPort,NetworkProtocol,NetworkSourceAsn,NetworkSourceCidrBlock,NetworkSourceIP,NetworkSourcePort,Url,UserAgent,IndicatorProvider,Type1
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/16/2023, 4:05:13.099 PM",,,GET,"text/javascript","Squid_Proxy","ikomoouessgqekmc.xyz","TCP_MISS/200","10.1.70.199","http://ikomoouessgqekmc.xyz/qgdaxsi","Squid_Proxy_Domain_CL",,"[""ikomoouessgqekmc"",""xyz""]",xyz,"9/16/2023, 4:05:13.099 PM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.074 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",90,"Recorded Future - Domains - Command and Control Activity",,"indicator--b29ed22d-bc66-4ea3-9527-cb1f7d5996de","9/19/2023, 7:07:35.900 PM",4B5338C3FB62BE62671A9C63A9FB11D83CE2B9E9DC70D082C46256A054D65280,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695057312382,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"ikomoouessgqekmc.xyz",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 4:05:12.176 PM",,,GET,"image/webp","Squid_Proxy","nihsxhvkfjwotm.bid","TCP_MISS/304","10.1.147.78","http://nihsxhvkfjwotm.bid/nkavfib","Squid_Proxy_Domain_CL",,"[""nihsxhvkfjwotm"",""bid""]",bid,"9/15/2023, 4:05:12.176 PM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.117 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",92,"Recorded Future - Domains - Command and Control Activity",,"indicator--0fc20b4c-3c37-4321-b991-2eaafc2d744e","9/19/2023, 7:07:36.511 PM",95956A998E54BBE5EFCA1E68B6AE8DE2FF31FA3B286070A6931C18CD8FB19965,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported Botnet Domain\"",\""EvidenceString\"":\""9 sightings on 1 source: External Sensor Data Analysis. nihsxhvkfjwotm.bid is observed to be a botnet domain from which network attacks are launched. Attacks may include SPAM messages, DOS, SQL injections, proxy jacking, and other unsolicited contacts.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691544788241,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695104194129,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695104194092,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"nihsxhvkfjwotm.bid",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 5:08:25.443 PM",,,GET,"text/css","Squid_Proxy","csyeywqwyikqaiim.xyz","TCP_MISS/304","10.1.203.27","http://csyeywqwyikqaiim.xyz/wixylmz","Squid_Proxy_Domain_CL",,"[""csyeywqwyikqaiim"",""xyz""]",xyz,"9/19/2023, 5:08:25.443 PM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.343 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",91,"Recorded Future - Domains - Command and Control Activity",,"indicator--78c75a0a-c236-4f67-907f-facde94f5c6d","9/19/2023, 7:07:32.698 PM",7E44E1F99140ED284EF6D4379ED8B40505BCA4A18FDDFECC3818DDA1ABB06581,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Twitter. Most recent link (Jul 5, 2023): https://twitter.com/0xToxin/statuses/1676578018985123841\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1688562323000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695051741313,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"csyeywqwyikqaiim.xyz",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 11:20:55.461 AM",,,GET,"text/css","Squid_Proxy","snfrpmnq.org","TCP_MISS/200","10.1.4.174","http://snfrpmnq.org/xsqvmdw","Squid_Proxy_Domain_CL",,"[""snfrpmnq"",""org""]",org,"9/19/2023, 11:20:55.461 AM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.351 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",92,"Recorded Future - Domains - Command and Control Activity",,"indicator--027005e3-dfe2-41d2-bd06-e8ac80b9aab8","9/19/2023, 7:07:32.983 PM",8BD4D42FFD595F366EA42C53950192F049B8D0F8E2BADF9A90272D0814364FB0,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New unknownmalware Dom: snfrpmnq[.]org IP: 169[.]50[.]13[.]61 NS: https://t.co/JxUb8f0Cir https://t.co/RCTjQ7czQd. Most recent link (May 5, 2020): https://twitter.com/DGAFeedAlerts/statuses/1257784471450980354\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1588714161000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695056485635,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695056485614,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"snfrpmnq.org",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 5:08:25.443 PM",,,GET,"text/css","Squid_Proxy","csyeywqwyikqaiim.xyz","TCP_MISS/304","10.1.203.27","http://csyeywqwyikqaiim.xyz/wixylmz","Squid_Proxy_Domain_CL",,"[""csyeywqwyikqaiim"",""xyz""]",xyz,"9/19/2023, 5:08:25.443 PM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:08.349 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",91,"Recorded Future - Domains - Command and Control Activity",,"indicator--edf873d9-031f-4512-9377-7c66b70d6d84","9/19/2023, 7:07:37.897 PM",7E44E1F99140ED284EF6D4379ED8B40505BCA4A18FDDFECC3818DDA1ABB06581,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Twitter. Most recent link (Jul 5, 2023): https://twitter.com/0xToxin/statuses/1676578018985123841\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1688562323000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695051741313,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"csyeywqwyikqaiim.xyz",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 11:20:55.461 AM",,,GET,"text/css","Squid_Proxy","snfrpmnq.org","TCP_MISS/200","10.1.4.174","http://snfrpmnq.org/xsqvmdw","Squid_Proxy_Domain_CL",,"[""snfrpmnq"",""org""]",org,"9/19/2023, 11:20:55.461 AM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:08.353 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",92,"Recorded Future - Domains - Command and Control Activity",,"indicator--ef68f1ed-1f9b-4f90-9048-4f9dfc514708","9/19/2023, 7:07:38.169 PM",8BD4D42FFD595F366EA42C53950192F049B8D0F8E2BADF9A90272D0814364FB0,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New unknownmalware Dom: snfrpmnq[.]org IP: 169[.]50[.]13[.]61 NS: https://t.co/JxUb8f0Cir https://t.co/RCTjQ7czQd. Most recent link (May 5, 2020): https://twitter.com/DGAFeedAlerts/statuses/1257784471450980354\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1588714161000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695056485635,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695056485614,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"snfrpmnq.org",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/16/2023, 4:05:13.099 PM",,,GET,"text/javascript","Squid_Proxy","ikomoouessgqekmc.xyz","TCP_MISS/200","10.1.70.199","http://ikomoouessgqekmc.xyz/qgdaxsi","Squid_Proxy_Domain_CL",,"[""ikomoouessgqekmc"",""xyz""]",xyz,"9/16/2023, 4:05:13.099 PM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:11.465 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",90,"Recorded Future - Domains - Command and Control Activity",,"indicator--72b32039-662f-4dca-9155-4f4d982e846f","9/19/2023, 7:07:40.318 PM",4B5338C3FB62BE62671A9C63A9FB11D83CE2B9E9DC70D082C46256A054D65280,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695057312382,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"ikomoouessgqekmc.xyz",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 4:05:12.176 PM",,,GET,"image/webp","Squid_Proxy","nihsxhvkfjwotm.bid","TCP_MISS/304","10.1.147.78","http://nihsxhvkfjwotm.bid/nkavfib","Squid_Proxy_Domain_CL",,"[""nihsxhvkfjwotm"",""bid""]",bid,"9/15/2023, 4:05:12.176 PM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:11.662 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",92,"Recorded Future - Domains - Command and Control Activity",,"indicator--640d024a-2112-4662-bd03-853659264c71","9/19/2023, 7:07:40.943 PM",95956A998E54BBE5EFCA1E68B6AE8DE2FF31FA3B286070A6931C18CD8FB19965,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported Botnet Domain\"",\""EvidenceString\"":\""9 sightings on 1 source: External Sensor Data Analysis. nihsxhvkfjwotm.bid is observed to be a botnet domain from which network attacks are launched. Attacks may include SPAM messages, DOS, SQL injections, proxy jacking, and other unsolicited contacts.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691544788241,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695104194129,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695104194092,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"nihsxhvkfjwotm.bid",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 4:05:12.176 PM",,,GET,"image/webp","Squid_Proxy","nihsxhvkfjwotm.bid","TCP_MISS/304","10.1.147.78","http://nihsxhvkfjwotm.bid/nkavfib","Squid_Proxy_Domain_CL",,"[""nihsxhvkfjwotm"",""bid""]",bid,"9/15/2023, 4:05:12.176 PM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:08:50.963 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",92,"Recorded Future - Domains - Command and Control Activity",,"indicator--a5882cfd-0384-4071-b400-df9cfc514767","9/19/2023, 9:08:27.378 PM",95956A998E54BBE5EFCA1E68B6AE8DE2FF31FA3B286070A6931C18CD8FB19965,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported Botnet Domain\"",\""EvidenceString\"":\""9 sightings on 1 source: External Sensor Data Analysis. nihsxhvkfjwotm.bid is observed to be a botnet domain from which network attacks are launched. Attacks may include SPAM messages, DOS, SQL injections, proxy jacking, and other unsolicited contacts.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691544788241,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695104194129,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695104194092,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"nihsxhvkfjwotm.bid",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 5:08:25.443 PM",,,GET,"text/css","Squid_Proxy","csyeywqwyikqaiim.xyz","TCP_MISS/304","10.1.203.27","http://csyeywqwyikqaiim.xyz/wixylmz","Squid_Proxy_Domain_CL",,"[""csyeywqwyikqaiim"",""xyz""]",xyz,"9/19/2023, 5:08:25.443 PM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:08:50.964 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",91,"Recorded Future - Domains - Command and Control Activity",,"indicator--e6b91855-bc05-4724-b425-b72faf48773a","9/19/2023, 9:08:27.494 PM",7E44E1F99140ED284EF6D4379ED8B40505BCA4A18FDDFECC3818DDA1ABB06581,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Twitter. Most recent link (Jul 5, 2023): https://twitter.com/0xToxin/statuses/1676578018985123841\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1688562323000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695139103510,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"csyeywqwyikqaiim.xyz",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/16/2023, 4:05:13.099 PM",,,GET,"text/javascript","Squid_Proxy","ikomoouessgqekmc.xyz","TCP_MISS/200","10.1.70.199","http://ikomoouessgqekmc.xyz/qgdaxsi","Squid_Proxy_Domain_CL",,"[""ikomoouessgqekmc"",""xyz""]",xyz,"9/16/2023, 4:05:13.099 PM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:08:51.412 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",90,"Recorded Future - Domains - Command and Control Activity",,"indicator--307dc0e1-825a-4b37-9b48-d380004c11ce","9/19/2023, 9:08:26.824 PM",4B5338C3FB62BE62671A9C63A9FB11D83CE2B9E9DC70D082C46256A054D65280,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695057312382,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"ikomoouessgqekmc.xyz",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 11:20:55.461 AM",,,GET,"text/css","Squid_Proxy","snfrpmnq.org","TCP_MISS/200","10.1.4.174","http://snfrpmnq.org/xsqvmdw","Squid_Proxy_Domain_CL",,"[""snfrpmnq"",""org""]",org,"9/19/2023, 11:20:55.461 AM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:08:51.904 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",92,"Recorded Future - Domains - Command and Control Activity",,"indicator--360a7529-56ba-4d31-85b0-3865aff91310","9/19/2023, 9:08:24.489 PM",8BD4D42FFD595F366EA42C53950192F049B8D0F8E2BADF9A90272D0814364FB0,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New unknownmalware Dom: snfrpmnq[.]org IP: 169[.]50[.]13[.]61 NS: https://t.co/JxUb8f0Cir https://t.co/RCTjQ7czQd. Most recent link (May 5, 2020): https://twitter.com/DGAFeedAlerts/statuses/1257784471450980354\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1588714161000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695056485635,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695056485614,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"snfrpmnq.org",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator
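Review bot: The header row on the first line of the file carries portal-export column names such as `TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]` and `ExpirationDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]`, with values in the local 12-hour form `9/16/2023, 4:05:13.099 PM`; any parser or test that reads this sample by the real column name `TimeGenerated` will not find it, and the times are presumably rendered in that zone rather than the UTC the table stores. Re-exporting with the portal set to UTC, or renaming those headers to the bare field names and writing ISO 8601 UTC timestamps, makes the sample match the live schema. The `TenantId` and `AzureTenantId` GUIDs repeated in every row look like identifiers copied from a real workspace; sample data in a public repository should replace them with clearly synthetic values such as `00000000-0000-0000-0000-000000000000`.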
1 TenantId SourceSystem MG ManagementGroupName TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] Computer RawData Action_s Content_Type_s Device_s Domain_s Response_s Src_IPv4_s URL_s Type _ResourceId parts tld DNS_TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] TenantId1 TimeGenerated1 [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] SourceSystem1 Action ActivityGroupNames AdditionalInformation ApplicationId AzureTenantId ConfidenceScore Description DiamondModel ExternalIndicatorId ExpirationDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] IndicatorId ThreatType Active KillChainActions KillChainC2 KillChainDelivery KillChainExploitation KillChainReconnaissance KillChainWeaponization KnownFalsePositives MalwareNames PassiveOnly ThreatSeverity Tags TrafficLightProtocolLevel EmailEncoding EmailLanguage EmailRecipient EmailSenderAddress EmailSenderName EmailSourceDomain EmailSourceIpAddress EmailSubject EmailXMailer FileCompileDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] FileCreatedDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] FileHashType FileHashValue FileMutexName FileName FilePacker FilePath FileSize FileType DomainName NetworkIP NetworkPort NetworkDestinationAsn NetworkDestinationCidrBlock NetworkDestinationIP NetworkCidrBlock NetworkDestinationPort NetworkProtocol NetworkSourceAsn NetworkSourceCidrBlock NetworkSourceIP NetworkSourcePort Url UserAgent IndicatorProvider Type1
2 f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/16/2023, 4:05:13.099 PM GET text/javascript Squid_Proxy ikomoouessgqekmc.xyz TCP_MISS/200 10.1.70.199 http://ikomoouessgqekmc.xyz/qgdaxsi Squid_Proxy_Domain_CL ["ikomoouessgqekmc","xyz"] xyz 9/16/2023, 4:05:13.099 PM f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/19/2023, 5:08:06.074 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 90 Recorded Future - Domains - Command and Control Activity indicator--b29ed22d-bc66-4ea3-9527-cb1f7d5996de 9/19/2023, 7:07:35.900 PM 4B5338C3FB62BE62671A9C63A9FB11D83CE2B9E9DC70D082C46256A054D65280 malicious-activity true ["[{\"Rule\":\"Recent C&C DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\",\"CriticalityLabel\":\"Very Malicious\",\"Timestamp\":1695057312382,\"MitigationString\":\"\",\"Criticality\":4}]"] unknown ikomoouessgqekmc.xyz ThreatIntelligenceIndicator
3 f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/15/2023, 4:05:12.176 PM GET image/webp Squid_Proxy nihsxhvkfjwotm.bid TCP_MISS/304 10.1.147.78 http://nihsxhvkfjwotm.bid/nkavfib Squid_Proxy_Domain_CL ["nihsxhvkfjwotm","bid"] bid 9/15/2023, 4:05:12.176 PM f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/19/2023, 5:08:06.117 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 92 Recorded Future - Domains - Command and Control Activity indicator--0fc20b4c-3c37-4321-b991-2eaafc2d744e 9/19/2023, 7:07:36.511 PM 95956A998E54BBE5EFCA1E68B6AE8DE2FF31FA3B286070A6931C18CD8FB19965 malicious-activity true ["[{\"Rule\":\"Historically Reported Botnet Domain\",\"EvidenceString\":\"9 sightings on 1 source: External Sensor Data Analysis. nihsxhvkfjwotm.bid is observed to be a botnet domain from which network attacks are launched. Attacks may include SPAM messages, DOS, SQL injections, proxy jacking, and other unsolicited contacts.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1691544788241,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Reported in Threat List\",\"EvidenceString\":\"Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1695104194129,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Recent C&C DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\",\"CriticalityLabel\":\"Very Malicious\",\"Timestamp\":1695104194092,\"MitigationString\":\"\",\"Criticality\":4}]"] unknown nihsxhvkfjwotm.bid ThreatIntelligenceIndicator
4 f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/19/2023, 5:08:25.443 PM GET text/css Squid_Proxy csyeywqwyikqaiim.xyz TCP_MISS/304 10.1.203.27 http://csyeywqwyikqaiim.xyz/wixylmz Squid_Proxy_Domain_CL ["csyeywqwyikqaiim","xyz"] xyz 9/19/2023, 5:08:25.443 PM f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/19/2023, 5:08:06.343 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 91 Recorded Future - Domains - Command and Control Activity indicator--78c75a0a-c236-4f67-907f-facde94f5c6d 9/19/2023, 7:07:32.698 PM 7E44E1F99140ED284EF6D4379ED8B40505BCA4A18FDDFECC3818DDA1ABB06581 malicious-activity true ["[{\"Rule\":\"Historically Reported as a Defanged DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: Twitter. Most recent link (Jul 5, 2023): https://twitter.com/0xToxin/statuses/1676578018985123841\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1688562323000,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Recent C&C DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\",\"CriticalityLabel\":\"Very Malicious\",\"Timestamp\":1695051741313,\"MitigationString\":\"\",\"Criticality\":4}]"] unknown csyeywqwyikqaiim.xyz ThreatIntelligenceIndicator
5 f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/19/2023, 11:20:55.461 AM GET text/css Squid_Proxy snfrpmnq.org TCP_MISS/200 10.1.4.174 http://snfrpmnq.org/xsqvmdw Squid_Proxy_Domain_CL ["snfrpmnq","org"] org 9/19/2023, 11:20:55.461 AM f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/19/2023, 5:08:06.351 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 92 Recorded Future - Domains - Command and Control Activity indicator--027005e3-dfe2-41d2-bd06-e8ac80b9aab8 9/19/2023, 7:07:32.983 PM 8BD4D42FFD595F366EA42C53950192F049B8D0F8E2BADF9A90272D0814364FB0 malicious-activity true ["[{\"Rule\":\"Historically Reported as a Defanged DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New unknownmalware Dom: snfrpmnq[.]org IP: 169[.]50[.]13[.]61 NS: https://t.co/JxUb8f0Cir https://t.co/RCTjQ7czQd. Most recent link (May 5, 2020): https://twitter.com/DGAFeedAlerts/statuses/1257784471450980354\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1588714161000,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Reported in Threat List\",\"EvidenceString\":\"Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1695056485635,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Recent C&C DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\",\"CriticalityLabel\":\"Very Malicious\",\"Timestamp\":1695056485614,\"MitigationString\":\"\",\"Criticality\":4}]"] unknown snfrpmnq.org ThreatIntelligenceIndicator
6 f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/19/2023, 5:08:25.443 PM GET text/css Squid_Proxy csyeywqwyikqaiim.xyz TCP_MISS/304 10.1.203.27 http://csyeywqwyikqaiim.xyz/wixylmz Squid_Proxy_Domain_CL ["csyeywqwyikqaiim","xyz"] xyz 9/19/2023, 5:08:25.443 PM f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/19/2023, 5:08:08.349 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 91 Recorded Future - Domains - Command and Control Activity indicator--edf873d9-031f-4512-9377-7c66b70d6d84 9/19/2023, 7:07:37.897 PM 7E44E1F99140ED284EF6D4379ED8B40505BCA4A18FDDFECC3818DDA1ABB06581 malicious-activity true ["[{\"Rule\":\"Historically Reported as a Defanged DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: Twitter. Most recent link (Jul 5, 2023): https://twitter.com/0xToxin/statuses/1676578018985123841\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1688562323000,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Recent C&C DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\",\"CriticalityLabel\":\"Very Malicious\",\"Timestamp\":1695051741313,\"MitigationString\":\"\",\"Criticality\":4}]"] unknown csyeywqwyikqaiim.xyz ThreatIntelligenceIndicator
7 f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/19/2023, 11:20:55.461 AM GET text/css Squid_Proxy snfrpmnq.org TCP_MISS/200 10.1.4.174 http://snfrpmnq.org/xsqvmdw Squid_Proxy_Domain_CL ["snfrpmnq","org"] org 9/19/2023, 11:20:55.461 AM f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/19/2023, 5:08:08.353 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 92 Recorded Future - Domains - Command and Control Activity indicator--ef68f1ed-1f9b-4f90-9048-4f9dfc514708 9/19/2023, 7:07:38.169 PM 8BD4D42FFD595F366EA42C53950192F049B8D0F8E2BADF9A90272D0814364FB0 malicious-activity true ["[{\"Rule\":\"Historically Reported as a Defanged DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New unknownmalware Dom: snfrpmnq[.]org IP: 169[.]50[.]13[.]61 NS: https://t.co/JxUb8f0Cir https://t.co/RCTjQ7czQd. Most recent link (May 5, 2020): https://twitter.com/DGAFeedAlerts/statuses/1257784471450980354\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1588714161000,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Reported in Threat List\",\"EvidenceString\":\"Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1695056485635,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Recent C&C DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\",\"CriticalityLabel\":\"Very Malicious\",\"Timestamp\":1695056485614,\"MitigationString\":\"\",\"Criticality\":4}]"] unknown snfrpmnq.org ThreatIntelligenceIndicator
8 f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/16/2023, 4:05:13.099 PM GET text/javascript Squid_Proxy ikomoouessgqekmc.xyz TCP_MISS/200 10.1.70.199 http://ikomoouessgqekmc.xyz/qgdaxsi Squid_Proxy_Domain_CL ["ikomoouessgqekmc","xyz"] xyz 9/16/2023, 4:05:13.099 PM f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/19/2023, 5:08:11.465 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 90 Recorded Future - Domains - Command and Control Activity indicator--72b32039-662f-4dca-9155-4f4d982e846f 9/19/2023, 7:07:40.318 PM 4B5338C3FB62BE62671A9C63A9FB11D83CE2B9E9DC70D082C46256A054D65280 malicious-activity true ["[{\"Rule\":\"Recent C&C DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\",\"CriticalityLabel\":\"Very Malicious\",\"Timestamp\":1695057312382,\"MitigationString\":\"\",\"Criticality\":4}]"] unknown ikomoouessgqekmc.xyz ThreatIntelligenceIndicator
9 f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/15/2023, 4:05:12.176 PM GET image/webp Squid_Proxy nihsxhvkfjwotm.bid TCP_MISS/304 10.1.147.78 http://nihsxhvkfjwotm.bid/nkavfib Squid_Proxy_Domain_CL ["nihsxhvkfjwotm","bid"] bid 9/15/2023, 4:05:12.176 PM f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/19/2023, 5:08:11.662 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 92 Recorded Future - Domains - Command and Control Activity indicator--640d024a-2112-4662-bd03-853659264c71 9/19/2023, 7:07:40.943 PM 95956A998E54BBE5EFCA1E68B6AE8DE2FF31FA3B286070A6931C18CD8FB19965 malicious-activity true ["[{\"Rule\":\"Historically Reported Botnet Domain\",\"EvidenceString\":\"9 sightings on 1 source: External Sensor Data Analysis. nihsxhvkfjwotm.bid is observed to be a botnet domain from which network attacks are launched. Attacks may include SPAM messages, DOS, SQL injections, proxy jacking, and other unsolicited contacts.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1691544788241,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Reported in Threat List\",\"EvidenceString\":\"Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1695104194129,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Recent C&C DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\",\"CriticalityLabel\":\"Very Malicious\",\"Timestamp\":1695104194092,\"MitigationString\":\"\",\"Criticality\":4}]"] unknown nihsxhvkfjwotm.bid ThreatIntelligenceIndicator
10 f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/15/2023, 4:05:12.176 PM GET image/webp Squid_Proxy nihsxhvkfjwotm.bid TCP_MISS/304 10.1.147.78 http://nihsxhvkfjwotm.bid/nkavfib Squid_Proxy_Domain_CL ["nihsxhvkfjwotm","bid"] bid 9/15/2023, 4:05:12.176 PM f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/19/2023, 7:08:50.963 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 92 Recorded Future - Domains - Command and Control Activity indicator--a5882cfd-0384-4071-b400-df9cfc514767 9/19/2023, 9:08:27.378 PM 95956A998E54BBE5EFCA1E68B6AE8DE2FF31FA3B286070A6931C18CD8FB19965 malicious-activity true ["[{\"Rule\":\"Historically Reported Botnet Domain\",\"EvidenceString\":\"9 sightings on 1 source: External Sensor Data Analysis. nihsxhvkfjwotm.bid is observed to be a botnet domain from which network attacks are launched. Attacks may include SPAM messages, DOS, SQL injections, proxy jacking, and other unsolicited contacts.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1691544788241,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Reported in Threat List\",\"EvidenceString\":\"Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1695104194129,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Recent C&C DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\",\"CriticalityLabel\":\"Very Malicious\",\"Timestamp\":1695104194092,\"MitigationString\":\"\",\"Criticality\":4}]"] unknown nihsxhvkfjwotm.bid ThreatIntelligenceIndicator
11 f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/19/2023, 5:08:25.443 PM GET text/css Squid_Proxy csyeywqwyikqaiim.xyz TCP_MISS/304 10.1.203.27 http://csyeywqwyikqaiim.xyz/wixylmz Squid_Proxy_Domain_CL ["csyeywqwyikqaiim","xyz"] xyz 9/19/2023, 5:08:25.443 PM f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/19/2023, 7:08:50.964 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 91 Recorded Future - Domains - Command and Control Activity indicator--e6b91855-bc05-4724-b425-b72faf48773a 9/19/2023, 9:08:27.494 PM 7E44E1F99140ED284EF6D4379ED8B40505BCA4A18FDDFECC3818DDA1ABB06581 malicious-activity true ["[{\"Rule\":\"Historically Reported as a Defanged DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: Twitter. Most recent link (Jul 5, 2023): https://twitter.com/0xToxin/statuses/1676578018985123841\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1688562323000,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Recent C&C DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\",\"CriticalityLabel\":\"Very Malicious\",\"Timestamp\":1695139103510,\"MitigationString\":\"\",\"Criticality\":4}]"] unknown csyeywqwyikqaiim.xyz ThreatIntelligenceIndicator
12 f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/16/2023, 4:05:13.099 PM GET text/javascript Squid_Proxy ikomoouessgqekmc.xyz TCP_MISS/200 10.1.70.199 http://ikomoouessgqekmc.xyz/qgdaxsi Squid_Proxy_Domain_CL ["ikomoouessgqekmc","xyz"] xyz 9/16/2023, 4:05:13.099 PM f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/19/2023, 7:08:51.412 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 90 Recorded Future - Domains - Command and Control Activity indicator--307dc0e1-825a-4b37-9b48-d380004c11ce 9/19/2023, 9:08:26.824 PM 4B5338C3FB62BE62671A9C63A9FB11D83CE2B9E9DC70D082C46256A054D65280 malicious-activity true ["[{\"Rule\":\"Recent C&C DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\",\"CriticalityLabel\":\"Very Malicious\",\"Timestamp\":1695057312382,\"MitigationString\":\"\",\"Criticality\":4}]"] unknown ikomoouessgqekmc.xyz ThreatIntelligenceIndicator
13 f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/19/2023, 11:20:55.461 AM GET text/css Squid_Proxy snfrpmnq.org TCP_MISS/200 10.1.4.174 http://snfrpmnq.org/xsqvmdw Squid_Proxy_Domain_CL ["snfrpmnq","org"] org 9/19/2023, 11:20:55.461 AM f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/19/2023, 7:08:51.904 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 92 Recorded Future - Domains - Command and Control Activity indicator--360a7529-56ba-4d31-85b0-3865aff91310 9/19/2023, 9:08:24.489 PM 8BD4D42FFD595F366EA42C53950192F049B8D0F8E2BADF9A90272D0814364FB0 malicious-activity true ["[{\"Rule\":\"Historically Reported as a Defanged DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New unknownmalware Dom: snfrpmnq[.]org IP: 169[.]50[.]13[.]61 NS: https://t.co/JxUb8f0Cir https://t.co/RCTjQ7czQd. Most recent link (May 5, 2020): https://twitter.com/DGAFeedAlerts/statuses/1257784471450980354\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1588714161000,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Reported in Threat List\",\"EvidenceString\":\"Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1695056485635,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Recent C&C DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\",\"CriticalityLabel\":\"Very Malicious\",\"Timestamp\":1695056485614,\"MitigationString\":\"\",\"Criticality\":4}]"] unknown snfrpmnq.org ThreatIntelligenceIndicator


@ -0,0 +1,6 @@
TenantId,"TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",SourceSystem,Action,ActivityGroupNames,AdditionalInformation,ApplicationId,AzureTenantId,ConfidenceScore,Description,DiamondModel,ExternalIndicatorId,"ExpirationDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",IndicatorId,ThreatType,Active,KillChainActions,KillChainC2,KillChainDelivery,KillChainExploitation,KillChainReconnaissance,KillChainWeaponization,KnownFalsePositives,MalwareNames,PassiveOnly,ThreatSeverity,Tags,TrafficLightProtocolLevel,EmailEncoding,EmailLanguage,EmailRecipient,EmailSenderAddress,EmailSenderName,EmailSourceDomain,EmailSourceIpAddress,EmailSubject,EmailXMailer,"FileCompileDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]","FileCreatedDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",FileHashType,FileHashValue,FileMutexName,FileName,FilePacker,FilePath,FileSize,FileType,DomainName,NetworkIP,NetworkPort,NetworkDestinationAsn,NetworkDestinationCidrBlock,NetworkDestinationIP,NetworkCidrBlock,NetworkDestinationPort,NetworkProtocol,NetworkSourceAsn,NetworkSourceCidrBlock,NetworkSourceIP,NetworkSourcePort,Url,UserAgent,IndicatorProvider,Type,TenantId1,SourceSystem1,MG,ManagementGroupName,"TimeGenerated1 [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",Computer,RawData,"Action_s","Content_Type_s","Device_s","Domain_s","Response_s","Src_IPv4_s","URL_s",Type1,"_ResourceId",parts,tld,"DNS_TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]"
"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.351 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",92,"Recorded Future - Domains - Command and Control Activity",,"indicator--027005e3-dfe2-41d2-bd06-e8ac80b9aab8","9/19/2023, 7:07:32.983 PM",8BD4D42FFD595F366EA42C53950192F049B8D0F8E2BADF9A90272D0814364FB0,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New unknownmalware Dom: snfrpmnq[.]org IP: 169[.]50[.]13[.]61 NS: https://t.co/JxUb8f0Cir https://t.co/RCTjQ7czQd. Most recent link (May 5, 2020): https://twitter.com/DGAFeedAlerts/statuses/1257784471450980354\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1588714161000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695056485635,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695056485614,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"snfrpmnq.org",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 5:08:45.466 PM",,,GET,"text/css","Squid_Proxy","snfrpmnq.org","TCP_MISS/200","10.1.4.174","http://snfrpmnq.org/xsqvmdw","Squid_Proxy_Domain_CL",,"[""snfrpmnq"",""org""]",org,"9/19/2023, 5:08:45.466 PM"
"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.351 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",92,"Recorded Future - Domains - Command and Control Activity",,"indicator--027005e3-dfe2-41d2-bd06-e8ac80b9aab8","9/19/2023, 7:07:32.983 PM",8BD4D42FFD595F366EA42C53950192F049B8D0F8E2BADF9A90272D0814364FB0,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New unknownmalware Dom: snfrpmnq[.]org IP: 169[.]50[.]13[.]61 NS: https://t.co/JxUb8f0Cir https://t.co/RCTjQ7czQd. Most recent link (May 5, 2020): https://twitter.com/DGAFeedAlerts/statuses/1257784471450980354\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1588714161000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695056485635,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695056485614,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"snfrpmnq.org",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 11:20:55.461 AM",,,GET,"text/css","Squid_Proxy","snfrpmnq.org","TCP_MISS/200","10.1.4.174","http://snfrpmnq.org/xsqvmdw","Squid_Proxy_Domain_CL",,"[""snfrpmnq"",""org""]",org,"9/19/2023, 11:20:55.461 AM"
"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.117 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",92,"Recorded Future - Domains - Command and Control Activity",,"indicator--0fc20b4c-3c37-4321-b991-2eaafc2d744e","9/19/2023, 7:07:36.511 PM",95956A998E54BBE5EFCA1E68B6AE8DE2FF31FA3B286070A6931C18CD8FB19965,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported Botnet Domain\"",\""EvidenceString\"":\""9 sightings on 1 source: External Sensor Data Analysis. nihsxhvkfjwotm.bid is observed to be a botnet domain from which network attacks are launched. Attacks may include SPAM messages, DOS, SQL injections, proxy jacking, and other unsolicited contacts.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691544788241,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695104194129,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695104194092,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"nihsxhvkfjwotm.bid",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 4:05:12.176 PM",,,GET,"image/webp","Squid_Proxy","nihsxhvkfjwotm.bid","TCP_MISS/304","10.1.147.78","http://nihsxhvkfjwotm.bid/nkavfib","Squid_Proxy_Domain_CL",,"[""nihsxhvkfjwotm"",""bid""]",bid,"9/15/2023, 4:05:12.176 PM"
"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.343 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",91,"Recorded Future - Domains - Command and Control Activity",,"indicator--78c75a0a-c236-4f67-907f-facde94f5c6d","9/19/2023, 7:07:32.698 PM",7E44E1F99140ED284EF6D4379ED8B40505BCA4A18FDDFECC3818DDA1ABB06581,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Twitter. Most recent link (Jul 5, 2023): https://twitter.com/0xToxin/statuses/1676578018985123841\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1688562323000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695051741313,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"csyeywqwyikqaiim.xyz",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 5:08:25.443 PM",,,GET,"text/css","Squid_Proxy","csyeywqwyikqaiim.xyz","TCP_MISS/304","10.1.203.27","http://csyeywqwyikqaiim.xyz/wixylmz","Squid_Proxy_Domain_CL",,"[""csyeywqwyikqaiim"",""xyz""]",xyz,"9/19/2023, 5:08:25.443 PM"
"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.074 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",90,"Recorded Future - Domains - Command and Control Activity",,"indicator--b29ed22d-bc66-4ea3-9527-cb1f7d5996de","9/19/2023, 7:07:35.900 PM",4B5338C3FB62BE62671A9C63A9FB11D83CE2B9E9DC70D082C46256A054D65280,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695057312382,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"ikomoouessgqekmc.xyz",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/16/2023, 4:05:13.099 PM",,,GET,"text/javascript","Squid_Proxy","ikomoouessgqekmc.xyz","TCP_MISS/200","10.1.70.199","http://ikomoouessgqekmc.xyz/qgdaxsi","Squid_Proxy_Domain_CL",,"[""ikomoouessgqekmc"",""xyz""]",xyz,"9/16/2023, 4:05:13.099 PM"
1 TenantId TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] SourceSystem Action ActivityGroupNames AdditionalInformation ApplicationId AzureTenantId ConfidenceScore Description DiamondModel ExternalIndicatorId ExpirationDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] IndicatorId ThreatType Active KillChainActions KillChainC2 KillChainDelivery KillChainExploitation KillChainReconnaissance KillChainWeaponization KnownFalsePositives MalwareNames PassiveOnly ThreatSeverity Tags TrafficLightProtocolLevel EmailEncoding EmailLanguage EmailRecipient EmailSenderAddress EmailSenderName EmailSourceDomain EmailSourceIpAddress EmailSubject EmailXMailer FileCompileDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] FileCreatedDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] FileHashType FileHashValue FileMutexName FileName FilePacker FilePath FileSize FileType DomainName NetworkIP NetworkPort NetworkDestinationAsn NetworkDestinationCidrBlock NetworkDestinationIP NetworkCidrBlock NetworkDestinationPort NetworkProtocol NetworkSourceAsn NetworkSourceCidrBlock NetworkSourceIP NetworkSourcePort Url UserAgent IndicatorProvider Type TenantId1 SourceSystem1 MG ManagementGroupName TimeGenerated1 [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] Computer RawData Action_s Content_Type_s Device_s Domain_s Response_s Src_IPv4_s URL_s Type1 _ResourceId parts tld DNS_TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]
2 f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/19/2023, 5:08:06.351 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 92 Recorded Future - Domains - Command and Control Activity indicator--027005e3-dfe2-41d2-bd06-e8ac80b9aab8 9/19/2023, 7:07:32.983 PM 8BD4D42FFD595F366EA42C53950192F049B8D0F8E2BADF9A90272D0814364FB0 malicious-activity true ["[{\"Rule\":\"Historically Reported as a Defanged DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New unknownmalware Dom: snfrpmnq[.]org IP: 169[.]50[.]13[.]61 NS: https://t.co/JxUb8f0Cir https://t.co/RCTjQ7czQd. Most recent link (May 5, 2020): https://twitter.com/DGAFeedAlerts/statuses/1257784471450980354\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1588714161000,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Reported in Threat List\",\"EvidenceString\":\"Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1695056485635,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Recent C&C DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\",\"CriticalityLabel\":\"Very Malicious\",\"Timestamp\":1695056485614,\"MitigationString\":\"\",\"Criticality\":4}]"] unknown snfrpmnq.org ThreatIntelligenceIndicator f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/19/2023, 5:08:45.466 PM GET text/css Squid_Proxy snfrpmnq.org TCP_MISS/200 10.1.4.174 http://snfrpmnq.org/xsqvmdw Squid_Proxy_Domain_CL ["snfrpmnq","org"] org 9/19/2023, 5:08:45.466 PM
3 f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/19/2023, 5:08:06.351 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 92 Recorded Future - Domains - Command and Control Activity indicator--027005e3-dfe2-41d2-bd06-e8ac80b9aab8 9/19/2023, 7:07:32.983 PM 8BD4D42FFD595F366EA42C53950192F049B8D0F8E2BADF9A90272D0814364FB0 malicious-activity true ["[{\"Rule\":\"Historically Reported as a Defanged DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New unknownmalware Dom: snfrpmnq[.]org IP: 169[.]50[.]13[.]61 NS: https://t.co/JxUb8f0Cir https://t.co/RCTjQ7czQd. Most recent link (May 5, 2020): https://twitter.com/DGAFeedAlerts/statuses/1257784471450980354\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1588714161000,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Reported in Threat List\",\"EvidenceString\":\"Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1695056485635,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Recent C&C DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\",\"CriticalityLabel\":\"Very Malicious\",\"Timestamp\":1695056485614,\"MitigationString\":\"\",\"Criticality\":4}]"] unknown snfrpmnq.org ThreatIntelligenceIndicator f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/19/2023, 11:20:55.461 AM GET text/css Squid_Proxy snfrpmnq.org TCP_MISS/200 10.1.4.174 http://snfrpmnq.org/xsqvmdw Squid_Proxy_Domain_CL ["snfrpmnq","org"] org 9/19/2023, 11:20:55.461 AM
4 f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/19/2023, 5:08:06.117 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 92 Recorded Future - Domains - Command and Control Activity indicator--0fc20b4c-3c37-4321-b991-2eaafc2d744e 9/19/2023, 7:07:36.511 PM 95956A998E54BBE5EFCA1E68B6AE8DE2FF31FA3B286070A6931C18CD8FB19965 malicious-activity true ["[{\"Rule\":\"Historically Reported Botnet Domain\",\"EvidenceString\":\"9 sightings on 1 source: External Sensor Data Analysis. nihsxhvkfjwotm.bid is observed to be a botnet domain from which network attacks are launched. Attacks may include SPAM messages, DOS, SQL injections, proxy jacking, and other unsolicited contacts.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1691544788241,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Reported in Threat List\",\"EvidenceString\":\"Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1695104194129,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Recent C&C DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\",\"CriticalityLabel\":\"Very Malicious\",\"Timestamp\":1695104194092,\"MitigationString\":\"\",\"Criticality\":4}]"] unknown nihsxhvkfjwotm.bid ThreatIntelligenceIndicator f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/15/2023, 4:05:12.176 PM GET image/webp Squid_Proxy nihsxhvkfjwotm.bid TCP_MISS/304 10.1.147.78 http://nihsxhvkfjwotm.bid/nkavfib Squid_Proxy_Domain_CL ["nihsxhvkfjwotm","bid"] bid 9/15/2023, 4:05:12.176 PM
5 f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/19/2023, 5:08:06.343 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 91 Recorded Future - Domains - Command and Control Activity indicator--78c75a0a-c236-4f67-907f-facde94f5c6d 9/19/2023, 7:07:32.698 PM 7E44E1F99140ED284EF6D4379ED8B40505BCA4A18FDDFECC3818DDA1ABB06581 malicious-activity true ["[{\"Rule\":\"Historically Reported as a Defanged DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: Twitter. Most recent link (Jul 5, 2023): https://twitter.com/0xToxin/statuses/1676578018985123841\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1688562323000,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Recent C&C DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\",\"CriticalityLabel\":\"Very Malicious\",\"Timestamp\":1695051741313,\"MitigationString\":\"\",\"Criticality\":4}]"] unknown csyeywqwyikqaiim.xyz ThreatIntelligenceIndicator f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/19/2023, 5:08:25.443 PM GET text/css Squid_Proxy csyeywqwyikqaiim.xyz TCP_MISS/304 10.1.203.27 http://csyeywqwyikqaiim.xyz/wixylmz Squid_Proxy_Domain_CL ["csyeywqwyikqaiim","xyz"] xyz 9/19/2023, 5:08:25.443 PM
6 f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/19/2023, 5:08:06.074 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 90 Recorded Future - Domains - Command and Control Activity indicator--b29ed22d-bc66-4ea3-9527-cb1f7d5996de 9/19/2023, 7:07:35.900 PM 4B5338C3FB62BE62671A9C63A9FB11D83CE2B9E9DC70D082C46256A054D65280 malicious-activity true ["[{\"Rule\":\"Recent C&C DNS Name\",\"EvidenceString\":\"1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\",\"CriticalityLabel\":\"Very Malicious\",\"Timestamp\":1695057312382,\"MitigationString\":\"\",\"Criticality\":4}]"] unknown ikomoouessgqekmc.xyz ThreatIntelligenceIndicator f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/16/2023, 4:05:13.099 PM GET text/javascript Squid_Proxy ikomoouessgqekmc.xyz TCP_MISS/200 10.1.70.199 http://ikomoouessgqekmc.xyz/qgdaxsi Squid_Proxy_Domain_CL ["ikomoouessgqekmc","xyz"] xyz 9/16/2023, 4:05:13.099 PM
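Review bot: The column headers of the new sample CSV carry the portal grid's display-timezone suffix (`"TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]"`) and every timestamp is locale-formatted (`9/19/2023, 5:08:06.351 PM`), so the file does not match the schema of the ingested table, where TimeGenerated is an ISO 8601 datetime; anything that replays or joins on that column has to rename it and reparse the values, or the sample should be regenerated from an API export rather than a saved grid. The same workspace TenantId (`f233a343-df06-4d9a-8a18-5b3eb8942c7f`) and AzureTenantId (`ce7c0437-29b2-4139-8c26-0babf2d3738c`) appear in every row; if these identify a real tenant rather than a demo one, they should be replaced with an obviously synthetic GUID before the sample ships in a public repository. Rows 2 and 3 are the same indicator (`indicator--027005e3-dfe2-41d2-bd06-e8ac80b9aab8`) differing only in the DNS-side timestamp, which is presumably meant to show repeated proxy hits for one indicator but deserves a one-line note wherever the sample data is described.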


@ -0,0 +1,7 @@
TenantId,SourceSystem,MG,ManagementGroupName,"TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",Computer,RawData,"HashType_s","Hash_s","Computer_Name_s","Detection_Name_s","Device_s","Downloaded_by_s","File_Path_s","Hash_g","Hash_Type_s","Src_IPv4_s",Type,"_ResourceId",TenantId1,"TimeGenerated1 [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",SourceSystem1,Action,ActivityGroupNames,AdditionalInformation,ApplicationId,AzureTenantId,ConfidenceScore,Description,DiamondModel,ExternalIndicatorId,"ExpirationDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",IndicatorId,ThreatType,Active,KillChainActions,KillChainC2,KillChainDelivery,KillChainExploitation,KillChainReconnaissance,KillChainWeaponization,KnownFalsePositives,MalwareNames,PassiveOnly,ThreatSeverity,Tags,TrafficLightProtocolLevel,EmailEncoding,EmailLanguage,EmailRecipient,EmailSenderAddress,EmailSenderName,EmailSourceDomain,EmailSourceIpAddress,EmailSubject,EmailXMailer,"FileCompileDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]","FileCreatedDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",FileHashType,FileHashValue,FileMutexName,FileName,FilePacker,FilePath,FileSize,FileType,DomainName,NetworkIP,NetworkPort,NetworkDestinationAsn,NetworkDestinationCidrBlock,NetworkDestinationIP,NetworkCidrBlock,NetworkDestinationPort,NetworkProtocol,NetworkSourceAsn,NetworkSourceCidrBlock,NetworkSourceIP,NetworkSourcePort,Url,UserAgent,IndicatorProvider,Type1
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/12/2023, 9:09:01.011 AM",,,,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,vmhwhfcsfq,"Trojan.Gen.2",EndpointProtection,"c:/program files (x86)/ggggg/cccc/application/cccc.exe","C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe",,SHA2,"10.1.103.63","EndpointProtection_HASH_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/29/2023, 1:30:37.249 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",89,"Recorded Future - HASH - Observed in Underground Virus Testing Sites",,"indicator--b99735da-acc9-476b-99fa-516882ff25a8","8/30/2023, 1:30:28.501 PM",09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Threat Researcher\"",\""EvidenceString\"":\""4 sightings on 0 sources: Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1651376951669,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jun 24, 2021, and Jul 2, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692878798728,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Linked to Attack Vector\"",\""EvidenceString\"":\""3 sightings on 1 source: Insikt Group. 
9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Vulnerability\"",\""EvidenceString\"":\""1 sighting on 0 sources: 11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1593698472800,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Cyber Attack\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Suspicious Behavior Detected\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1691100579000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Referenced by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. 
Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1559001600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Positive Malware Verdict\"",\""EvidenceString\"":\""6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692814271000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1686268800000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Observed in Underground Virus Testing Sites\"",\""EvidenceString\"":\""2 sightings on 1 source: d-lVCC.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1667765120000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,SHA256,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,,,,,,,,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/12/2023, 9:09:01.011 AM",,,,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,vmhwhfcsfq,"Trojan.Gen.2",EndpointProtection,"c:/program files (x86)/ggggg/cccc/application/cccc.exe","C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe",,SHA2,"10.1.103.63","EndpointProtection_HASH_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/2/2023, 1:30:52.683 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",89,"Recorded Future - HASH - Observed in Underground Virus Testing Sites",,"indicator--eb5dc02d-b6e4-48a4-a20c-772b0ac6e513","9/3/2023, 1:30:41.681 PM",09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Threat Researcher\"",\""EvidenceString\"":\""4 sightings on 1 source: Bleepingcomputer Forums. Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1651376951669,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jun 24, 2021, and Jul 2, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693584861111,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Linked to Attack Vector\"",\""EvidenceString\"":\""7 sightings on 1 source: Insikt Group. 9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Vulnerability\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 
11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1593698472800,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Cyber Attack\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Suspicious Behavior Detected\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1691100579000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Referenced by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1559001600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Positive Malware Verdict\"",\""EvidenceString\"":\""6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. 
Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692814271000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1686268800000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Observed in Underground Virus Testing Sites\"",\""EvidenceString\"":\""2 sightings on 1 source: Special Collection Hashes.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1667765120000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,SHA256,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,,,,,,,,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/12/2023, 9:09:01.011 AM",,,,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,vmhwhfcsfq,"Trojan.Gen.2",EndpointProtection,"c:/program files (x86)/ggggg/cccc/application/cccc.exe","C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe",,SHA2,"10.1.103.63","EndpointProtection_HASH_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/1/2023, 1:30:28.339 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",89,"Recorded Future - HASH - Observed in Underground Virus Testing Sites",,"indicator--f89bc269-9025-4a2f-a7ab-891ce4d1f797","9/2/2023, 1:30:22.865 PM",09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Threat Researcher\"",\""EvidenceString\"":\""4 sightings on 1 source: Bleepingcomputer Forums. Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1651376951669,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jun 24, 2021, and Jul 2, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693403523241,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Linked to Attack Vector\"",\""EvidenceString\"":\""3 sightings on 1 source: Insikt Group. 9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Vulnerability\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 
11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1593698472800,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Cyber Attack\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Suspicious Behavior Detected\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1691100579000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Referenced by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1559001600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Positive Malware Verdict\"",\""EvidenceString\"":\""6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. 
Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692814271000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1686268800000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Observed in Underground Virus Testing Sites\"",\""EvidenceString\"":\""2 sightings on 1 source: Special Collection Hashes.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1667765120000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,SHA256,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,,,,,,,,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/12/2023, 9:09:01.011 AM",,,,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,vmhwhfcsfq,"Trojan.Gen.2",EndpointProtection,"c:/program files (x86)/ggggg/cccc/application/cccc.exe","C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe",,SHA2,"10.1.103.63","EndpointProtection_HASH_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/28/2023, 11:48:38.666 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",89,"Recorded Future - HASH - Observed in Underground Virus Testing Sites",,"indicator--b2d008bc-14b0-41bb-9b22-1c4b170984bb","8/29/2023, 11:48:30.985 AM",09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Threat Researcher\"",\""EvidenceString\"":\""4 sightings on 0 sources: Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1651376951669,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jun 24, 2021, and Jul 2, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692878798728,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Linked to Attack Vector\"",\""EvidenceString\"":\""3 sightings on 1 source: Insikt Group. 
9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Vulnerability\"",\""EvidenceString\"":\""1 sighting on 0 sources: 11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1593698472800,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Cyber Attack\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Suspicious Behavior Detected\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1691100579000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Referenced by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. 
Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1559001600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Positive Malware Verdict\"",\""EvidenceString\"":\""6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692814271000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1686268800000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Observed in Underground Virus Testing Sites\"",\""EvidenceString\"":\""2 sightings on 1 source: d-lVCC.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1667765120000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,SHA256,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,,,,,,,,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/12/2023, 9:09:01.011 AM",,,,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,vmhwhfcsfq,"Trojan.Gen.2",EndpointProtection,"c:/program files (x86)/ggggg/cccc/application/cccc.exe","C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe",,SHA2,"10.1.103.63","EndpointProtection_HASH_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/30/2023, 1:30:42.607 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",89,"Recorded Future - HASH - Observed in Underground Virus Testing Sites",,"indicator--0309b507-b602-4897-b50c-bc015630a0a1","8/31/2023, 1:30:26.336 PM",09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Threat Researcher\"",\""EvidenceString\"":\""4 sightings on 1 source: Bleepingcomputer Forums. Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1651376951669,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jun 24, 2021, and Jul 2, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693317036271,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Linked to Attack Vector\"",\""EvidenceString\"":\""3 sightings on 1 source: Insikt Group. 9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Vulnerability\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 
11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1593698472800,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Cyber Attack\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Suspicious Behavior Detected\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1691100579000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Referenced by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1559001600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Positive Malware Verdict\"",\""EvidenceString\"":\""6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. 
Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692814271000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1686268800000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Observed in Underground Virus Testing Sites\"",\""EvidenceString\"":\""2 sightings on 1 source: Special Collection Hashes.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1667765120000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,SHA256,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,,,,,,,,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/12/2023, 9:09:01.011 AM",,,,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,vmhwhfcsfq,"Trojan.Gen.2",EndpointProtection,"c:/program files (x86)/ggggg/cccc/application/cccc.exe","C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe",,SHA2,"10.1.103.63","EndpointProtection_HASH_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/31/2023, 1:30:02.605 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",89,"Recorded Future - HASH - Observed in Underground Virus Testing Sites",,"indicator--85469c8b-633d-495c-8f4b-db7e4e6722ac","9/1/2023, 1:29:57.634 PM",09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Threat Researcher\"",\""EvidenceString\"":\""4 sightings on 1 source: Bleepingcomputer Forums. Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1651376951669,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jun 24, 2021, and Jul 2, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693403523241,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Linked to Attack Vector\"",\""EvidenceString\"":\""3 sightings on 1 source: Insikt Group. 9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Vulnerability\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 
11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1593698472800,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Cyber Attack\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Suspicious Behavior Detected\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1691100579000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Referenced by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1559001600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Positive Malware Verdict\"",\""EvidenceString\"":\""6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. 
Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692814271000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1686268800000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Observed in Underground Virus Testing Sites\"",\""EvidenceString\"":\""2 sightings on 1 source: Special Collection Hashes.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1667765120000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,SHA256,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,,,,,,,,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator
1 TenantId SourceSystem MG ManagementGroupName TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] Computer RawData HashType_s Hash_s Computer_Name_s Detection_Name_s Device_s Downloaded_by_s File_Path_s Hash_g Hash_Type_s Src_IPv4_s Type _ResourceId TenantId1 TimeGenerated1 [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] SourceSystem1 Action ActivityGroupNames AdditionalInformation ApplicationId AzureTenantId ConfidenceScore Description DiamondModel ExternalIndicatorId ExpirationDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] IndicatorId ThreatType Active KillChainActions KillChainC2 KillChainDelivery KillChainExploitation KillChainReconnaissance KillChainWeaponization KnownFalsePositives MalwareNames PassiveOnly ThreatSeverity Tags TrafficLightProtocolLevel EmailEncoding EmailLanguage EmailRecipient EmailSenderAddress EmailSenderName EmailSourceDomain EmailSourceIpAddress EmailSubject EmailXMailer FileCompileDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] FileCreatedDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] FileHashType FileHashValue FileMutexName FileName FilePacker FilePath FileSize FileType DomainName NetworkIP NetworkPort NetworkDestinationAsn NetworkDestinationCidrBlock NetworkDestinationIP NetworkCidrBlock NetworkDestinationPort NetworkProtocol NetworkSourceAsn NetworkSourceCidrBlock NetworkSourceIP NetworkSourcePort Url UserAgent IndicatorProvider Type1
2 f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/12/2023, 9:09:01.011 AM 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d vmhwhfcsfq Trojan.Gen.2 EndpointProtection c:/program files (x86)/ggggg/cccc/application/cccc.exe C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe SHA2 10.1.103.63 EndpointProtection_HASH_CL f233a343-df06-4d9a-8a18-5b3eb8942c7f 8/29/2023, 1:30:37.249 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 89 Recorded Future - HASH - Observed in Underground Virus Testing Sites indicator--b99735da-acc9-476b-99fa-516882ff25a8 8/30/2023, 1:30:28.501 PM 09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A malicious-activity true ["[{\"Rule\":\"Threat Researcher\",\"EvidenceString\":\"4 sightings on 0 sources: Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1651376951669,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Reported in Threat List\",\"EvidenceString\":\"Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jun 24, 2021, and Jul 2, 2021.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1692878798728,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Linked to Attack Vector\",\"EvidenceString\":\"3 sightings on 1 source: Insikt Group. 
9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1686347161530,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Linked to Vulnerability\",\"EvidenceString\":\"1 sighting on 0 sources: 11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1593698472800,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Linked to Cyber Attack\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1686347161530,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Suspicious Behavior Detected\",\"EvidenceString\":\"2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1691100579000,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Referenced by Insikt Group\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1559001600000,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Positive Malware Verdict\",\"EvidenceString\":\"6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. 
Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1692814271000,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Reported by Insikt Group\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1686268800000,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Observed in Underground Virus Testing Sites\",\"EvidenceString\":\"2 sightings on 1 source: d-lVCC.\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1667765120000,\"MitigationString\":\"\",\"Criticality\":3}]"] unknown SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d ThreatIntelligenceIndicator
3 f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/12/2023, 9:09:01.011 AM 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d vmhwhfcsfq Trojan.Gen.2 EndpointProtection c:/program files (x86)/ggggg/cccc/application/cccc.exe C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe SHA2 10.1.103.63 EndpointProtection_HASH_CL f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/2/2023, 1:30:52.683 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 89 Recorded Future - HASH - Observed in Underground Virus Testing Sites indicator--eb5dc02d-b6e4-48a4-a20c-772b0ac6e513 9/3/2023, 1:30:41.681 PM 09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A malicious-activity true ["[{\"Rule\":\"Threat Researcher\",\"EvidenceString\":\"4 sightings on 1 source: Bleepingcomputer Forums. Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1651376951669,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Reported in Threat List\",\"EvidenceString\":\"Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jun 24, 2021, and Jul 2, 2021.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1693584861111,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Linked to Attack Vector\",\"EvidenceString\":\"7 sightings on 1 source: Insikt Group. 9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1686347161530,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Linked to Vulnerability\",\"EvidenceString\":\"1 sighting on 1 source: Insikt Group. 
11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1593698472800,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Linked to Cyber Attack\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1686347161530,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Suspicious Behavior Detected\",\"EvidenceString\":\"2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1691100579000,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Referenced by Insikt Group\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1559001600000,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Positive Malware Verdict\",\"EvidenceString\":\"6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. 
Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1692814271000,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Reported by Insikt Group\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1686268800000,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Observed in Underground Virus Testing Sites\",\"EvidenceString\":\"2 sightings on 1 source: Special Collection Hashes.\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1667765120000,\"MitigationString\":\"\",\"Criticality\":3}]"] unknown SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d ThreatIntelligenceIndicator
4 f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/12/2023, 9:09:01.011 AM 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d vmhwhfcsfq Trojan.Gen.2 EndpointProtection c:/program files (x86)/ggggg/cccc/application/cccc.exe C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe SHA2 10.1.103.63 EndpointProtection_HASH_CL f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/1/2023, 1:30:28.339 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 89 Recorded Future - HASH - Observed in Underground Virus Testing Sites indicator--f89bc269-9025-4a2f-a7ab-891ce4d1f797 9/2/2023, 1:30:22.865 PM 09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A malicious-activity true ["[{\"Rule\":\"Threat Researcher\",\"EvidenceString\":\"4 sightings on 1 source: Bleepingcomputer Forums. Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1651376951669,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Reported in Threat List\",\"EvidenceString\":\"Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jun 24, 2021, and Jul 2, 2021.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1693403523241,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Linked to Attack Vector\",\"EvidenceString\":\"3 sightings on 1 source: Insikt Group. 9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1686347161530,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Linked to Vulnerability\",\"EvidenceString\":\"1 sighting on 1 source: Insikt Group. 
11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1593698472800,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Linked to Cyber Attack\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1686347161530,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Suspicious Behavior Detected\",\"EvidenceString\":\"2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1691100579000,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Referenced by Insikt Group\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1559001600000,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Positive Malware Verdict\",\"EvidenceString\":\"6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. 
Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1692814271000,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Reported by Insikt Group\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1686268800000,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Observed in Underground Virus Testing Sites\",\"EvidenceString\":\"2 sightings on 1 source: Special Collection Hashes.\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1667765120000,\"MitigationString\":\"\",\"Criticality\":3}]"] unknown SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d ThreatIntelligenceIndicator
5 f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/12/2023, 9:09:01.011 AM 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d vmhwhfcsfq Trojan.Gen.2 EndpointProtection c:/program files (x86)/ggggg/cccc/application/cccc.exe C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe SHA2 10.1.103.63 EndpointProtection_HASH_CL f233a343-df06-4d9a-8a18-5b3eb8942c7f 8/28/2023, 11:48:38.666 AM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 89 Recorded Future - HASH - Observed in Underground Virus Testing Sites indicator--b2d008bc-14b0-41bb-9b22-1c4b170984bb 8/29/2023, 11:48:30.985 AM 09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A malicious-activity true ["[{\"Rule\":\"Threat Researcher\",\"EvidenceString\":\"4 sightings on 0 sources: Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1651376951669,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Reported in Threat List\",\"EvidenceString\":\"Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jun 24, 2021, and Jul 2, 2021.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1692878798728,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Linked to Attack Vector\",\"EvidenceString\":\"3 sightings on 1 source: Insikt Group. 
9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1686347161530,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Linked to Vulnerability\",\"EvidenceString\":\"1 sighting on 0 sources: 11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1593698472800,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Linked to Cyber Attack\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1686347161530,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Suspicious Behavior Detected\",\"EvidenceString\":\"2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1691100579000,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Referenced by Insikt Group\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1559001600000,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Positive Malware Verdict\",\"EvidenceString\":\"6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. 
Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1692814271000,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Reported by Insikt Group\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1686268800000,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Observed in Underground Virus Testing Sites\",\"EvidenceString\":\"2 sightings on 1 source: d-lVCC.\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1667765120000,\"MitigationString\":\"\",\"Criticality\":3}]"] unknown SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d ThreatIntelligenceIndicator
6 f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/12/2023, 9:09:01.011 AM 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d vmhwhfcsfq Trojan.Gen.2 EndpointProtection c:/program files (x86)/ggggg/cccc/application/cccc.exe C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe SHA2 10.1.103.63 EndpointProtection_HASH_CL f233a343-df06-4d9a-8a18-5b3eb8942c7f 8/30/2023, 1:30:42.607 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 89 Recorded Future - HASH - Observed in Underground Virus Testing Sites indicator--0309b507-b602-4897-b50c-bc015630a0a1 8/31/2023, 1:30:26.336 PM 09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A malicious-activity true ["[{\"Rule\":\"Threat Researcher\",\"EvidenceString\":\"4 sightings on 1 source: Bleepingcomputer Forums. Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1651376951669,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Reported in Threat List\",\"EvidenceString\":\"Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jun 24, 2021, and Jul 2, 2021.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1693317036271,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Linked to Attack Vector\",\"EvidenceString\":\"3 sightings on 1 source: Insikt Group. 9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1686347161530,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Linked to Vulnerability\",\"EvidenceString\":\"1 sighting on 1 source: Insikt Group. 
11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1593698472800,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Linked to Cyber Attack\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1686347161530,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Suspicious Behavior Detected\",\"EvidenceString\":\"2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1691100579000,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Referenced by Insikt Group\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1559001600000,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Positive Malware Verdict\",\"EvidenceString\":\"6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. 
Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1692814271000,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Reported by Insikt Group\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1686268800000,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Observed in Underground Virus Testing Sites\",\"EvidenceString\":\"2 sightings on 1 source: Special Collection Hashes.\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1667765120000,\"MitigationString\":\"\",\"Criticality\":3}]"] unknown SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d ThreatIntelligenceIndicator
7 f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/12/2023, 9:09:01.011 AM 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d vmhwhfcsfq Trojan.Gen.2 EndpointProtection c:/program files (x86)/ggggg/cccc/application/cccc.exe C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe SHA2 10.1.103.63 EndpointProtection_HASH_CL f233a343-df06-4d9a-8a18-5b3eb8942c7f 8/31/2023, 1:30:02.605 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 89 Recorded Future - HASH - Observed in Underground Virus Testing Sites indicator--85469c8b-633d-495c-8f4b-db7e4e6722ac 9/1/2023, 1:29:57.634 PM 09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A malicious-activity true ["[{\"Rule\":\"Threat Researcher\",\"EvidenceString\":\"4 sightings on 1 source: Bleepingcomputer Forums. Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1651376951669,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Reported in Threat List\",\"EvidenceString\":\"Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jun 24, 2021, and Jul 2, 2021.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1693403523241,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Linked to Attack Vector\",\"EvidenceString\":\"3 sightings on 1 source: Insikt Group. 9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1686347161530,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Linked to Vulnerability\",\"EvidenceString\":\"1 sighting on 1 source: Insikt Group. 
11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1593698472800,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Linked to Cyber Attack\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1686347161530,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Suspicious Behavior Detected\",\"EvidenceString\":\"2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1691100579000,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Referenced by Insikt Group\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1559001600000,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Positive Malware Verdict\",\"EvidenceString\":\"6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. 
Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1692814271000,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Reported by Insikt Group\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1686268800000,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Observed in Underground Virus Testing Sites\",\"EvidenceString\":\"2 sightings on 1 source: Special Collection Hashes.\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1667765120000,\"MitigationString\":\"\",\"Criticality\":3}]"] unknown SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d ThreatIntelligenceIndicator


@ -0,0 +1,5 @@
TenantId,"TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",SourceSystem,Action,ActivityGroupNames,AdditionalInformation,ApplicationId,AzureTenantId,ConfidenceScore,Description,DiamondModel,ExternalIndicatorId,"ExpirationDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",IndicatorId,ThreatType,Active,KillChainActions,KillChainC2,KillChainDelivery,KillChainExploitation,KillChainReconnaissance,KillChainWeaponization,KnownFalsePositives,MalwareNames,PassiveOnly,ThreatSeverity,Tags,TrafficLightProtocolLevel,EmailEncoding,EmailLanguage,EmailRecipient,EmailSenderAddress,EmailSenderName,EmailSourceDomain,EmailSourceIpAddress,EmailSubject,EmailXMailer,"FileCompileDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]","FileCreatedDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",FileHashType,FileHashValue,FileMutexName,FileName,FilePacker,FilePath,FileSize,FileType,DomainName,NetworkIP,NetworkPort,NetworkDestinationAsn,NetworkDestinationCidrBlock,NetworkDestinationIP,NetworkCidrBlock,NetworkDestinationPort,NetworkProtocol,NetworkSourceAsn,NetworkSourceCidrBlock,NetworkSourceIP,NetworkSourcePort,Url,UserAgent,IndicatorProvider,Type,TenantId1,SourceSystem1,MG,ManagementGroupName,"TimeGenerated1 [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",Computer,RawData,"HashType_s","Hash_s","Computer_Name_s","Detection_Name_s","Device_s","Downloaded_by_s","File_Path_s","Hash_g","Hash_Type_s","Src_IPv4_s",Type1,"_ResourceId"
"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/28/2023, 11:48:38.666 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",89,"Recorded Future - HASH - Observed in Underground Virus Testing Sites",,"indicator--b2d008bc-14b0-41bb-9b22-1c4b170984bb","8/29/2023, 11:48:30.985 AM",09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Threat Researcher\"",\""EvidenceString\"":\""4 sightings on 0 sources: Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1651376951669,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jun 24, 2021, and Jul 2, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692878798728,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Linked to Attack Vector\"",\""EvidenceString\"":\""3 sightings on 1 source: Insikt Group. 
9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Vulnerability\"",\""EvidenceString\"":\""1 sighting on 0 sources: 11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1593698472800,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Cyber Attack\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Suspicious Behavior Detected\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1691100579000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Referenced by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. 
Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1559001600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Positive Malware Verdict\"",\""EvidenceString\"":\""6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692814271000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1686268800000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Observed in Underground Virus Testing Sites\"",\""EvidenceString\"":\""2 sightings on 1 source: d-lVCC.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1667765120000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,SHA256,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,,,,,,,,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/12/2023, 10:09:03.118 PM",,,,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,vmhwhfcsfq,"Trojan.Gen.2",EndpointProtection,"c:/program files (x86)/ggggg/cccc/application/cccc.exe","C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe",,SHA2,"10.1.103.63","EndpointProtection_HASH_CL",
"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/28/2023, 11:48:38.666 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",89,"Recorded Future - HASH - Observed in Underground Virus Testing Sites",,"indicator--b2d008bc-14b0-41bb-9b22-1c4b170984bb","8/29/2023, 11:48:30.985 AM",09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Threat Researcher\"",\""EvidenceString\"":\""4 sightings on 0 sources: Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1651376951669,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jun 24, 2021, and Jul 2, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692878798728,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Linked to Attack Vector\"",\""EvidenceString\"":\""3 sightings on 1 source: Insikt Group. 
9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Vulnerability\"",\""EvidenceString\"":\""1 sighting on 0 sources: 11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1593698472800,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Cyber Attack\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Suspicious Behavior Detected\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1691100579000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Referenced by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. 
Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1559001600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Positive Malware Verdict\"",\""EvidenceString\"":\""6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692814271000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1686268800000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Observed in Underground Virus Testing Sites\"",\""EvidenceString\"":\""2 sightings on 1 source: d-lVCC.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1667765120000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,SHA256,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,,,,,,,,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/12/2023, 9:09:01.011 AM",,,,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,vmhwhfcsfq,"Trojan.Gen.2",EndpointProtection,"c:/program files (x86)/ggggg/cccc/application/cccc.exe","C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe",,SHA2,"10.1.103.63","EndpointProtection_HASH_CL",
"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/28/2023, 11:48:38.666 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",89,"Recorded Future - HASH - Observed in Underground Virus Testing Sites",,"indicator--b2d008bc-14b0-41bb-9b22-1c4b170984bb","8/29/2023, 11:48:30.985 AM",09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Threat Researcher\"",\""EvidenceString\"":\""4 sightings on 0 sources: Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1651376951669,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jun 24, 2021, and Jul 2, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692878798728,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Linked to Attack Vector\"",\""EvidenceString\"":\""3 sightings on 1 source: Insikt Group. 
9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Vulnerability\"",\""EvidenceString\"":\""1 sighting on 0 sources: 11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1593698472800,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Cyber Attack\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Suspicious Behavior Detected\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1691100579000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Referenced by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. 
Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1559001600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Positive Malware Verdict\"",\""EvidenceString\"":\""6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692814271000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1686268800000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Observed in Underground Virus Testing Sites\"",\""EvidenceString\"":\""2 sightings on 1 source: d-lVCC.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1667765120000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,SHA256,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,,,,,,,,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/12/2023, 7:09:01.215 AM",,,,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,vmhwhfcsfq,"Trojan.Gen.2",EndpointProtection,"c:/program files (x86)/ggggg/cccc/application/cccc.exe","C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe",,SHA2,"10.1.103.63","EndpointProtection_HASH_CL",
"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/28/2023, 11:48:38.666 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",89,"Recorded Future - HASH - Observed in Underground Virus Testing Sites",,"indicator--b2d008bc-14b0-41bb-9b22-1c4b170984bb","8/29/2023, 11:48:30.985 AM",09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Threat Researcher\"",\""EvidenceString\"":\""4 sightings on 0 sources: Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1651376951669,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jun 24, 2021, and Jul 2, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692878798728,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Linked to Attack Vector\"",\""EvidenceString\"":\""3 sightings on 1 source: Insikt Group. 
9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Vulnerability\"",\""EvidenceString\"":\""1 sighting on 0 sources: 11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1593698472800,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Cyber Attack\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Suspicious Behavior Detected\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1691100579000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Referenced by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. 
Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1559001600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Positive Malware Verdict\"",\""EvidenceString\"":\""6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692814271000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1686268800000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Observed in Underground Virus Testing Sites\"",\""EvidenceString\"":\""2 sightings on 1 source: d-lVCC.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1667765120000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,SHA256,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,,,,,,,,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/12/2023, 10:08:55.873 AM",,,,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,vmhwhfcsfq,"Trojan.Gen.2",EndpointProtection,"c:/program files (x86)/ggggg/cccc/application/cccc.exe","C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe",,SHA2,"10.1.103.63","EndpointProtection_HASH_CL",
1 TenantId TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] SourceSystem Action ActivityGroupNames AdditionalInformation ApplicationId AzureTenantId ConfidenceScore Description DiamondModel ExternalIndicatorId ExpirationDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] IndicatorId ThreatType Active KillChainActions KillChainC2 KillChainDelivery KillChainExploitation KillChainReconnaissance KillChainWeaponization KnownFalsePositives MalwareNames PassiveOnly ThreatSeverity Tags TrafficLightProtocolLevel EmailEncoding EmailLanguage EmailRecipient EmailSenderAddress EmailSenderName EmailSourceDomain EmailSourceIpAddress EmailSubject EmailXMailer FileCompileDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] FileCreatedDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] FileHashType FileHashValue FileMutexName FileName FilePacker FilePath FileSize FileType DomainName NetworkIP NetworkPort NetworkDestinationAsn NetworkDestinationCidrBlock NetworkDestinationIP NetworkCidrBlock NetworkDestinationPort NetworkProtocol NetworkSourceAsn NetworkSourceCidrBlock NetworkSourceIP NetworkSourcePort Url UserAgent IndicatorProvider Type TenantId1 SourceSystem1 MG ManagementGroupName TimeGenerated1 [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] Computer RawData HashType_s Hash_s Computer_Name_s Detection_Name_s Device_s Downloaded_by_s File_Path_s Hash_g Hash_Type_s Src_IPv4_s Type1 _ResourceId
2 f233a343-df06-4d9a-8a18-5b3eb8942c7f 8/28/2023, 11:48:38.666 AM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 89 Recorded Future - HASH - Observed in Underground Virus Testing Sites indicator--b2d008bc-14b0-41bb-9b22-1c4b170984bb 8/29/2023, 11:48:30.985 AM 09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A malicious-activity true ["[{\"Rule\":\"Threat Researcher\",\"EvidenceString\":\"4 sightings on 0 sources: Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1651376951669,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Reported in Threat List\",\"EvidenceString\":\"Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jun 24, 2021, and Jul 2, 2021.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1692878798728,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Linked to Attack Vector\",\"EvidenceString\":\"3 sightings on 1 source: Insikt Group. 
9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1686347161530,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Linked to Vulnerability\",\"EvidenceString\":\"1 sighting on 0 sources: 11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1593698472800,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Linked to Cyber Attack\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1686347161530,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Suspicious Behavior Detected\",\"EvidenceString\":\"2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1691100579000,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Referenced by Insikt Group\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1559001600000,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Positive Malware Verdict\",\"EvidenceString\":\"6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. 
Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1692814271000,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Reported by Insikt Group\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1686268800000,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Observed in Underground Virus Testing Sites\",\"EvidenceString\":\"2 sightings on 1 source: d-lVCC.\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1667765120000,\"MitigationString\":\"\",\"Criticality\":3}]"] unknown SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d ThreatIntelligenceIndicator f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/12/2023, 10:09:03.118 PM 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d vmhwhfcsfq Trojan.Gen.2 EndpointProtection c:/program files (x86)/ggggg/cccc/application/cccc.exe C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe SHA2 10.1.103.63 EndpointProtection_HASH_CL
3 f233a343-df06-4d9a-8a18-5b3eb8942c7f 8/28/2023, 11:48:38.666 AM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 89 Recorded Future - HASH - Observed in Underground Virus Testing Sites indicator--b2d008bc-14b0-41bb-9b22-1c4b170984bb 8/29/2023, 11:48:30.985 AM 09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A malicious-activity true ["[{\"Rule\":\"Threat Researcher\",\"EvidenceString\":\"4 sightings on 0 sources: Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1651376951669,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Reported in Threat List\",\"EvidenceString\":\"Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jun 24, 2021, and Jul 2, 2021.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1692878798728,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Linked to Attack Vector\",\"EvidenceString\":\"3 sightings on 1 source: Insikt Group. 
9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1686347161530,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Linked to Vulnerability\",\"EvidenceString\":\"1 sighting on 0 sources: 11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1593698472800,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Linked to Cyber Attack\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1686347161530,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Suspicious Behavior Detected\",\"EvidenceString\":\"2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1691100579000,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Referenced by Insikt Group\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1559001600000,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Positive Malware Verdict\",\"EvidenceString\":\"6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. 
Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1692814271000,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Reported by Insikt Group\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1686268800000,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Observed in Underground Virus Testing Sites\",\"EvidenceString\":\"2 sightings on 1 source: d-lVCC.\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1667765120000,\"MitigationString\":\"\",\"Criticality\":3}]"] unknown SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d ThreatIntelligenceIndicator f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/12/2023, 9:09:01.011 AM 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d vmhwhfcsfq Trojan.Gen.2 EndpointProtection c:/program files (x86)/ggggg/cccc/application/cccc.exe C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe SHA2 10.1.103.63 EndpointProtection_HASH_CL
4 f233a343-df06-4d9a-8a18-5b3eb8942c7f 8/28/2023, 11:48:38.666 AM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 89 Recorded Future - HASH - Observed in Underground Virus Testing Sites indicator--b2d008bc-14b0-41bb-9b22-1c4b170984bb 8/29/2023, 11:48:30.985 AM 09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A malicious-activity true ["[{\"Rule\":\"Threat Researcher\",\"EvidenceString\":\"4 sightings on 0 sources: Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1651376951669,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Reported in Threat List\",\"EvidenceString\":\"Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jun 24, 2021, and Jul 2, 2021.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1692878798728,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Linked to Attack Vector\",\"EvidenceString\":\"3 sightings on 1 source: Insikt Group. 
9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1686347161530,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Linked to Vulnerability\",\"EvidenceString\":\"1 sighting on 0 sources: 11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1593698472800,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Linked to Cyber Attack\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1686347161530,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Suspicious Behavior Detected\",\"EvidenceString\":\"2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1691100579000,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Referenced by Insikt Group\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1559001600000,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Positive Malware Verdict\",\"EvidenceString\":\"6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. 
Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1692814271000,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Reported by Insikt Group\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1686268800000,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Observed in Underground Virus Testing Sites\",\"EvidenceString\":\"2 sightings on 1 source: d-lVCC.\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1667765120000,\"MitigationString\":\"\",\"Criticality\":3}]"] unknown SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d ThreatIntelligenceIndicator f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/12/2023, 7:09:01.215 AM 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d vmhwhfcsfq Trojan.Gen.2 EndpointProtection c:/program files (x86)/ggggg/cccc/application/cccc.exe C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe SHA2 10.1.103.63 EndpointProtection_HASH_CL
5 f233a343-df06-4d9a-8a18-5b3eb8942c7f 8/28/2023, 11:48:38.666 AM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 89 Recorded Future - HASH - Observed in Underground Virus Testing Sites indicator--b2d008bc-14b0-41bb-9b22-1c4b170984bb 8/29/2023, 11:48:30.985 AM 09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A malicious-activity true ["[{\"Rule\":\"Threat Researcher\",\"EvidenceString\":\"4 sightings on 0 sources: Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1651376951669,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Reported in Threat List\",\"EvidenceString\":\"Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jun 24, 2021, and Jul 2, 2021.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1692878798728,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Linked to Attack Vector\",\"EvidenceString\":\"3 sightings on 1 source: Insikt Group. 
9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1686347161530,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Linked to Vulnerability\",\"EvidenceString\":\"1 sighting on 0 sources: 11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1593698472800,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Linked to Cyber Attack\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group.\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1686347161530,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Suspicious Behavior Detected\",\"EvidenceString\":\"2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1691100579000,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Referenced by Insikt Group\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\",\"CriticalityLabel\":\"Suspicious\",\"Timestamp\":1559001600000,\"MitigationString\":\"\",\"Criticality\":2},{\"Rule\":\"Positive Malware Verdict\",\"EvidenceString\":\"6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. 
Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1692814271000,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Reported by Insikt Group\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1686268800000,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Observed in Underground Virus Testing Sites\",\"EvidenceString\":\"2 sightings on 1 source: d-lVCC.\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1667765120000,\"MitigationString\":\"\",\"Criticality\":3}]"] unknown SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d ThreatIntelligenceIndicator f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/12/2023, 10:08:55.873 AM 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d vmhwhfcsfq Trojan.Gen.2 EndpointProtection c:/program files (x86)/ggggg/cccc/application/cccc.exe C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe SHA2 10.1.103.63 EndpointProtection_HASH_CL




@ -0,0 +1,744 @@
TenantId,SourceSystem,MG,ManagementGroupName,"TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",Computer,RawData,"Action_s","Content_Type_s","Device_s","Domain_s","Response_s","Src_IPv4_s","URL_s",Type,"_ResourceId",TenantId1,"TimeGenerated1 [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",SourceSystem1,Action,ActivityGroupNames,AdditionalInformation,ApplicationId,AzureTenantId,ConfidenceScore,Description,DiamondModel,ExternalIndicatorId,"ExpirationDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",IndicatorId,ThreatType,Active,KillChainActions,KillChainC2,KillChainDelivery,KillChainExploitation,KillChainReconnaissance,KillChainWeaponization,KnownFalsePositives,MalwareNames,PassiveOnly,ThreatSeverity,Tags,TrafficLightProtocolLevel,EmailEncoding,EmailLanguage,EmailRecipient,EmailSenderAddress,EmailSenderName,EmailSourceDomain,EmailSourceIpAddress,EmailSubject,EmailXMailer,"FileCompileDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]","FileCreatedDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",FileHashType,FileHashValue,FileMutexName,FileName,FilePacker,FilePath,FileSize,FileType,DomainName,NetworkIP,NetworkPort,NetworkDestinationAsn,NetworkDestinationCidrBlock,NetworkDestinationIP,NetworkCidrBlock,NetworkDestinationPort,NetworkProtocol,NetworkSourceAsn,NetworkSourceCidrBlock,NetworkSourceIP,NetworkSourcePort,Url,UserAgent,IndicatorProvider,Type1
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 3:58:57.906 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3cf01705-9adb-4406-a149-dbfc568951cc","9/8/2023, 3:08:34.483 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 4:45:45.619 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--998f5603-ee14-4ca8-a393-68a8de04cd0f","9/8/2023, 3:08:24.883 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 4:52:23.054 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--998f5603-ee14-4ca8-a393-68a8de04cd0f","9/8/2023, 3:08:24.883 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 5:36:38.010 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9f3dcc51-29c6-4181-98a3-28b9c39eb02a","9/8/2023, 9:08:23.707 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/9/2023, 11:45:23.429 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4261dfe6-0916-4337-8ad3-b515cc61f232","9/10/2023, 11:45:08.831 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/9/2023, 11:45:23.440 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c45a51de-1ed9-4f6f-900e-bbbeab678cd1","9/10/2023, 11:45:09.316 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/9/2023, 11:45:29.337 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--387ffa39-6350-4c28-88cf-2c26f3b7af6e","9/10/2023, 11:45:18.367 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/9/2023, 11:45:38.542 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--631ff8f1-60a3-47da-8988-e76369ed3091","9/10/2023, 11:45:28.777 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/9/2023, 11:45:38.632 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e18e1ed4-2985-4c2b-b767-29a63ca6dd95","9/10/2023, 11:45:29.308 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/12/2023, 11:45:23.111 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c14a74be-53e2-4edf-98a2-b303c6a1034b","9/13/2023, 11:45:08.991 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/12/2023, 11:45:23.311 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--58d16d22-7ad7-4ba3-8188-d99a8ee60738","9/13/2023, 11:45:12.052 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/12/2023, 11:45:29.360 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f6dff631-1ca9-41d6-87f9-91a12154d783","9/13/2023, 11:45:13.674 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/12/2023, 11:45:29.429 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9ccf92ba-e9f0-49cd-ab8c-7213e35b66d0","9/13/2023, 11:45:13.454 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/12/2023, 11:52:28.875 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--28a1d0a1-6b87-47e4-b57c-23cdea373657","9/13/2023, 11:45:31.556 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/29/2023, 11:45:41.968 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ec0c90c3-5210-41ad-9937-a4ab7f0358e3","8/30/2023, 11:45:22.249 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/29/2023, 11:45:42.527 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--63756c29-fb16-41a4-b0b2-03cec7e4b378","8/30/2023, 11:45:21.359 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""5 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692247301339,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/28/2023, 11:45:37.436 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0868128c-2a51-4514-880c-a207eee6a4c0","8/29/2023, 11:45:14.917 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""6 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/28/2023, 11:45:43.068 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f8f7a1ae-0690-4423-a1f1-8f9ecdd02db6","8/29/2023, 11:45:18.632 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""15 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""3 sightings on 1 source: DHS Automated Indicator Sharing. 3 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/28/2023, 11:46:02.129 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--24da7ca1-a933-4fa0-8398-c5f0132f7d69","8/29/2023, 11:45:38.488 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/28/2023, 11:46:07.552 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--15ab8d31-a93c-496b-b42c-4147bed2cd0a","8/29/2023, 11:45:39.066 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""5 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692247301339,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/28/2023, 11:46:27.026 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--10edc673-06e7-4d0b-98cd-a35f7d1e3263","8/29/2023, 11:45:57.423 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/3/2023, 11:45:27.878 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6358278c-c011-415a-ac3e-03e221a4ace4","9/4/2023, 11:45:10.522 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/3/2023, 11:45:37.217 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8fd4a260-daa2-4b68-bfac-ab3162115b2c","9/4/2023, 11:45:14.702 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/3/2023, 11:45:37.985 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c7c7adce-adfd-4a40-94b3-ef2e4a169ff3","9/4/2023, 11:45:19.364 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/3/2023, 11:45:48.337 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b88e4053-823e-4463-91e7-c0aea8ae6faf","9/4/2023, 11:45:23.037 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/3/2023, 11:55:17.716 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--738a44c8-32d0-48b0-846f-72a4645baa41","9/4/2023, 11:45:43.912 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/2/2023, 11:45:24.198 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--412cbdf0-aebe-481a-8b0d-286c2c003b72","9/3/2023, 11:45:05.037 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/2/2023, 11:45:43.032 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--12b028ed-6c81-41c3-a54e-54a2be90a55e","9/3/2023, 11:45:18.225 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""15 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/2/2023, 11:45:43.213 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--94738acc-835b-487b-bac1-2b772beee4ce","9/3/2023, 11:45:16.655 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""6 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/2/2023, 11:45:52.591 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7d20f173-9409-46dd-8561-d60690fd5ab8","9/3/2023, 11:45:28.993 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/2/2023, 11:54:32.675 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--df8b460f-76ff-4c03-8f4e-d310bee4317e","9/3/2023, 11:45:22.754 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/10/2023, 11:45:23.478 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--78b17a6e-8fa5-437c-b4b7-349e7e3b087d","9/11/2023, 11:45:10.277 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/10/2023, 11:45:23.497 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6898f7ac-cbf9-4171-b3e7-ba151c8847a9","9/11/2023, 11:45:08.739 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/10/2023, 11:45:27.936 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fd92c253-be9e-497f-b338-2d658183fb19","9/11/2023, 11:45:16.411 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/10/2023, 11:45:33.000 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5866a8d3-f7ae-44c8-a5b2-d153858cbb36","9/11/2023, 11:45:20.766 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/10/2023, 11:50:52.961 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--97854d8b-740e-4967-ad97-7b986c6013dc","9/11/2023, 11:45:34.094 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 5:08:16.520 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ff37d457-2854-400a-8714-9a8267fb8a46","9/16/2023, 7:08:05.445 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 5:08:16.662 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d66e2735-d1cd-494d-a2d4-a85dce35534c","9/16/2023, 7:08:02.698 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 5:08:20.262 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a44744ac-4897-4ed9-b40b-4c66c5a20878","9/16/2023, 7:08:06.893 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 5:08:40.791 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--109eec66-ecfa-4d69-a2f2-fa3d4c762c3c","9/16/2023, 7:08:20.352 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 5:08:40.829 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0fba9232-ad9d-486a-b5a2-a56836d84f95","9/16/2023, 7:08:20.962 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 7:08:16.245 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6d705784-3b3e-46cc-a70e-7df5c4c1d987","9/16/2023, 9:07:59.956 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 7:08:30.740 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bc29b080-b595-47ca-82d0-25541dbadac0","9/16/2023, 9:08:04.454 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 7:08:35.419 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--13b867c2-5207-4f96-b411-413249c28ef5","9/16/2023, 9:08:18.706 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 7:08:35.474 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--39a10dc3-b6ef-4fee-a11b-723d3654da97","9/16/2023, 9:08:17.589 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 7:08:40.382 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1821e8b5-abd8-4ac3-b702-6683fb5f7a3d","9/16/2023, 9:08:20.662 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 9:08:26.286 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--44a0a44d-2d5f-42f9-be34-3392ed8144d9","9/16/2023, 11:08:02.329 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 9:08:27.816 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--03c584f0-2907-43a6-a769-79e100f3b58a","9/16/2023, 11:08:04.683 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 9:08:40.795 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--699c5359-49cd-4219-86c4-e15251e1ce42","9/16/2023, 11:08:13.671 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 9:09:04.429 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--03c584f0-2907-43a6-a769-79e100f3b58a","9/16/2023, 11:08:04.683 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 9:09:04.682 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--59868f1c-a303-44a2-835e-c5d740520c90","9/16/2023, 11:08:23.132 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 9:11:55.839 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0adba859-888c-403e-bbdc-eea31a2ffde0","9/16/2023, 11:08:21.932 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:08:10.644 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--906fde2e-8dd5-4f23-b4e4-172aa993f45f","9/16/2023, 1:08:01.438 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:08:19.652 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a4f3d3f1-af5d-4513-8492-ec35645c5def","9/16/2023, 1:08:06.577 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:08:20.225 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0d42fd59-e35d-47b9-883c-fe649f8ed123","9/16/2023, 1:08:04.459 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:08:29.693 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c067aac1-a604-4de2-9c50-25d894ae5c4c","9/16/2023, 1:08:22.560 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:08:29.729 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d6fcbf4b-3556-495c-aa88-0acd255044c9","9/16/2023, 1:08:23.485 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:45:37.196 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7bee95cd-e324-486b-9117-41300f09b262","9/17/2023, 11:45:16.023 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:45:37.208 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--63ee3a9d-3cf4-4d2e-b22b-1271449e2cc5","9/17/2023, 11:45:16.688 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:45:43.048 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a9c78653-9487-4d89-8b67-608928bd917a","9/17/2023, 11:45:20.556 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:45:53.978 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2af1d1cb-e7ad-4b16-b468-73907fcb06a1","9/17/2023, 11:45:33.575 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:55:38.461 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--826f2365-1d60-4766-a0d9-6e23d71eaa54","9/17/2023, 11:45:33.976 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 1:08:17.104 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d0726261-7e12-4661-87d5-97a065b37617","9/16/2023, 3:08:01.999 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 1:08:21.903 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c7223660-e7c4-4c5a-9cec-41f6906bce77","9/16/2023, 3:08:05.946 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 1:08:29.869 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--59e7a941-8779-46b6-8d36-73e6242c86c6","9/16/2023, 3:08:03.342 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 1:08:34.944 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a074809f-57d3-4fa9-87da-f04486d3d526","9/16/2023, 3:08:20.134 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 1:11:40.681 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--727a3fe8-a151-4d2a-9f92-6fc8385c3d30","9/16/2023, 3:08:21.447 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 3:08:36.163 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--98ed521f-2599-4319-a58d-cc8817ad062c","9/16/2023, 5:08:06.299 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 3:08:55.209 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d36c6237-6b5c-4ad0-a0f2-9a3ec3fcc650","9/16/2023, 5:08:19.031 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 3:08:55.281 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4b1341aa-5506-432a-83f2-b48c4e993deb","9/16/2023, 5:08:13.460 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 3:08:55.845 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--08e671c6-7a05-4105-a128-d4e846b62f51","9/16/2023, 5:08:19.423 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 3:09:15.273 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7cca7d95-1898-4218-bc97-76303a8fb6ba","9/16/2023, 5:08:03.586 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 5:08:45.411 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8d25369a-bb6e-4aa5-8813-537080fd7352","9/16/2023, 7:08:31.163 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 5:08:45.930 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--897a8a7b-633c-424a-8ce3-7c688ce0e856","9/16/2023, 7:08:29.020 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 5:08:46.115 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a2c0b170-6f99-4a25-8be5-1c3f493833d9","9/16/2023, 7:08:33.693 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 5:08:51.001 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--afd13915-4eb8-4189-abd2-185f9bf9a3ef","9/16/2023, 7:08:40.153 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 5:08:57.308 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9aaf0a9d-5446-495d-87af-bfe2efea5607","9/16/2023, 7:08:46.873 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 7:08:15.679 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e5d6fd74-72aa-4d81-ac96-f0b2364fa269","9/16/2023, 9:08:02.306 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 7:08:15.728 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a8285ac3-8d43-4f0b-87d6-ab91004b8170","9/16/2023, 9:08:02.951 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 7:08:20.923 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--85a0d062-0628-4adc-b045-502c55ac2eb2","9/16/2023, 9:08:06.498 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 7:08:26.010 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7e3f2d34-e666-4651-a1ff-271f4b4e8d1e","9/16/2023, 9:08:17.134 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 7:11:51.585 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e24c92d2-1a46-4671-b92d-01d73c473131","9/16/2023, 9:08:19.447 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 9:08:06.301 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--997a6852-d265-4f58-8ac9-bd7e72c67650","9/16/2023, 11:08:00.790 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 9:08:15.179 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ea2d23e3-9fd3-47c6-b3ae-76878b72b662","9/16/2023, 11:08:06.415 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 9:08:20.340 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7a19aeae-c52f-4c7c-8031-b106532d6f4d","9/16/2023, 11:08:14.842 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 9:08:35.380 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c884a120-d72c-4535-9f15-713bd1aa6efd","9/16/2023, 11:08:21.187 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 9:11:55.876 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--dff53a65-93d4-498c-a057-ac5afce09b0f","9/16/2023, 11:08:25.567 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:08:57.493 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--08478444-8d5f-4208-ab3a-0cb12a9bf07f","9/17/2023, 1:08:21.134 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:08:57.848 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--17532b11-4f26-4be0-b622-41a03297a1ae","9/17/2023, 1:08:17.661 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:09:00.585 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--32ef9451-0210-40f2-a336-9e583337e35c","9/17/2023, 1:08:24.505 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:09:01.148 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b96eec3a-fd4d-48b5-8619-b62e35c4dcc1","9/17/2023, 1:08:27.086 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:11:55.839 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f997ee53-0055-4c99-b29a-a6921e60556e","9/17/2023, 1:08:44.756 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 1:08:25.848 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f9bea367-1bc8-4a84-8bdf-f24cbddd16fe","9/17/2023, 3:08:00.851 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 1:08:30.675 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e537e690-c403-4ebe-b10f-d30bdd2247b4","9/17/2023, 3:08:05.079 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 1:08:30.713 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8185af3e-567f-44e0-9603-b63bbe63ba36","9/17/2023, 3:08:06.418 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 1:08:30.828 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--48eb7bd8-aa44-4497-ae29-10ee8d440906","9/17/2023, 3:08:04.273 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 1:08:35.297 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--070780e3-46d5-46da-917f-ac70c12c1b15","9/17/2023, 3:08:10.720 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:35.586 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d7129dd9-0689-4c04-ba37-d540e791ccd5","9/17/2023, 11:08:01.975 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:40.989 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4a88d374-5fab-49ac-814c-ab2512d8b84d","9/17/2023, 11:08:07.936 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:41.511 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--36292b9b-c990-487b-a248-2e48bd931bfb","9/17/2023, 11:08:07.372 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:41.547 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fc6279d4-dff0-4df3-9284-898c7fcd9c7d","9/17/2023, 11:08:10.318 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:12:40.441 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4481d3fb-6a10-4be8-ac2b-42890a41b69a","9/17/2023, 11:08:22.480 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 3:08:07.579 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bcce22b5-8ab9-424b-bfef-5adf76382b70","9/17/2023, 5:08:01.745 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 3:08:15.503 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0b3a3374-7c53-4b8c-9c4f-8df4148cf300","9/17/2023, 5:08:07.758 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 3:08:15.644 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--598dcf10-d6c7-45aa-bd16-86a0e2ed6832","9/17/2023, 5:08:11.090 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 3:08:35.369 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b2dddac7-f103-4c30-851e-0225df291ffd","9/17/2023, 5:08:20.660 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 3:12:05.942 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e23a5030-d8ad-4a42-b646-d492a6ba63ea","9/17/2023, 5:08:22.051 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:08:36.298 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f4401aea-1513-4c1a-99f9-b1874dbe04e1","9/17/2023, 7:08:01.575 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:08:36.409 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ee25b9c8-82a1-4107-95cf-5b55eec45776","9/17/2023, 7:08:05.377 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:08:40.142 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--badadd53-3070-4dfa-a2d2-7b7ea3429c5f","9/17/2023, 7:08:07.018 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:08:41.052 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--08c73732-370a-424b-8392-6e0d042a7320","9/17/2023, 7:08:11.273 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:08:41.494 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1facf7ea-f39d-48a2-8c6d-39a6cd48cd5e","9/17/2023, 7:08:11.324 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 7:08:06.234 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e7ef1ec4-a850-4328-8e64-adffc33022bb","9/17/2023, 9:08:00.585 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 7:08:16.958 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5cd83102-6753-4289-b53f-70b995380a66","9/17/2023, 9:08:09.944 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 7:08:16.992 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9d78a97e-2e6a-4f37-a71b-e5dcdfd490f4","9/17/2023, 9:08:11.119 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 7:08:17.311 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3e9cc5e7-00a4-4b2a-a380-23ccf91e2668","9/17/2023, 9:08:12.549 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 7:08:20.245 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5f745c58-1d64-4c4f-8e22-c049e331fee3","9/17/2023, 9:08:16.700 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:36.170 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--35d737ee-1de6-4034-8718-cd62c309db75","9/17/2023, 11:08:02.032 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:37.322 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1067229f-47b0-4887-a27a-8d9baa9ff186","9/17/2023, 11:08:05.549 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:37.329 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d0188ac3-f91b-4bc9-9eeb-9bb49d62b281","9/17/2023, 11:08:06.069 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:40.334 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1232506b-88b5-4f29-97eb-e60e7b4e9134","9/17/2023, 11:08:06.328 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:12:15.955 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ea47ae45-35e5-4483-8c6c-f7930b193276","9/17/2023, 11:08:22.608 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:08:36.267 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--71ca8c34-1a88-43f4-afbb-07b2d243d4c3","9/17/2023, 1:08:01.478 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:08:36.889 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--09b5431e-c66f-491e-be3e-5d1dc3b6f770","9/17/2023, 1:08:02.926 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:08:40.220 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--98c9ac66-bdac-442a-be90-586e48035f2a","9/17/2023, 1:08:07.351 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:08:46.766 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--71b78f26-a7a4-46c0-9a90-ade983fb8f48","9/17/2023, 1:08:35.274 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:08:46.771 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--85349c40-f695-4c2b-9841-2e330dbf0844","9/17/2023, 1:08:35.562 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:45:24.219 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bfd19ab5-ce7c-4019-a7f1-464ea242bdd8","9/18/2023, 11:45:12.365 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:45:24.235 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8bf0e8c8-29d5-443b-bb75-29f9ee18ae55","9/18/2023, 11:45:13.112 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:45:25.649 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--121b12c6-2c66-42cc-86bd-465615ff4e36","9/18/2023, 11:45:21.105 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:45:53.432 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--26877643-d7ae-4e6d-b393-bfad90b4bb23","9/18/2023, 11:45:38.254 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:45:53.442 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bfb652dc-8be0-4d91-bf14-08633386ef9b","9/18/2023, 11:45:38.809 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 1:08:41.234 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4cc646c9-8183-4d55-86b0-f29a12a8f496","9/17/2023, 3:08:35.800 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 1:08:46.535 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7ccfa0f1-a6e8-4d00-93f1-88815300b82d","9/17/2023, 3:08:36.445 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 1:08:47.458 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9e4c6bf6-addf-4287-97d1-e19d06f1b43d","9/17/2023, 3:08:30.511 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 1:09:05.771 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ee8091bf-e01f-4bef-9e9e-fec7e6019d74","9/17/2023, 3:08:50.607 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 1:09:05.801 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7242417d-6608-4474-b71a-3c99beab08f5","9/17/2023, 3:08:50.939 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 3:08:19.772 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--409aa10d-03e2-40bf-875f-5a4e9d7bd113","9/17/2023, 5:08:07.201 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 3:08:19.971 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d3ad68b8-e403-4713-bfc4-70abb564be53","9/17/2023, 5:08:10.259 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 3:08:20.110 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a081028f-c1c5-4501-aff2-2f958f790879","9/17/2023, 5:08:09.690 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 3:08:25.303 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--52c77e79-7dc5-4f4e-a6d7-4c141d5c58b6","9/17/2023, 5:08:05.871 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 3:08:42.407 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--14202087-0bbc-4279-8d5d-88ab05357a55","9/17/2023, 5:08:39.313 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:08:26.230 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--90a46bf7-7013-4cc0-8086-7e852e3e1775","9/17/2023, 7:08:03.439 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:08:27.295 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6367c5b9-685b-42d7-a293-59c3a542a1c3","9/17/2023, 7:08:05.759 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:08:27.326 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--aa7edb1d-62c9-4cd4-87e2-ff980b662861","9/17/2023, 7:08:07.388 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:08:31.364 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--298df983-0ee0-4b7e-b906-58d8d54c0f05","9/17/2023, 7:08:10.503 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:08:36.173 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e9119bb6-c2a2-438c-8140-c23a0d0d7a29","9/17/2023, 7:08:23.782 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 7:08:35.065 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--188e383b-15ec-45bb-8d31-60f3295933e2","9/17/2023, 9:08:02.800 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 7:08:36.012 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--74124284-ae35-4d11-b116-a5a3deef6a26","9/17/2023, 9:08:04.869 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 7:08:41.400 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b9d17e02-4f48-4d1e-b4b6-00f67e98f32f","9/17/2023, 9:08:09.742 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 7:08:46.322 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3d964976-8313-49c3-bfca-b6e34a9af11f","9/17/2023, 9:08:06.146 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 7:08:50.966 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a34c0b9d-aa2a-4ea3-a167-27b7ddde58ee","9/17/2023, 9:08:23.502 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 3:20:22.800 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d97bf35c-4199-4659-b645-6c83505238bc","9/8/2023, 1:07:47.630 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 3:30:14.409 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d97bf35c-4199-4659-b645-6c83505238bc","9/8/2023, 1:07:47.630 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 4:19:53.646 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3b6701a1-11f4-4b79-83cb-08a09c9c2903","9/8/2023, 5:07:34.020 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 4:22:56.327 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9ac70d21-1550-4280-ad30-95d3e4deaa91","9/8/2023, 1:07:23.608 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 4:40:36.304 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--38de68d2-f8bf-47cf-a96c-ad5264907c0c","9/8/2023, 3:07:24.670 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 5:07:45.743 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bd6a74ea-372a-4860-a816-18316991a719","9/8/2023, 7:07:27.174 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 5:48:50.978 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a8b90276-de99-414f-a153-2f9a4f8969c2","9/8/2023, 7:07:23.803 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 5:48:54.517 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ce9c9b42-e010-459f-b642-b683eabad8b2","9/8/2023, 7:07:33.497 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 6:19:39.684 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--485767f0-2ea1-4a9f-99c2-38abca126ac9","9/8/2023, 5:07:54.870 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 11:45:23.313 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--893441bd-2394-42f3-90f5-c3ed88d7d7f5","9/9/2023, 11:45:10.229 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 11:45:23.326 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c0559336-987b-4453-ac12-7a850df5763b","9/9/2023, 11:45:10.669 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 11:45:23.522 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--307935bd-059a-4669-8ad9-8dc6e8085d9a","9/9/2023, 11:45:07.493 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 11:51:56.298 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bd6a74ea-372a-4860-a816-18316991a719","9/8/2023, 7:07:27.174 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 11:55:08.970 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--eb787288-43c3-4eda-a1e8-df49612485ad","9/8/2023, 9:08:09.648 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 12:11:47.637 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bd6a74ea-372a-4860-a816-18316991a719","9/8/2023, 7:07:27.174 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 12:47:20.542 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c8de5703-7eda-4d5f-a24e-111e86ac431b","9/8/2023, 7:07:47.674 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 12:47:23.454 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--19e7dad9-3189-4451-9717-aaaf1d282318","9/8/2023, 5:07:35.634 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 12:49:50.401 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--21c84f7e-5f6b-489a-98c2-8a99300f23a4","9/9/2023, 11:45:33.294 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 12:49:50.408 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c354b7eb-3858-47f5-a3b9-be838d542abc","9/9/2023, 11:45:33.396 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 1:05:34.596 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--57599bcf-de5a-410f-b557-6af559f4ec3e","9/8/2023, 7:07:26.377 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 1:08:35.381 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6de6cf19-6932-4519-916b-8d70bc0944c3","9/8/2023, 3:08:12.263 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 1:08:45.996 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--528070cb-73c8-4a59-b1b0-9283368e4e1c","9/8/2023, 3:08:24.642 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 1:08:51.791 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1094883a-d708-49b8-821e-05faa7414ce4","9/8/2023, 3:08:37.003 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 1:14:24.123 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--eaeda867-9870-43fc-8380-50a2248f9f04","9/8/2023, 11:08:40.439 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 1:08:15.179 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9a4a9b27-09f9-4c7f-9758-f5f0a9c058d5","9/19/2023, 3:08:08.717 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 1:08:20.943 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1b0371f0-59c6-435f-99f1-8518770fa8a2","9/19/2023, 3:08:15.581 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 1:08:25.510 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7d11115d-7898-49dc-a65d-d6a5d14d22ca","9/19/2023, 3:08:19.687 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 1:08:25.531 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--61688cb7-a2cf-42d4-99a8-9f9aaaa587dd","9/19/2023, 3:08:21.024 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 1:08:25.533 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e7bf2a06-e4e2-413d-bdeb-77586bce43b3","9/19/2023, 3:08:20.566 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 3:08:36.239 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ba253edc-5380-4c00-ab4a-8558ca6146bf","9/19/2023, 5:08:10.495 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 3:08:38.347 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6b79df96-91c5-4223-94c9-6e41f6eef288","9/19/2023, 5:08:13.182 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 3:08:41.406 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--03ba2c8a-89ec-441f-9416-f07bf1346b4b","9/19/2023, 5:08:16.061 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 3:08:45.961 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--00680bc3-14a3-4c19-8eed-1a32767c0c97","9/19/2023, 5:08:19.989 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 3:08:52.202 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--92a77d8a-4c1b-48d1-b206-dbf03a8f7a6f","9/19/2023, 5:08:34.822 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:09:05.604 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f03683b6-47eb-4a46-a8bd-ccdd40e154e8","9/19/2023, 7:08:33.350 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:09:10.669 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2e76d0aa-6b03-4659-bb92-04af0a487c7d","9/19/2023, 7:08:38.932 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:09:10.676 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ba69d238-66eb-4a55-afef-6ceae0622f7b","9/19/2023, 7:08:39.563 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:09:20.180 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2d38d324-f505-492f-8cce-96870835641a","9/19/2023, 7:08:55.410 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:09:20.182 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--51066a4f-70ef-4eda-8b69-a0e622a4fa2e","9/19/2023, 7:08:55.494 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:08:36.776 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--28717638-9236-47cb-8e06-d154051d563e","9/19/2023, 9:08:09.407 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:08:40.898 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2b8f213a-29c4-4cda-b0a5-8ac99fdf4e21","9/19/2023, 9:08:18.151 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:08:46.603 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0556b49b-abb7-4c39-960f-7bb223a03db3","9/19/2023, 9:08:20.250 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:08:46.661 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--872c8ff8-a3a6-4159-9246-992c9cef1b1c","9/19/2023, 9:08:21.169 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:08:50.566 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1c5c94e0-90be-4a90-8f79-16f14f2f90c4","9/19/2023, 9:08:37.495 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 9:08:40.743 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--57399e5a-3c22-4cc5-87c0-c575f651b5bd","9/19/2023, 11:08:13.862 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 9:08:40.888 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--80fa883a-bdda-4f54-9d5c-5026c0390711","9/19/2023, 11:08:15.382 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 9:08:41.564 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d3e9bae4-49e9-4e49-9d71-06d565e336e0","9/19/2023, 11:08:15.784 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 9:08:46.639 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9d842811-d837-4c85-ae4a-bc89dcd4dc6d","9/19/2023, 11:08:22.866 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 9:08:50.379 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--dadf21bf-e72b-49b2-814d-1f7f1419394d","9/19/2023, 11:08:35.684 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 11:08:41.128 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7db90c38-ec58-4bdf-83db-bbec46c10e62","9/19/2023, 1:08:18.444 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 11:08:41.344 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1ff50fc0-ea5b-445f-a893-a54ebe80ab04","9/19/2023, 1:08:15.802 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 11:08:41.476 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b5783b25-6d44-4a70-ac52-b2b6c5bdc8d2","9/19/2023, 1:08:10.659 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 11:08:45.408 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--62d30968-0058-4c4b-a90b-3d92202be982","9/19/2023, 1:08:24.026 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 11:08:51.316 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fccc65c0-3b0a-4ff7-9759-6350d78f163d","9/19/2023, 1:08:38.065 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 11:45:22.928 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--36cb0776-e25f-491a-a527-4a71dcd4fb34","9/20/2023, 11:45:12.794 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 11:45:28.888 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a390bb63-9970-4192-8c5d-0a3e6ecef4db","9/20/2023, 11:45:16.092 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 11:45:33.474 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0095ce90-8fe1-4bc0-802e-dc6fec766e39","9/20/2023, 11:45:17.919 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 11:45:37.588 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ef564bc2-bea6-4e61-983d-d5245444af8a","9/20/2023, 11:45:23.584 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 11:52:27.281 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8b11e8e9-f36d-47d4-b355-35ccdc23bf77","9/20/2023, 11:45:41.059 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 1:08:25.975 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9dbd1490-67ce-4cc6-a513-c567f010ed21","9/19/2023, 3:08:15.447 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 1:08:26.171 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--718fd6df-79e3-4e20-8c1a-2f481a03ef91","9/19/2023, 3:08:18.166 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 1:08:30.485 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--566e100a-ab35-441e-911a-cf7cf7d2b5a1","9/19/2023, 3:08:20.580 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 1:08:30.544 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--635c9d35-c499-4c77-953c-d5f588430a95","9/19/2023, 3:08:19.781 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 1:08:40.980 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5e162abe-0369-4ff8-91a2-d29baa640ed5","9/19/2023, 3:08:34.474 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 3:08:15.321 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bd0e9361-c575-44dd-9ba5-b043ef4fb8e3","9/19/2023, 5:08:09.365 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 3:08:20.535 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f2971233-3546-480d-836e-97bdd054bdbf","9/19/2023, 5:08:16.432 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 3:08:20.722 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--aeb0307f-2262-43cd-b953-506257e8fa34","9/19/2023, 5:08:14.541 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 3:08:26.372 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7cf3f7b1-529c-4a3c-b34e-a6e58f90f282","9/19/2023, 5:08:18.928 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 3:08:26.787 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--99dee17f-4834-4795-a747-b9434eca68bd","9/19/2023, 5:08:22.196 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:20.763 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c5fbfd91-2c54-4602-bfd2-730abe3b5ac6","9/19/2023, 7:08:13.031 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:24.757 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bf3eec45-7676-4a5a-86bc-973d86b0ed45","9/19/2023, 7:08:18.363 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:30.567 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c2c6ad4a-fdc3-4951-bbb8-2ff9b2833afa","9/19/2023, 7:08:25.054 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:30.988 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3fec7701-4ab7-465d-8141-2849db6d2111","9/19/2023, 7:08:24.379 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:09:05.682 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6b2dc331-8cc9-4b55-9ec9-ee2e241ec263","9/19/2023, 7:08:55.118 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:09:06.058 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--463ff200-f6f0-421b-b2da-c07a4ec324b1","9/19/2023, 9:08:49.499 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:09:06.068 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--419764c2-0f94-4ef2-a9be-c1f1aa493d45","9/19/2023, 9:08:54.043 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:09:10.598 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--327f416c-7445-42b6-b9c2-0fd61da74fb0","9/19/2023, 9:08:56.907 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:09:20.449 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5cf3c360-59bf-46ea-a991-887fb929b62e","9/19/2023, 9:09:11.129 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:09:20.478 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f696f5f5-bc62-4e07-b94f-de74c5c71b06","9/19/2023, 9:09:12.400 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:08:55.415 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6125e71d-3fdb-4b7f-80bf-11331196cb27","9/18/2023, 1:08:47.576 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:08:55.648 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a2afc016-243c-481c-8b4a-4542d6b55e13","9/18/2023, 1:08:49.816 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:09:00.191 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c652a2e5-809d-461a-b5c6-1e9276a40133","9/18/2023, 1:08:57.617 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:09:00.647 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--69a3df96-fb49-4967-9eff-35e808f23fd8","9/18/2023, 1:08:55.257 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:12:46.885 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1f5ac907-6b5b-4a1e-bdc5-72ab7f1215c1","9/18/2023, 1:09:11.665 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 1:08:35.987 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8b8e460c-65ce-4808-89d7-b5e0211a0113","9/18/2023, 3:08:02.505 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 1:08:41.888 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f4e75b7f-8f4c-455f-9410-b67a48e311f4","9/18/2023, 3:08:06.706 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 1:08:41.909 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--717aaf2a-82c4-49bf-94d3-1f3a6f4d2ad5","9/18/2023, 3:08:07.917 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 1:08:49.888 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--04304128-6380-4c4d-9d9a-a60f7f21e2b7","9/18/2023, 3:08:25.105 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 1:12:50.233 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6bc73687-7476-4854-9aeb-488133b95f58","9/18/2023, 3:08:27.032 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 3:09:05.063 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--98fddd53-14ec-40c6-ad04-37df97e63876","9/18/2023, 5:08:31.809 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 3:09:11.147 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e0625903-457c-4d30-b458-4e469c6fc37c","9/18/2023, 5:08:33.957 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 3:09:11.279 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0fc01585-6c9b-4958-b72c-5c03c54101f5","9/18/2023, 5:08:35.473 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 3:09:11.295 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--65e11d53-4145-4019-8d65-1aa72d149883","9/18/2023, 5:08:35.616 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 3:09:20.763 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b6df2215-cbf1-40ac-9692-4bca5deae4c5","9/18/2023, 5:08:53.266 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:08:15.270 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c248c920-4e53-4c4e-8fb5-65f2d97394fa","9/18/2023, 7:08:09.559 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:08:15.302 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--434e98e9-e122-49b1-9986-c67b98fe9af1","9/18/2023, 7:08:10.440 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:08:20.449 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9ed65827-850b-48fc-8de2-77a6ebe16ef0","9/18/2023, 7:08:14.204 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:08:25.796 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--624453e4-2568-459e-b3ad-ea600b37942e","9/18/2023, 7:08:17.427 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:13:00.073 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--289c3733-9077-4623-96a1-7d2286057307","9/18/2023, 7:08:42.576 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 7:08:12.301 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--87e33f12-1e66-43d1-9296-dd504e9df042","9/18/2023, 9:08:06.495 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 7:08:15.793 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--199260bc-b896-47a0-9951-676bb9a84a71","9/18/2023, 9:08:06.847 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 7:08:17.047 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--082d0f96-6a35-41e0-8aac-3ce43d2e1235","9/18/2023, 9:08:13.273 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 7:08:21.052 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--98623e0b-689f-4468-97a6-4fd736f5a7a8","9/18/2023, 9:08:14.702 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 7:08:21.421 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e19c0cc1-fb76-453b-b294-6d10a170304a","9/18/2023, 9:08:15.250 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 9:09:20.321 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--01f2ff3e-dac8-4169-926d-ab826694abb5","9/18/2023, 11:08:46.313 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 9:09:20.826 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--27067593-4e58-4a26-b372-4ce3b2f60e39","9/18/2023, 11:08:50.838 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 9:09:26.136 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c7192309-901a-4145-81f0-ed94f187cd31","9/18/2023, 11:08:56.156 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 9:09:26.804 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4accdeb3-e09b-42ec-ab89-9fb1e4fea36f","9/18/2023, 11:08:55.148 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 9:09:36.625 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--01f6ac4e-cb34-4e13-86e4-8d8143f58b7f","9/18/2023, 11:09:12.415 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:08:36.307 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ccf9ca0b-b745-4310-ade2-b0f58a9773c4","9/18/2023, 1:08:04.963 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:08:36.316 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2ccac31b-ff38-4e2b-9bdb-f9723c1f3dbc","9/18/2023, 1:08:08.741 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:08:41.648 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--37432d7a-4a67-4598-8c90-b314fcbebf7c","9/18/2023, 1:08:13.452 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:08:42.151 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8949fcd9-890e-4ada-ae05-2bd62c170f7b","9/18/2023, 1:08:17.819 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:08:51.483 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d5c08de1-0ca2-42bd-a89a-554af0fc5210","9/18/2023, 1:08:32.869 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:45:23.421 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0485d0bc-d077-4249-b00f-5dbbfd7f97af","9/19/2023, 11:45:10.113 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:45:28.157 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--31a65f3f-19a3-420e-aa42-1de74570eed3","9/19/2023, 11:45:13.472 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:45:28.319 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--591ce82e-ed1b-45dd-a285-387646c93e95","9/19/2023, 11:45:17.485 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:45:37.880 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1ec22163-07f8-47a3-8ed2-5aa24256dd9c","9/19/2023, 11:45:27.425 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:45:57.907 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--21ab12b4-3d26-44ca-93b2-cf748eebbced","9/19/2023, 11:45:39.868 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 1:08:37.761 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--31a560b5-66b6-4ae1-9ee6-bbf40e14bc14","9/18/2023, 3:08:07.828 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 1:08:45.586 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d82ef420-e25a-40e7-b1d7-b20e434401d3","9/18/2023, 3:08:13.237 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 1:08:45.613 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--94034a97-d2ec-42d8-b19a-63db7a662aff","9/18/2023, 3:08:15.059 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 1:08:45.776 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6cd1e3c7-4bd6-4ab5-adc1-7f9d94defb3e","9/18/2023, 3:08:16.582 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 1:08:45.801 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1804dd37-01f0-429e-a767-b6d0b0b40fae","9/18/2023, 3:08:18.326 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 3:08:15.423 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3d81534b-9b08-45c2-91c6-02f7aa52d083","9/18/2023, 5:08:12.039 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 3:08:20.539 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--dc83bec0-2ecd-4c72-bde2-3976d9217208","9/18/2023, 5:08:12.598 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 3:08:20.936 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e40b6c74-5a2f-4f8c-b166-2649ae22ab78","9/18/2023, 5:08:17.391 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 3:08:35.796 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fff85ee7-bfd2-456f-af24-53aaa3112023","9/18/2023, 5:08:28.851 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 3:08:44.609 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--644c2254-5beb-4dc3-ac1a-ae278ff24a42","9/18/2023, 5:08:39.170 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:08:37.228 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--570785f6-8027-487a-86aa-d30d5c9abcbc","9/18/2023, 7:08:06.756 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:08:37.279 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--aa0e13a7-4484-4dfd-910d-bdf63d546490","9/18/2023, 7:08:13.005 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:08:42.908 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b96d7668-c57a-4752-be78-19af05cdb53b","9/18/2023, 7:08:17.654 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:08:45.777 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--17361014-20be-466f-8232-c67445d912a3","9/18/2023, 7:08:22.006 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:08:50.696 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2cc782fd-2321-47de-b7ea-e887a44633f2","9/18/2023, 7:08:45.150 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:15:30.273 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--570785f6-8027-487a-86aa-d30d5c9abcbc","9/18/2023, 7:08:06.756 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:19:35.651 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--570785f6-8027-487a-86aa-d30d5c9abcbc","9/18/2023, 7:08:06.756 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 7:08:35.808 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--85b308bb-d1cd-4364-8b0a-cf79f08a1c8f","9/18/2023, 9:08:10.227 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 7:08:35.840 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8559901e-538e-4759-bda3-aa0a4bd62a52","9/18/2023, 9:08:11.187 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 7:08:42.371 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4aef1056-d8c5-4153-bdfa-8e0a944fbacf","9/18/2023, 9:08:20.000 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 7:09:05.084 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4a7148fc-5c0a-4f5b-936f-f9e275d46829","9/18/2023, 9:08:47.284 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 7:09:05.097 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--41048f2e-d967-475d-b5dc-1f0953746b5e","9/18/2023, 9:08:48.033 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 9:08:35.194 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c301d98e-a0cb-4ebe-9efa-f06b4858cfa8","9/18/2023, 11:08:10.824 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 9:08:40.246 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5b364ebf-9fd4-45ff-94ee-9ea261b10ac4","9/18/2023, 11:08:11.641 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 9:08:40.281 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5423cbab-37d4-4a1f-9de1-c91448ed0320","9/18/2023, 11:08:15.125 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 9:08:45.966 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--406a6028-be22-4cfb-aa7e-0568fae67cbc","9/18/2023, 11:08:20.595 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 9:08:50.711 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ac1a4556-925d-4d95-9a2f-0d5874d6da21","9/18/2023, 11:08:46.401 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:08:40.696 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--48468012-0870-4a62-947a-039a2d94e57d","9/19/2023, 1:08:12.464 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:08:42.358 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--dfb18fa7-4170-485c-b331-e7d80eb549c6","9/19/2023, 1:08:10.788 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:08:45.689 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ddce8005-e9ab-48f1-a9f1-1aa58d8d3a03","9/19/2023, 1:08:15.525 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:08:46.158 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5afc27d2-96d1-48b5-b9aa-6cd9e5154b4c","9/19/2023, 1:08:19.540 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:08:49.848 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8d14deb0-db4c-42bf-8ac7-e619d5082b11","9/19/2023, 1:08:30.060 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/11/2023, 11:45:32.354 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b087305c-60da-4091-89c0-24cea4437438","9/12/2023, 11:45:14.453 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/11/2023, 11:45:38.605 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1a08f47c-fd0d-4f0b-9b8d-fa50bd322bd1","9/12/2023, 11:45:17.519 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/11/2023, 11:45:47.973 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a19bf28c-f51e-4283-a152-f64c8b40a00c","9/12/2023, 11:45:22.661 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/11/2023, 11:45:54.180 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0738a9cb-3be4-45a5-87b6-d1baaacd3e54","9/12/2023, 11:45:40.149 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/11/2023, 11:45:54.195 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5e90e377-be7a-4b9e-8b3c-c210291d1f75","9/12/2023, 11:45:39.811 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 11:45:23.346 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d5ee9223-035e-47f0-a0e5-816fa8732103","9/5/2023, 11:45:05.567 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 11:45:29.238 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--728da831-6812-48d6-b6eb-a363ced36875","9/5/2023, 11:45:10.016 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 11:45:38.708 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--76800644-c596-48b9-9597-6426e4dd6dda","9/5/2023, 11:45:17.915 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 11:45:42.493 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--09d8f629-19bf-468e-888e-a1661bcf9fbf","9/5/2023, 11:45:23.908 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 11:45:42.813 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fdb1f09c-09ae-4a77-a2be-d5d645b2adc8","9/5/2023, 11:45:25.533 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 3:07:27.011 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--32aa91d8-2e83-4fad-ba68-e0726a10f354","9/4/2023, 5:07:14.125 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 3:07:30.352 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fd8869f7-5d5c-4944-a699-e2814fb77abf","9/4/2023, 5:07:18.364 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 3:07:30.433 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--353fae35-3de1-4cb3-b55b-0596fa71c597","9/4/2023, 5:07:20.301 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 3:07:36.469 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d8349e15-f063-4c17-91c2-0b8b360bce13","9/4/2023, 5:07:33.170 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 3:07:41.738 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--966b8f98-92a4-40f5-a7e6-64cd5de62959","9/4/2023, 5:07:34.340 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 5:07:20.562 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3b509b76-c8a2-4ab3-a9ed-c8990c023aa0","9/5/2023, 7:07:16.993 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 5:07:20.640 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7ac8a634-85a2-4d04-aeb2-cf38b74decf7","9/5/2023, 7:07:16.609 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 5:07:31.530 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7c7b93bc-ff94-4ae0-b9f2-a91e862cc66e","9/5/2023, 7:07:26.914 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 5:07:36.640 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d69cca53-b393-49ec-bbb8-49d01dc61d54","9/5/2023, 7:07:31.514 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 5:07:45.637 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--17a9d2bf-5077-42aa-8903-3fb32382ccb1","9/5/2023, 7:07:38.561 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 7:07:21.369 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4b73b403-3350-4c7e-bdd6-e607411e6a80","9/5/2023, 9:07:15.352 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 7:07:25.888 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--07c217b0-e837-4ec1-ac87-d6e5b17a7bdc","9/5/2023, 9:07:18.473 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 7:07:31.306 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--66deb504-8125-492f-8bec-53a72a05772d","9/5/2023, 9:07:22.823 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 7:07:35.831 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fd23550a-e752-4cc4-9939-2b91f4c165d7","9/5/2023, 9:07:30.050 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 7:07:40.770 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--42987eed-2029-4427-be4f-f827e5727b4d","9/5/2023, 9:07:36.278 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 9:07:26.125 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5e2827f1-c5af-4cb3-9980-e6822f5395bc","9/5/2023, 11:07:16.725 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 9:07:36.534 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--504a1712-548c-4236-a7ee-83aa40c9f3ce","9/5/2023, 11:07:23.866 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 9:07:37.242 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a9c74d2b-fd5c-4d7e-8ace-d69de0e88240","9/5/2023, 11:07:27.366 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 9:07:46.564 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8c9850a7-7205-4e02-ab2b-ad434dae60a1","9/5/2023, 11:07:40.209 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 9:07:46.568 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a29805ed-29cb-4b04-9806-1e047cee03c6","9/5/2023, 11:07:40.305 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:07:26.178 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8a9f0bf1-aaec-44ce-8943-53b3c102684b","9/6/2023, 1:07:17.051 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:07:30.778 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f6b4c876-ebe2-4481-b3da-2bc15934eda0","9/6/2023, 1:07:19.787 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:07:31.254 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2116325b-9b6d-4ee4-8a9e-e1aac1962d12","9/6/2023, 1:07:21.356 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:07:42.039 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d4d4e9dc-2a9d-4161-873c-83d80ecdc194","9/6/2023, 1:07:32.525 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:07:50.133 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a0c8048e-3c20-4c94-875f-874e1ee76f63","9/6/2023, 1:07:40.906 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 1:07:25.773 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4d7c684c-7880-4f30-878c-b0a869d8362b","9/6/2023, 3:07:15.652 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 1:07:31.454 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d93c757d-fbb6-424d-a96f-a54462f88f3f","9/6/2023, 3:07:19.914 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 1:07:36.650 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--38bccc2e-a746-4a3b-a72e-f6d49f6fb46b","9/6/2023, 3:07:22.150 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 1:07:41.396 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--38936a8e-d40d-4495-8bba-88bb4e603b7d","9/6/2023, 3:07:30.842 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 1:07:41.729 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6e2e47bf-4631-4b86-b22a-41f123efe60f","9/6/2023, 3:07:29.863 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 3:07:31.149 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7b273e6f-f50f-4a40-9fd9-48471873b9e1","9/6/2023, 5:07:16.133 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 3:07:36.074 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--cfef7946-5a3d-4443-8bd7-5d36055a9629","9/6/2023, 5:07:19.879 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 3:07:45.004 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ada7d27f-c1c8-432b-afd6-b250ace62f21","9/6/2023, 5:07:26.923 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 3:07:56.690 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9f746e14-1b3b-4769-a057-83dfb17ac2d1","9/6/2023, 5:07:41.948 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 3:07:56.695 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a446a8b4-5d27-45ac-ba4b-6420d134fdac","9/6/2023, 5:07:41.966 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 5:07:25.796 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0f1ef799-fb3b-49be-8600-839f3007846f","9/6/2023, 7:07:18.375 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 5:07:35.427 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0868de98-3232-40c9-896a-7a11345f2cb3","9/6/2023, 7:07:24.863 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 5:07:36.332 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b64bdcd1-2cc4-48ca-93f8-bdd0797b2374","9/6/2023, 7:07:28.626 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 5:07:50.789 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ea3caa70-e3ea-4885-a27e-1883bf5abf5e","9/6/2023, 7:07:43.991 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 5:07:57.386 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2576c690-0639-4f3e-b0b9-951ea8971393","9/6/2023, 7:07:42.592 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 7:07:25.558 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3787eae6-080e-4091-a9da-f4f0109402a4","9/6/2023, 9:07:16.221 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 7:07:34.847 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8939f72c-66cd-4280-bbc1-a790b4a30b8f","9/6/2023, 9:07:20.843 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 7:07:41.098 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--26d7beed-7231-47cf-9297-13a8de5b1ec0","9/6/2023, 9:07:27.540 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 7:07:51.317 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--70b30161-e26c-409d-9e15-0835a13dc46c","9/6/2023, 9:07:37.669 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 7:07:51.459 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2b90c2bf-28f1-4f2c-81e6-475e77b4d580","9/6/2023, 9:07:39.557 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 9:07:26.456 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d8d3c3fb-574e-44c1-94bc-82760aaa6a21","9/6/2023, 11:07:16.565 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 9:07:34.726 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a3ec1027-394a-47aa-99de-0164a55af0ac","9/6/2023, 11:07:21.279 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 9:07:35.508 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bbd3462c-6970-4049-bd17-c768b788f641","9/6/2023, 11:07:24.058 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 9:07:46.573 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--afd04ad5-513c-4a2b-b521-f0703c0b0cc0","9/6/2023, 11:07:38.986 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 9:07:49.848 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--07fa8150-83a6-4ff0-a5d1-03b811903d12","9/6/2023, 11:07:42.621 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:07:25.211 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b064d0f8-b597-4ed6-82ee-80456610e87a","9/6/2023, 1:07:18.208 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:07:34.918 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--eaa475aa-208d-452b-a495-f82192a8e053","9/6/2023, 1:07:22.577 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:07:39.631 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fe99feb3-f5ca-4f25-85fd-3ce3b7400b64","9/6/2023, 1:07:26.935 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:07:51.825 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9a8cae3d-29eb-45d8-94c2-dde450b34543","9/6/2023, 1:07:37.070 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:08:01.125 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6ce10354-e748-4bd7-a480-11743f7de0f2","9/6/2023, 1:07:54.824 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:45:22.965 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0de0b631-35b7-4000-b658-2d50cc34ac45","9/7/2023, 11:45:07.453 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:45:27.979 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--33bcd8db-b224-47a3-9a27-120dfe830115","9/7/2023, 11:45:16.980 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:45:28.074 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ee6e1df0-1178-4a02-ad26-fc799eca1ea5","9/7/2023, 11:45:12.550 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:45:32.881 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--aad38262-dc08-4120-9568-f98f52d42f40","9/7/2023, 11:45:27.272 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:45:32.885 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c895f834-2355-4b72-a749-94723290904a","9/7/2023, 11:45:23.377 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 1:07:30.745 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fcac8dd3-7149-4cc9-9112-d1714bc7042c","9/6/2023, 3:07:20.996 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 1:07:30.783 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9dd11f15-22db-490f-95f5-14a95e5c749d","9/6/2023, 3:07:21.126 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 1:07:35.503 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--997194ea-b3c0-41a9-88c3-959128d42f5f","9/6/2023, 3:07:24.573 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 1:07:45.966 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8cd64efa-7a0d-44a1-b6be-248b7439d7c9","9/6/2023, 3:07:32.213 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 1:07:56.846 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ff0936f4-3f57-431f-b8de-bcd29f98f63a","9/6/2023, 3:07:51.976 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/1/2023, 11:45:23.438 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b8e33a9e-745f-4e0e-b90b-2028faae4c37","9/2/2023, 11:45:05.932 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/1/2023, 11:45:28.156 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--66581aca-eb17-4d3f-894d-4f64b82a63ae","9/2/2023, 11:45:10.405 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""6 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/1/2023, 11:45:33.052 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5e1bf5f3-fdd8-4712-8b6e-dcdda845e8ac","9/2/2023, 11:45:22.291 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""5 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692247301339,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/1/2023, 11:45:52.491 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--344a0f7f-5be6-4755-af10-360dea2c251b","9/2/2023, 11:45:45.845 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""15 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""3 sightings on 1 source: DHS Automated Indicator Sharing. 3 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/1/2023, 11:45:52.611 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--96f7d9a1-b944-4dec-b68e-60efd75fa56b","9/2/2023, 11:45:46.724 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 7:08:15.474 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--63f58a39-8ad0-43c3-aa52-e4dad18b581e","9/15/2023, 9:07:53.456 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 7:08:15.834 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b4131cb2-5a07-4d96-acb0-35c90ce23da7","9/15/2023, 9:07:59.412 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 7:08:15.924 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1972edc6-4a2c-42a6-8694-29b8b4f7def7","9/15/2023, 9:08:00.644 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 7:08:25.253 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ffdc3c9e-d47c-4b8d-94de-705103c0e414","9/15/2023, 9:08:12.061 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 7:08:30.438 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--cfe88178-421b-438b-bd0c-a90df2604155","9/15/2023, 9:08:16.997 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 9:10:11.409 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--de79b290-5e16-473d-9d5e-e92cd4e3fec6","9/15/2023, 11:09:21.551 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 9:10:27.488 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ebdcbaf7-1398-4c44-b404-97f05b0b9359","9/15/2023, 11:09:28.026 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 9:10:35.455 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--aa2e51ba-564f-4ed1-b3e5-965463155a58","9/15/2023, 11:09:40.176 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 9:10:41.194 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7a374743-00a4-4e8f-854b-19abb792d88a","9/15/2023, 11:09:44.371 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 9:10:41.767 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--91d14ed3-5310-4b72-ba23-c96f8f7b31a4","9/15/2023, 11:09:19.481 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 9:12:54.439 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7a374743-00a4-4e8f-854b-19abb792d88a","9/15/2023, 11:09:44.371 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:08:28.170 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f0422e61-1493-454f-a950-84b8db4d21d8","9/15/2023, 1:07:54.733 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:08:31.875 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--67403531-6b94-48ac-bff1-ad3df3d96d80","9/15/2023, 1:07:57.598 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:08:41.188 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3d275648-8c6f-404b-a13f-148ad7df34f4","9/15/2023, 1:08:05.810 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:09:05.168 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f315a880-2d35-49b0-9e71-06d66f68a4bf","9/15/2023, 1:08:22.786 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:09:05.773 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1f49c367-0e1d-4a26-ab6b-4ee75ce545d4","9/15/2023, 1:08:26.671 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:45:28.942 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6e8bab8f-d598-4af0-ae7f-3f4d88234543","9/16/2023, 11:45:10.709 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:45:33.634 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a9339ea8-2e72-4728-a697-d50c6ec944cd","9/16/2023, 11:45:12.985 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:45:47.219 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a8cc06fa-f0b3-439f-8d99-45befb1bc72b","9/16/2023, 11:45:33.040 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:45:52.491 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--baad8853-824f-4bba-bc47-b1a789791c7d","9/16/2023, 11:45:37.178 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 12:04:43.249 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0b2050bf-4e66-4c53-9605-f10ad878c5a7","9/16/2023, 11:45:19.804 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 1:08:25.941 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7b45458f-e7b2-4bd2-b5eb-674ea91d7e58","9/15/2023, 3:08:02.763 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 1:08:25.949 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a4dc4053-6ce8-4c01-89c1-e689f0d32bce","9/15/2023, 3:08:03.316 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 1:08:35.526 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--add76e7f-8a08-4e71-93fb-1406e8e91b98","9/15/2023, 3:08:14.366 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 1:08:40.824 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--48c02544-3a17-446c-8756-6167221a2406","9/15/2023, 3:08:22.092 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 1:10:50.713 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--243dea3a-ef3c-4c4b-b29c-b2d386759f73","9/15/2023, 3:08:24.687 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 3:08:50.369 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--13e55d73-4a42-4d5c-be2c-f394102aba6e","9/15/2023, 5:08:12.426 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 3:08:56.559 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6e1beff3-d515-47e0-b603-1e295d64ef51","9/15/2023, 5:08:13.093 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 3:09:00.437 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--437e13bb-b1d6-49c2-93bb-3cf5dfb3e20a","9/15/2023, 5:08:15.295 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 3:09:26.600 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6c3d207c-9d3d-4583-8a23-8d2958026a12","9/15/2023, 5:08:34.140 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 3:09:35.651 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bc6e07dd-89bc-4b96-a583-ae1a65520a21","9/15/2023, 5:08:36.918 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 3:12:48.502 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bc6e07dd-89bc-4b96-a583-ae1a65520a21","9/15/2023, 5:08:36.918 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 5:08:05.629 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fac4c210-caad-4f33-b1d9-55d9d83bde0a","9/15/2023, 7:07:53.865 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 5:08:10.939 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8d794c74-e1f6-44b9-96cb-f70cc2b2d15c","9/15/2023, 7:07:59.238 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 5:08:16.758 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0c4a8410-73af-4028-a86d-06e9de5ac7f8","9/15/2023, 7:08:04.119 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 5:08:26.526 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--23313353-23dc-424e-9541-039c2508d5ef","9/15/2023, 7:08:16.099 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 5:11:00.793 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2d4d4f90-4b97-446f-81d3-baa81100c5a9","9/15/2023, 7:08:19.306 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 7:08:58.282 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--54e0bb5b-ab56-404f-850c-03878c690f8a","9/15/2023, 9:08:16.952 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 7:09:11.827 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--eafee012-31d4-4042-8e3e-c69408f64a86","9/15/2023, 9:08:24.335 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 7:09:26.351 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b206e6d2-b714-49a5-bccd-b3b3d003e9bf","9/15/2023, 9:08:34.708 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 7:09:26.352 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c4a0ca23-2e34-4297-9d17-000f8779e6e0","9/15/2023, 9:08:34.722 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 7:09:35.025 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f00b01fe-325b-44cc-92af-bc220fad068e","9/15/2023, 9:08:44.280 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 9:08:15.756 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--130c1f09-7613-4dca-a6e2-b7d7b7aa4337","9/15/2023, 11:08:01.154 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 9:08:20.659 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--269c89ba-5cf8-4e87-acc0-e105388b25f5","9/15/2023, 11:08:07.518 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 9:08:25.716 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1f0553da-c39d-4fa7-80e0-ed526a120693","9/15/2023, 11:08:09.623 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 9:08:30.304 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7d509716-fc49-4b56-bcb3-837837a2df76","9/15/2023, 11:08:18.534 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 9:08:35.363 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--31b76793-1fb2-4bf2-a564-21310f93475b","9/15/2023, 11:08:20.911 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:08:11.428 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a1aaac36-3cd5-4f60-810c-df8ff0da8a18","9/16/2023, 1:07:57.962 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:08:15.780 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--94281c10-70ba-4606-aff3-a2f5815d39c0","9/16/2023, 1:08:04.662 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:08:20.777 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--14075afb-04a1-4957-905b-b5e3bbf8872d","9/16/2023, 1:08:02.691 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:08:25.842 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7d3db047-6660-489c-8ca3-5885de839745","9/16/2023, 1:08:06.744 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:08:35.975 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1a2aae41-4e93-44b4-aa05-ae9acb37b623","9/16/2023, 1:08:23.778 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 1:08:10.763 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c4684267-f980-4fb1-80ca-7f1f7bae6379","9/16/2023, 3:07:58.708 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 1:08:21.718 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ae389ad5-3d7f-4355-af8c-d92939d26894","9/16/2023, 3:08:04.120 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 1:08:26.408 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d0b7f2d0-0379-464c-967f-d7175ce8d022","9/16/2023, 3:08:07.223 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 1:08:35.174 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4b563084-398e-47ba-a046-413d7510a1f0","9/16/2023, 3:08:12.154 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 1:08:40.511 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--da6548fb-47e5-4ab8-a7f2-457e8c4e4a28","9/16/2023, 3:08:26.245 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 3:08:11.371 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c5fe5710-66e5-4d73-ae46-275d1dbe80b5","9/16/2023, 5:07:59.652 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 3:08:20.709 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0f17ecba-9ea3-4219-9f5e-ea0dbd9017aa","9/16/2023, 5:08:03.095 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 3:08:20.791 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--38005e85-1d53-4abb-8dbb-c3be4f91a328","9/16/2023, 5:08:04.525 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 3:08:35.403 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6b7793b0-f3d6-4223-9c55-4036e7a1d981","9/16/2023, 5:08:23.063 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 3:11:15.428 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--75bb8b79-89a0-42ae-8893-e927482c18f5","9/16/2023, 5:08:21.434 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/30/2023, 11:45:23.110 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--cc425f68-6874-405d-800a-89b2e73991a1","8/31/2023, 11:45:08.839 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/30/2023, 11:45:29.086 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--cd4baef5-50eb-4b9a-ad1a-964a95f756fe","8/31/2023, 11:45:16.944 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""6 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/30/2023, 11:45:32.689 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7acdc054-0295-444d-a664-6f5a82afb165","8/31/2023, 11:45:19.233 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""15 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""3 sightings on 1 source: DHS Automated Indicator Sharing. 3 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/30/2023, 11:45:32.720 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8da7e428-4760-425e-aac6-fe976f957172","8/31/2023, 11:45:21.566 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""5 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692247301339,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 1:07:31.496 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d29072c0-9386-4879-8c6b-5bfa72ef172b","9/7/2023, 3:07:22.638 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 1:07:36.601 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--322d71aa-d34e-4d95-bb75-858aa8f20fa9","9/7/2023, 3:07:25.276 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 1:07:50.875 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--76487970-82eb-4636-a751-363101b587fa","9/7/2023, 3:07:32.529 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 1:07:51.108 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7b51486c-0179-4f49-b9b9-ed010a2d3509","9/7/2023, 3:07:34.428 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 1:07:56.616 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--318d54d4-2d75-44a2-b9e8-e3512cce0288","9/7/2023, 3:07:45.346 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 3:07:26.128 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fd5ea7c7-dda4-471e-beb4-00dd960635dd","9/7/2023, 5:07:22.215 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 3:07:30.913 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e0d1c312-387f-4d00-81bc-7ae97445e9f8","9/7/2023, 5:07:22.030 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 3:07:37.201 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b0ab4619-0577-4127-afe2-d95a5d11bc75","9/7/2023, 5:07:33.778 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 3:07:51.366 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fa05ac38-dcdd-43c9-a898-e9a795689eb3","9/7/2023, 5:07:47.229 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 3:07:56.085 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ef28cdab-be67-4bc9-9b56-18f07d8cb3af","9/7/2023, 5:07:46.889 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 5:07:45.687 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--47bee001-e846-4a6a-938e-6e5fbbda8c49","9/7/2023, 7:07:23.121 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 5:07:46.022 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--72aab46a-7531-4b23-8d14-aff5a03120d6","9/7/2023, 7:07:25.819 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 5:07:51.029 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f4432a09-afce-4ae9-bea1-ed7e35a62e43","9/7/2023, 7:07:27.635 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 5:08:00.594 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3caaff8e-4299-465f-8328-63efe8ae73f7","9/7/2023, 7:07:47.467 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 5:08:06.210 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fa43199b-6569-4764-987f-45bcd2aeba2d","9/7/2023, 7:07:36.895 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 7:07:50.508 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f63ce06b-3e4a-413a-a778-fe55d45cd62b","9/7/2023, 9:07:25.374 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 7:07:50.521 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1f59e25e-07bd-4ae8-93de-1a2989029b73","9/7/2023, 9:07:26.009 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 7:07:50.661 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9faf4bb2-2c8e-4fcb-af3c-f8f7073a41c2","9/7/2023, 9:07:22.561 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 7:07:56.744 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b40cb0f1-bbd8-465f-96fb-be078c7717e7","9/7/2023, 9:07:27.993 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 7:08:16.079 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ed156d01-27b0-4efb-b07f-1132b3e2d0fa","9/7/2023, 9:07:44.260 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 9:08:35.965 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--68da597f-be57-4da8-92a9-ad4047508dc0","9/8/2023, 11:08:12.148 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 9:08:40.720 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--679f36ee-3816-4aa5-acaa-4d9648c51ca6","9/8/2023, 11:08:14.944 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 9:08:41.236 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--56855af0-414f-452e-9c8b-cfcc3424b6b7","9/8/2023, 11:08:17.557 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 9:08:55.421 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6a253df8-a260-44cd-98f1-d8607637a61e","9/8/2023, 11:08:28.080 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 5:07:21.134 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c226ddb1-03f3-4658-949f-5795d1287619","9/4/2023, 7:07:12.327 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 5:07:21.806 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3f7a8e3b-f030-4b07-a974-3198f89a205a","9/4/2023, 7:07:17.389 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 5:07:21.891 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--abc79038-8d6c-476f-a014-b2dae104b424","9/4/2023, 7:07:14.810 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 5:07:30.872 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--596b6f46-48d4-4472-a2f4-ef850a72911c","9/4/2023, 7:07:27.535 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 5:07:36.094 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--671f5ea8-31d8-4db3-a335-07f7bfd8c012","9/4/2023, 7:07:31.632 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 7:07:20.502 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4986b434-8066-48a8-836f-519080ba1c41","9/4/2023, 9:07:11.269 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 7:07:25.830 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9442e831-0470-4064-81f3-cfdaa9065174","9/4/2023, 9:07:15.072 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 7:07:29.047 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b6736063-65c0-46ec-83fd-ecf582fb57bb","9/4/2023, 9:07:18.503 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 7:07:37.243 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--518253f5-5bbc-4978-bd1f-54e45d45f2e2","9/4/2023, 9:07:32.423 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 7:07:37.833 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--432ca638-682b-4ff9-9e4e-ed520728aa9c","9/4/2023, 9:07:27.901 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 9:07:40.562 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3364c2dc-86b1-4b0d-8197-d18b61624131","9/4/2023, 11:07:33.739 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 9:07:40.582 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--21061758-32c4-4c2f-8a68-af6d89914c6f","9/4/2023, 11:07:30.216 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 9:07:50.937 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--cf17c272-6ce2-4223-892a-5f4abfcd6e44","9/4/2023, 11:07:39.215 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 9:07:55.449 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5f35004c-e91e-46ed-bf5a-fce370350486","9/4/2023, 11:07:49.584 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 9:08:04.660 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c891d554-5ce2-4915-991b-b0ca20b60a42","9/4/2023, 11:07:50.727 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 11:07:21.762 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--41f607b1-9e71-43b5-86a5-779c8399124a","9/5/2023, 1:07:11.541 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 11:07:24.836 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--cd848bce-5e97-45a6-a20b-87baf38d65ff","9/5/2023, 1:07:11.875 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 11:07:25.645 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e2d8f97f-d2d2-4e34-aa98-2251839f042b","9/5/2023, 1:07:14.656 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 11:07:36.113 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9f962517-7f07-47af-af90-980c8804fa83","9/5/2023, 1:07:29.947 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 11:07:45.484 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--03429a56-4f4c-4449-b387-013003abbd65","9/5/2023, 1:07:38.336 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 1:07:26.829 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--124845e8-7b63-445c-a058-5f47d09ceb2c","9/5/2023, 3:07:13.141 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 1:07:30.108 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6a2449fe-980e-4dd2-855b-77733c7f3b3e","9/5/2023, 3:07:17.554 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 1:07:35.752 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--13c64bf9-b65a-438b-aebf-029b991ecc54","9/5/2023, 3:07:21.711 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 1:07:45.916 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--258810b6-33cd-4b74-a1ef-95950b76b852","9/5/2023, 3:07:36.730 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 1:07:46.241 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--da11013a-d24d-4a1f-b6ae-43b2363298eb","9/5/2023, 3:07:37.494 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 3:08:06.358 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--45269453-6771-4889-9264-df97559508b8","9/5/2023, 5:07:34.293 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 3:08:06.521 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b891cd79-213d-4dbd-9ffe-b0052ae61911","9/5/2023, 5:07:36.203 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 3:08:06.802 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--13565e39-320d-4e8e-a4e4-2429f02baa90","9/5/2023, 5:07:31.897 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 3:08:11.725 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4397367d-d158-41b5-aa02-05cc61663ab5","9/5/2023, 5:07:43.361 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 3:08:16.058 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f1a271eb-b403-4b33-9ad4-8cebd5364178","9/5/2023, 5:07:50.366 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 5:09:06.003 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0e9c021a-9f16-4c1d-ae19-faaf10aea1d5","9/5/2023, 7:08:56.662 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 5:09:16.412 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ac19d3b2-152c-4b89-ad04-cd86979be91e","9/5/2023, 7:09:00.852 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 5:09:21.381 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--af5a80c1-79eb-4a77-95cb-6c59e2ab963f","9/5/2023, 7:09:06.138 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 5:09:25.964 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--06e7f262-e9ac-4055-ae37-47eaaab231ea","9/5/2023, 7:09:16.074 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 5:09:27.939 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--62845440-c183-4a69-8ba7-ca2a4b704852","9/5/2023, 7:09:16.950 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 5:14:07.819 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0e9c021a-9f16-4c1d-ae19-faaf10aea1d5","9/5/2023, 7:08:56.662 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 7:07:22.096 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--02c799db-d535-47cf-acd2-34c2f0dcef8b","9/5/2023, 9:07:18.227 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 7:07:25.868 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--55144e47-1ca5-4c2c-8caf-1dd97357a465","9/5/2023, 9:07:22.703 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 7:07:35.305 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--42773071-cc72-483d-bc0c-2d24ea845ac3","9/5/2023, 9:07:28.652 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 7:07:40.931 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e7e5c7eb-0244-4aae-af75-6044c96d08cc","9/5/2023, 9:07:37.821 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 7:07:45.548 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1d17b9fa-8c83-4ddf-9326-48913d4a91f2","9/5/2023, 9:07:39.286 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 9:07:19.917 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--57b8ec1c-16ed-48a5-b307-e575cfa45696","9/5/2023, 11:07:13.659 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 9:07:20.364 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f7da2362-305b-4d6e-9d90-deb734494049","9/5/2023, 11:07:17.365 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 9:07:30.363 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1254bd84-a742-4727-a88a-5b080b9aafb2","9/5/2023, 11:07:23.700 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 9:07:36.302 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1818028f-0d4f-4130-b7ed-cc82cfa6e454","9/5/2023, 11:07:32.114 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 9:07:41.778 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c48f53d1-f813-4ed6-ae27-f0b29d051def","9/5/2023, 11:07:37.130 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:07:26.769 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a45e8359-a4de-45a1-9ef3-7612f0ca8b60","9/5/2023, 1:07:15.843 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:07:35.172 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--32a44164-b099-4aa3-b7ba-8fcb3afffd7e","9/5/2023, 1:07:23.212 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:07:41.096 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4098c698-54fb-4dc2-9b08-f97bff24564d","9/5/2023, 1:07:27.424 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:07:47.148 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--af954681-8e66-4929-a4c5-675cb0deeaf7","9/5/2023, 1:07:38.967 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:07:47.318 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ebd7b233-e514-485a-89a9-ba4a068bfb01","9/5/2023, 1:07:38.208 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:45:25.182 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9abdf5c0-5410-4527-a728-731967d89468","9/6/2023, 11:45:06.843 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:45:32.739 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8d0d4740-2f99-4909-9a48-eec920480f89","9/6/2023, 11:45:12.458 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:45:42.662 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f57caaa1-893d-43e6-ba47-466c40d7ff4a","9/6/2023, 11:45:27.854 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:45:42.667 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3f94cf57-39cc-4ea0-a4bc-d4d2a072c52e","9/6/2023, 11:45:29.556 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:45:43.620 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--508e3bb7-b475-41ef-9ead-02a942746f0f","9/6/2023, 11:45:17.166 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 1:07:30.831 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--01c38d5b-976f-4926-98ff-91c312b3909f","9/5/2023, 3:07:15.140 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 1:07:36.656 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e5b776c9-3ad2-4271-a6ee-4958c8f7502e","9/5/2023, 3:07:16.819 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 1:07:41.972 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d52b1814-36b4-4542-8dfd-f67984e8a4cf","9/5/2023, 3:07:23.068 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 1:07:42.747 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--092abfa4-43ef-4464-8d17-751a56206d33","9/5/2023, 3:07:28.647 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 1:07:45.788 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fa7d9d5b-44b9-45eb-bda3-b1061812e4f5","9/5/2023, 3:07:30.148 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 3:07:35.611 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--61e924e4-1c21-4048-b8ac-da9566819f8e","9/5/2023, 5:07:19.407 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 3:07:36.022 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--938f0865-4612-44a7-8584-cf0213e052be","9/5/2023, 5:07:22.304 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 3:07:41.122 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--31fbbea8-2e67-4054-85c6-846574a00ab8","9/5/2023, 5:07:25.116 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 3:07:45.681 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--529a4de9-ef60-4756-9f43-e69979d0c912","9/5/2023, 5:07:36.790 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 3:07:50.769 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2c58047a-fd20-4135-88a8-73b94419439b","9/5/2023, 5:07:43.818 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/31/2023, 11:45:28.344 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0ff19d85-b055-4cd1-ba1a-d306d9e9fa21","9/1/2023, 11:45:08.939 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""6 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/31/2023, 11:45:33.703 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3adab4d3-e0b9-4d5b-a818-ab2c9bdd9503","9/1/2023, 11:45:14.850 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""5 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692247301339,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/31/2023, 11:45:37.292 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9bc98fd9-561a-420c-a235-f8197eb9927f","9/1/2023, 11:45:19.014 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/31/2023, 11:45:37.306 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--859987f2-7c82-4fe4-970c-3aeaddb488f0","9/1/2023, 11:45:17.313 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""15 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""3 sightings on 1 source: DHS Automated Indicator Sharing. 3 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 3:07:55.478 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d9641cdf-b756-4d9d-84d6-dbc8bad16a72","9/6/2023, 5:07:22.496 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 3:07:55.759 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--98684f27-baca-475a-a081-638c848a0351","9/6/2023, 5:07:23.249 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 3:07:55.984 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d678dce9-d1fe-454e-afad-178387bd385a","9/6/2023, 5:07:26.349 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 3:08:20.743 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b7a15e07-88a5-47ae-9910-b6b82f974e5e","9/6/2023, 5:07:37.783 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 3:08:30.149 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--60030ffa-a379-434c-904b-5603b5c8bbbe","9/6/2023, 5:07:43.223 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 5:07:36.011 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--06dbdab3-92f9-489c-ae2d-5c709b4b43d6","9/6/2023, 7:07:22.188 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 5:07:36.404 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b7e6120b-f981-4851-a389-4f309bb5901d","9/6/2023, 7:07:22.799 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 5:07:36.840 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fcac6e25-ffac-421e-9b5e-4222eb18475b","9/6/2023, 7:07:24.085 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 5:07:56.078 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5a4c8b7c-00a1-4ef6-bfc7-51edab44f466","9/6/2023, 7:07:48.436 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 5:07:56.914 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fd47baa6-3203-4f6b-8ab9-fb77cae3772b","9/6/2023, 7:07:46.669 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 7:07:34.396 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8f2a2fe1-7f36-480c-8d55-61859c48d438","9/6/2023, 9:07:27.076 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 7:07:40.631 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--372615ee-6da5-4039-9ee9-a3ae8e56d1ee","9/6/2023, 9:07:31.466 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 7:07:40.730 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1f6b9783-6dc7-475c-94d5-598841a1d737","9/6/2023, 9:07:35.399 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 7:07:56.631 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b85906f0-251f-40c7-9664-69bec256deeb","9/6/2023, 9:07:48.286 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 7:07:57.987 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8e579335-6aa9-4f5c-b4a2-0fd5be2f9c43","9/6/2023, 9:07:49.538 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 9:07:35.890 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--da03723e-2db8-477b-910a-6236a6a1cd5d","9/6/2023, 11:07:22.316 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 9:07:36.231 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9ef6ca57-5eb3-48bc-a5e0-040ab95f1be6","9/6/2023, 11:07:21.115 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 9:07:36.415 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7f58d127-778b-4d28-a1f7-b03fc5523db0","9/6/2023, 11:07:19.797 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 9:07:52.147 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f602db84-f192-44db-84c7-29be4559cc26","9/6/2023, 11:07:36.413 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 9:08:00.533 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0f79dc57-e775-4260-bd89-1745a4f7f922","9/6/2023, 11:07:44.304 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:07:31.112 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c3ccdf57-35e3-4296-98c4-56a2cb41aa3a","9/7/2023, 1:07:20.207 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:07:35.169 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b93f177b-18fd-4812-afbb-c7fd151ee782","9/7/2023, 1:07:22.915 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:07:40.857 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f7c68aaa-c0c7-4ea3-898d-90bee394515f","9/7/2023, 1:07:24.616 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:07:41.028 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f0acfafc-90db-4188-be76-669d236670aa","9/7/2023, 1:07:25.023 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:07:57.540 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d1e105f7-141f-4cd4-a99f-bd4c3638fba7","9/7/2023, 1:07:43.649 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 1:07:30.891 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ecf46d2f-5f18-4f2b-bdeb-f5cb49d81d8d","9/7/2023, 3:07:19.756 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 1:07:31.900 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--875f1613-ea11-4dd8-b688-2971e304998a","9/7/2023, 3:07:21.420 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 1:07:50.672 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--417f7c9b-dc48-4286-bafa-6bac007a4cf8","9/7/2023, 3:07:32.564 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 1:07:50.727 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8550da1f-3d70-43ac-9299-818baa67db9f","9/7/2023, 3:07:33.256 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 1:08:00.044 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fb5d98fc-ad61-4ffb-a542-1b4aa42e5303","9/7/2023, 3:07:47.041 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 3:07:40.699 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--41bd7516-f7e4-47a7-afc3-bda25753b4b6","9/7/2023, 5:07:29.579 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 3:07:40.869 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c28ecd80-e947-4c44-8ba5-afdf7b3d4a19","9/7/2023, 5:07:28.067 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 3:07:45.657 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9f229c5b-7479-48ba-8933-56457d911b92","9/7/2023, 5:07:33.958 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 3:07:50.803 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bb53b503-db79-4a45-84db-e545e7c5fe2f","9/7/2023, 5:07:39.408 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 3:08:05.635 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3f883d5d-6a5f-49d0-86a1-ac3b32767d51","9/7/2023, 5:07:55.375 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 5:07:55.638 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--45f45ac7-52d7-476c-80bb-b56f77ecb67e","9/7/2023, 7:07:32.670 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 5:08:01.152 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ebf37e0e-a425-401f-bcd5-8f804dcde2e6","9/7/2023, 7:07:36.891 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 5:08:06.448 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--28a11b92-b8e1-4d18-8773-df1edde61f4f","9/7/2023, 7:07:42.718 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 5:08:16.875 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--eed08f19-0181-42a4-aa17-881fb01ab668","9/7/2023, 7:07:49.749 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 5:08:21.280 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--03c266a0-b671-44c1-b319-63f05483b323","9/7/2023, 7:08:00.061 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 7:07:30.958 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--77b06c36-972e-42a2-a90a-8c066d0f98dd","9/7/2023, 9:07:21.920 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 7:07:35.549 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3ecbe356-5d1b-47cc-adef-aee5a2d23c7f","9/7/2023, 9:07:24.700 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 7:07:35.664 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--04a86ebf-5bd1-416b-8672-d971f436788d","9/7/2023, 9:07:23.703 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 7:07:44.934 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--cff35864-bd11-488c-b448-5a2b623cc50b","9/7/2023, 9:07:34.750 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 7:07:55.639 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0f6d7603-244e-4ced-a999-cc5e252b2aba","9/7/2023, 9:07:43.397 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 9:07:31.126 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3b0f6460-15fd-40c1-a46c-1575af29e497","9/7/2023, 11:07:23.572 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 9:07:31.899 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1ef9e580-227b-48e2-8ea8-625bb1b3173c","9/7/2023, 11:07:21.804 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 9:07:36.483 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fa7aacb6-ebde-4aba-b415-1cbcd08f46d1","9/7/2023, 11:07:24.725 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 9:07:51.494 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--33ff3d30-706e-4e6a-91e6-b184707cf382","9/7/2023, 11:07:34.084 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 9:07:55.742 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7577cf17-ba6f-4ee9-810c-a16be3bafe42","9/7/2023, 11:07:51.571 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:07:31.925 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5bc1fb45-170e-40b4-a46e-cc42f2541ab2","9/7/2023, 1:07:22.585 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:07:35.539 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--23392de3-3b17-4df8-943d-7a6b3e68c2fb","9/7/2023, 1:07:24.158 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:07:45.503 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d9d91fc4-2617-4678-bc02-d58ed41bd64f","9/7/2023, 1:07:30.896 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:07:50.791 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--145bb6a7-99fb-4ddc-9203-fbe7dce9d7d0","9/7/2023, 1:07:44.497 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:07:56.115 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--96d7f02f-4366-4be8-86bf-1a70d7ef446e","9/7/2023, 1:07:49.768 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:45:23.310 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bdbfa234-273d-4e60-941b-f7e18436ff32","9/8/2023, 11:45:08.224 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:45:28.463 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b3725f8c-408c-4633-a74c-e03131404b51","9/8/2023, 11:45:09.967 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:45:32.899 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c7c0cb9a-3c34-4938-9d40-fb481b0bcc16","9/8/2023, 11:45:16.918 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:45:37.866 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--599cda6d-d768-4d8d-95bd-fda9623e3688","9/8/2023, 11:45:26.836 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:45:42.331 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4bd4597a-0d8d-41e2-ae9e-ad3a10b6b092","9/8/2023, 11:45:30.350 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 9:15:26.228 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--363d1fb1-53fd-41e4-91df-1eb8ded13c92","9/7/2023, 11:07:24.976 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 9:29:03.782 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ae012fde-7856-49ca-aabd-28fdb9633617","9/7/2023, 11:07:33.578 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 9:46:58.179 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ce85fe96-3ae1-4eb5-928a-183ef8776f81","9/7/2023, 11:07:43.346 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 9:46:58.216 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f6ebb0f2-b58c-4830-a518-7bb4207c1003","9/7/2023, 11:07:44.592 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 9:51:38.808 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1ae2b11f-acda-4828-9e15-06d9eab57217","9/7/2023, 11:07:33.120 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:07:40.729 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--96bb6716-451a-48b1-9ab6-2f79894963a4","9/8/2023, 1:07:28.859 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:07:41.185 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--808c3640-bfc3-4141-a80f-88d243aa6275","9/8/2023, 1:07:27.375 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:07:41.239 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--777441d5-25bb-4af6-ad2c-215dfc4c5c6f","9/8/2023, 1:07:28.491 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 6:38:34.688 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f0a5bd3d-1837-4c0b-9bab-59147842eb8c","9/8/2023, 5:07:32.654 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 7:08:26.552 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2e943c19-84eb-4b92-8fae-150409e77fdf","9/8/2023, 9:08:07.541 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 7:08:50.614 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--51caa893-ea6d-4159-ba4f-d401156c7b79","9/8/2023, 9:08:35.254 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 7:08:50.618 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--14564931-c1eb-4ffe-9e8d-b82107734397","9/8/2023, 9:08:35.762 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 1:07:50.998 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--34996512-f309-473d-b8de-5a1b50425da0","9/8/2023, 3:07:22.219 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 1:08:24.616 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d4316cab-ebc9-469d-8dfd-78e66fc707fd","9/8/2023, 3:07:43.117 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 1:22:26.999 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--efcaa7f2-3ffc-489e-9080-e206e2d93d8d","9/8/2023, 3:07:43.654 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 2:22:23.555 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--197864cf-2f2d-432f-999a-d9a8b3575707","9/8/2023, 3:07:23.550 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 2:23:34.946 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--197864cf-2f2d-432f-999a-d9a8b3575707","9/8/2023, 3:07:23.550 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 2:23:47.118 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--197864cf-2f2d-432f-999a-d9a8b3575707","9/8/2023, 3:07:23.550 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 3:08:02.691 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f11aca0e-dd2d-450a-986f-5a65bfdf9e91","9/8/2023, 5:07:31.657 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 11:07:51.682 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bfe8fb60-bf6f-46e8-8d3c-08e7857d8609","9/8/2023, 1:07:25.237 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 11:07:52.621 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--abb9db07-56fc-4132-ad68-82bddd719228","9/8/2023, 1:07:27.674 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 11:07:52.625 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7964dabe-258e-4b1f-96b9-6792e0384341","9/8/2023, 1:07:27.957 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 11:08:21.419 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--131275ac-8593-4c48-8338-b9ea0dbf1b99","9/8/2023, 1:07:57.412 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 11:08:23.895 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--23debd76-f9d4-4cf2-8164-89938885410e","9/8/2023, 1:07:56.471 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 11:16:14.392 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bfe8fb60-bf6f-46e8-8d3c-08e7857d8609","9/8/2023, 1:07:25.237 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 9:08:25.687 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7e0d3b09-54f4-43a1-872d-ae2d03b200b3","9/14/2023, 11:07:54.827 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 9:08:25.694 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--27b48f67-f765-4bf9-a12a-ce9d4fa6314b","9/14/2023, 11:07:54.394 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 9:08:36.260 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bfeae2a7-4698-440b-a64c-8b23d89f65a4","9/14/2023, 11:08:06.757 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 9:08:36.275 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d162bfa1-b19e-4f30-9750-abdbe728cab3","9/14/2023, 11:08:14.787 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 9:09:49.575 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--df5c436a-23f2-4310-869c-3c21214060e0","9/14/2023, 11:08:16.465 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:08:01.558 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--77d56653-f3d6-4939-bf3a-d72cbd9e5da4","9/14/2023, 1:07:53.807 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:08:05.750 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e34e6f9e-7219-4d1e-9ce1-b4dd6fc1c559","9/14/2023, 1:07:57.341 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:08:11.593 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--acd690a5-4434-468a-b0da-c7b8074462dd","9/14/2023, 1:08:06.017 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:08:21.636 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--31db7f78-a377-4906-87bb-20d8aa7baac0","9/14/2023, 1:08:15.841 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:09:51.246 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--30641f69-1d5a-4e76-afdc-cecf26916da1","9/14/2023, 1:08:20.554 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:45:29.433 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3b40bf69-06e8-45f8-8f46-cdd865c95a33","9/15/2023, 11:45:12.918 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:45:32.604 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3958d6cf-fc79-4405-bf1d-3eb8e542e2dd","9/15/2023, 11:45:16.331 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:45:49.309 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8e8065b2-1476-49cc-8287-0b52db4fe42e","9/15/2023, 11:45:23.318 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:45:58.424 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d2ed9733-cb48-4630-a31b-8762aef721be","9/15/2023, 11:45:34.211 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:54:03.497 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b5f32674-cfe0-4ac5-8671-639dfc1b172c","9/15/2023, 11:45:31.892 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 1:07:56.305 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a6a0f5ef-53bb-445e-8376-153559cc089a","9/14/2023, 3:07:50.850 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 1:08:01.145 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a8e909a4-e987-460a-b253-d64f2fa27c1b","9/14/2023, 3:07:52.693 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 1:08:06.452 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--63e65fe5-80ad-40a6-9798-8179827fa617","9/14/2023, 3:07:55.084 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 1:08:06.920 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1fa42a0e-cd8e-4719-8238-b371160662f8","9/14/2023, 3:07:56.913 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 1:09:55.920 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--85f500b0-9ad5-4603-9f3e-50547c6c08cc","9/14/2023, 3:08:20.022 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 3:08:15.953 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--15350ff9-d80f-4403-93b6-456e722f54c2","9/14/2023, 5:08:00.076 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 3:08:25.622 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b64896cd-e4c7-44c9-9022-ecafa5e1141d","9/14/2023, 5:08:09.800 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 3:08:41.550 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1fec2184-67fa-4aa7-90dc-b65cecd6267b","9/14/2023, 5:08:36.121 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 3:09:16.822 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e7c3d7f4-4294-4a3d-8dd9-4ca92ba8c1cd","9/14/2023, 5:08:51.070 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 3:09:20.569 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3a45eaa7-81d0-4d74-af17-05c55459baec","9/14/2023, 5:08:57.836 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 5:08:26.652 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fa4fb3d5-a494-4f08-919c-1fc70c533b24","9/14/2023, 7:07:59.238 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 5:08:35.652 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--861a4318-a3ee-4337-8874-fadd60aecc15","9/14/2023, 7:08:02.796 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 5:08:40.857 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ad0e2d14-6b67-40d9-a0e9-a41f3c12f5b4","9/14/2023, 7:08:10.841 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 5:09:00.347 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1e1b37c2-370a-42a8-833c-568aea265abd","9/14/2023, 7:08:27.010 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 5:09:05.374 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--31afae3e-5ad6-4c8d-a09d-670ea31c57d7","9/14/2023, 7:08:28.172 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 7:08:22.427 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d1cf6a11-584a-4ed6-b188-7bc922a5a144","9/14/2023, 9:07:57.156 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 7:08:30.524 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e20a2b15-9def-476d-8102-3482414a83c8","9/14/2023, 9:08:07.327 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 7:08:35.371 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c608a60b-71ad-40f8-a00c-79765d4bb6b2","9/14/2023, 9:08:08.688 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 7:08:35.683 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a76e638d-e43e-409e-8f54-d841d8cf4140","9/14/2023, 9:08:23.195 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 7:10:10.855 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--642a82ba-58d8-45fe-af18-7f4ffeb161a8","9/14/2023, 9:08:24.631 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 9:08:16.162 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--074133f8-5918-4b6f-b8aa-29945b12cd42","9/14/2023, 11:07:55.930 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 9:08:21.285 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--438b8874-bc19-44c8-9422-46b33e8ae74e","9/14/2023, 11:07:56.443 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 9:08:31.429 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c49d28ad-39d9-4cb8-821c-5abf48f690e2","9/14/2023, 11:08:05.409 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 9:08:40.520 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--cd365926-ccf7-48fc-b4e1-3d78b04b128c","9/14/2023, 11:08:14.725 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 9:08:40.700 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--18a6006c-c89d-4338-89d2-93d52844f8df","9/14/2023, 11:08:16.451 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:08:55.986 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3cf51c32-b33f-4083-8f8f-108cfa857dc8","9/15/2023, 1:08:17.518 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:09:00.752 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a7b6e1ef-7e24-416f-8c7f-50abcc16c0a9","9/15/2023, 1:08:21.653 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:09:07.625 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0e0ea676-6582-4426-8f3a-40b1acbb56b7","9/15/2023, 1:08:24.677 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:09:11.674 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5476b219-32ce-4518-9893-d7607a8b6754","9/15/2023, 1:08:25.882 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:09:25.661 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bf220549-12ed-44df-a4e0-1758857ecbef","9/15/2023, 1:08:44.910 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 1:09:56.609 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f8c3550f-7338-4057-8db8-ae7de09786bb","9/15/2023, 3:09:15.283 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 1:10:01.782 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--587832c8-4e6c-4fc7-9db6-7dd3cb08faa4","9/15/2023, 3:09:19.155 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 1:10:05.918 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ac0c5cf6-b2a1-4189-ad12-0f267ba8b5d7","9/15/2023, 3:09:21.065 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 1:10:26.250 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3a9c3f54-4aae-4b5a-986b-d47743a03258","9/15/2023, 3:09:37.399 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 1:10:35.121 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--837c33a3-1d16-4d19-aca3-126b99ec992d","9/15/2023, 3:09:41.340 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 3:08:15.221 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--649a5bec-654d-4c18-9e2f-d79c414fc346","9/15/2023, 5:07:55.960 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 3:08:15.247 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--aa8940a4-f69b-40f3-aa7f-d7013102ee7d","9/15/2023, 5:07:57.637 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 3:08:21.225 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--385ac63c-23d0-47bb-b577-861e95ebf4a4","9/15/2023, 5:07:58.845 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 3:08:27.165 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--45169a49-d5b9-437e-96da-122ec384483d","9/15/2023, 5:08:06.694 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 3:08:35.208 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f3327724-9573-4047-9112-284aa860eff3","9/15/2023, 5:08:17.729 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 5:08:26.168 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e53d4ff5-20b7-4859-9072-fd781a49633a","9/15/2023, 7:08:10.806 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 5:08:26.599 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d35dac52-da36-4505-8e62-e2f3e74b1d34","9/15/2023, 7:08:08.325 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 5:08:40.734 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c8da906f-4d69-451f-be69-86e9fbf7c516","9/15/2023, 7:08:22.234 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 5:08:40.797 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4940f3c3-00b0-426d-a806-ba8f9659e240","9/15/2023, 7:08:22.247 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 5:08:50.981 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--382ae4c0-e370-432e-b6c9-c5f339a449cb","9/15/2023, 7:08:29.769 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 11:45:28.308 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--be6a7b75-4b58-4b00-aef8-340f72340857","9/14/2023, 11:45:14.925 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 11:45:28.324 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--060ccba8-4fbe-4e96-bb83-4e76a6965138","9/14/2023, 11:45:15.366 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 11:45:32.570 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f4cc8dce-5c07-41de-b418-85b2e37e79e3","9/14/2023, 11:45:23.632 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 11:45:38.833 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--be234f74-7d0f-4017-820c-688b1cb73341","9/14/2023, 11:45:28.573 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 11:45:39.787 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8db96f06-6359-4d6e-aaba-925a84de25ae","9/14/2023, 11:45:31.777 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 1:08:01.288 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5e27c3b6-f329-425b-8690-c1f68cb7e572","9/13/2023, 3:07:49.450 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 1:08:05.481 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--07b3b9de-ba03-47ff-aa25-5af717ac1d00","9/13/2023, 3:07:51.826 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 1:08:11.425 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--512f8871-0187-4be9-ad16-856a47a08138","9/13/2023, 3:08:07.197 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 1:08:12.403 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e6ad714e-42bf-453e-bc32-6a8d94571201","9/13/2023, 3:07:59.594 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 1:09:10.237 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a4ff9751-6c4c-41a7-a11e-54df5051ac6e","9/13/2023, 3:08:09.793 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 3:07:52.320 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bf8429dd-930c-45b6-a59d-e5f6a4b55253","9/13/2023, 5:07:44.305 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 3:07:55.410 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7bb799d8-c211-4863-9b83-7ee793eb3ab0","9/13/2023, 5:07:51.215 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 3:07:55.573 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4cbee811-dd9b-4ab5-8af6-60360c5617fd","9/13/2023, 5:07:49.597 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 3:08:11.304 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--dc34aac7-dd1e-408d-936f-5056e675c19d","9/13/2023, 5:08:02.668 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 3:08:15.891 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--36c865e9-ffde-4b7e-a8a8-79c5675585ac","9/13/2023, 5:08:09.491 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 5:07:50.357 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--dac9f2be-fc6b-4238-bf7d-25f1960b5552","9/13/2023, 7:07:46.003 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 5:07:55.814 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a6c10d71-77c1-49f1-9f5a-04dfda9c617a","9/13/2023, 7:07:49.037 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 5:07:55.990 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--18d3c1d8-411c-4a5f-a8da-373bad287b49","9/13/2023, 7:07:50.249 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 5:08:07.002 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0923776f-9be1-49dd-b7c0-fbd7a7469488","9/13/2023, 7:08:00.959 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 5:08:21.026 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--806be070-5fbb-4bbe-af78-658f0c8853cb","9/13/2023, 7:08:09.048 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 7:09:06.166 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--33cdfdd2-e32a-4fd4-b169-ac7df2224c65","9/13/2023, 9:08:30.135 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 7:09:11.621 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9e543e32-68ac-446f-9c7b-0dff944a311d","9/13/2023, 9:08:34.003 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 7:09:11.624 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--43c620fb-4173-4a24-a9b1-0c19f2e6ae30","9/13/2023, 9:08:34.174 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 7:09:20.616 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e5156a3b-994e-426c-a42c-40a25aa26ef0","9/13/2023, 9:08:48.193 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 7:09:21.515 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8e7ef9c9-18e8-4946-9a8b-118c24ee394e","9/13/2023, 9:08:58.476 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 9:08:24.915 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--53015a09-f0ee-4341-b6dc-bb14d52c6b66","9/13/2023, 11:07:49.674 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 9:08:25.180 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ca07beae-1262-450a-9c21-19f606d650a2","9/13/2023, 11:07:52.340 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 9:08:32.046 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4607f6f5-c1eb-463b-be6c-f9d21618bb03","9/13/2023, 11:08:00.984 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 9:08:35.157 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9e570e31-efe8-4189-92a8-521be7a700c0","9/13/2023, 11:08:07.727 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 9:09:24.648 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--75133179-7c98-46ce-ab52-25dab4392749","9/13/2023, 11:08:12.728 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 11:08:21.321 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--135d7ce6-67d7-4941-ae3d-de573bcac4af","9/14/2023, 1:07:47.773 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 11:08:26.021 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--381e40cc-bac3-4587-b34c-e9569a8dd0ce","9/14/2023, 1:07:51.860 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 11:08:26.147 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9541b48e-53fe-4d3c-b831-005d66c8e127","9/14/2023, 1:07:51.625 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 11:08:34.824 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1a6fe549-2e5b-4aa4-ad5b-943eabfc8b6b","9/14/2023, 1:08:01.330 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 11:09:25.382 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2b9d0059-9fe8-4499-8263-b8fbeff02f30","9/14/2023, 1:08:11.893 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 1:08:45.450 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a1e9f443-4c36-4425-95ab-bc9280555e4f","9/14/2023, 3:08:05.118 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 1:08:50.229 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2bf931d8-ee89-42bc-aac0-71ab46843a4e","9/14/2023, 3:08:09.620 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 1:08:50.611 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--105dad15-303e-4314-bf68-90846c357cdd","9/14/2023, 3:08:08.918 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 1:08:56.241 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fee484f7-baec-41b5-b16d-8caf45388f87","9/14/2023, 3:08:21.583 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 1:09:29.727 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--60eec802-5cf0-451f-bf15-37d869cd75ab","9/14/2023, 3:08:26.978 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 3:08:26.020 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a545308b-7560-4579-b5e3-b139eb85e8f7","9/14/2023, 5:07:53.767 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 3:08:26.255 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3e6cc431-9819-43fa-9de3-8bc70576f66a","9/14/2023, 5:07:50.763 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 3:08:26.593 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e5909119-8052-4d45-bc27-f08aa93d3c79","9/14/2023, 5:07:53.926 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 3:08:36.342 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--db240044-8913-4267-8a9a-9dc09c862b45","9/14/2023, 5:08:01.114 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 3:08:42.268 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e5a719ad-1948-40ff-8679-24dbf06ba57f","9/14/2023, 5:08:17.847 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 5:08:51.247 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5daa67dc-b751-4964-92e5-762ad43f7a5e","9/14/2023, 7:08:20.046 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 5:08:55.832 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c55c42e4-038d-4687-a919-a8be22a21509","9/14/2023, 7:08:23.990 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 5:08:55.845 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c4c2ddac-e081-463e-b117-8fba71839c0a","9/14/2023, 7:08:23.242 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 5:09:05.888 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6fb0173a-2e48-4634-a0b0-2f65e054b386","9/14/2023, 7:08:41.091 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 5:09:05.998 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6725e3ab-ee3f-49c0-af0e-c88fd1106313","9/14/2023, 7:08:41.606 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 7:08:25.684 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--402844a5-11cf-4905-a846-2615274df075","9/14/2023, 9:07:52.357 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 7:08:26.386 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0e95224f-8b87-4c46-8296-6719241e7b6c","9/14/2023, 9:07:55.484 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 7:08:29.906 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3dca6811-6f49-4dda-9099-30a874ae334c","9/14/2023, 9:07:56.762 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 7:08:51.899 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--515156fc-68e5-4f5c-9f28-2f6f4b57157c","9/14/2023, 9:08:08.018 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. 
Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 7:09:46.049 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4b197e88-d43d-4844-acd9-454f8533276d","9/14/2023, 9:08:12.066 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator


@ -0,0 +1,6 @@
TenantId,"TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",SourceSystem,Action,ActivityGroupNames,AdditionalInformation,ApplicationId,AzureTenantId,ConfidenceScore,Description,DiamondModel,ExternalIndicatorId,"ExpirationDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",IndicatorId,ThreatType,Active,KillChainActions,KillChainC2,KillChainDelivery,KillChainExploitation,KillChainReconnaissance,KillChainWeaponization,KnownFalsePositives,MalwareNames,PassiveOnly,ThreatSeverity,Tags,TrafficLightProtocolLevel,EmailEncoding,EmailLanguage,EmailRecipient,EmailSenderAddress,EmailSenderName,EmailSourceDomain,EmailSourceIpAddress,EmailSubject,EmailXMailer,"FileCompileDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]","FileCreatedDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",FileHashType,FileHashValue,FileMutexName,FileName,FilePacker,FilePath,FileSize,FileType,DomainName,NetworkIP,NetworkPort,NetworkDestinationAsn,NetworkDestinationCidrBlock,NetworkDestinationIP,NetworkCidrBlock,NetworkDestinationPort,NetworkProtocol,NetworkSourceAsn,NetworkSourceCidrBlock,NetworkSourceIP,NetworkSourcePort,Url,UserAgent,IndicatorProvider,Type,TenantId1,SourceSystem1,MG,ManagementGroupName,"TimeGenerated1 [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",Computer,RawData,"Action_s","Content_Type_s","Device_s","Domain_s","Response_s","Src_IPv4_s","URL_s",Type1,"_ResourceId","IP_TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]"
"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:41.547 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fc6279d4-dff0-4df3-9284-898c7fcd9c7d","9/17/2023, 11:08:10.318 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"8/30/2023, 1:03:23.582 PM"
"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:35.586 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d7129dd9-0689-4c04-ba37-d540e791ccd5","9/17/2023, 11:08:01.975 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"9/5/2023, 1:03:26.577 PM"
"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:40.989 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4a88d374-5fab-49ac-814c-ab2512d8b84d","9/17/2023, 11:08:07.936 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"8/26/2023, 1:03:23.114 PM"
"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:41.511 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--36292b9b-c990-487b-a248-2e48bd931bfb","9/17/2023, 11:08:07.372 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"9/3/2023, 1:03:25.820 PM"
"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:12:40.441 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4481d3fb-6a10-4be8-ac2b-42890a41b69a","9/17/2023, 11:08:22.480 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISAs Joint Cybersecurity Advisory About the New Truebot Variants Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"9/15/2023, 1:03:31.973 PM"
1 TenantId TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] SourceSystem Action ActivityGroupNames AdditionalInformation ApplicationId AzureTenantId ConfidenceScore Description DiamondModel ExternalIndicatorId ExpirationDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] IndicatorId ThreatType Active KillChainActions KillChainC2 KillChainDelivery KillChainExploitation KillChainReconnaissance KillChainWeaponization KnownFalsePositives MalwareNames PassiveOnly ThreatSeverity Tags TrafficLightProtocolLevel EmailEncoding EmailLanguage EmailRecipient EmailSenderAddress EmailSenderName EmailSourceDomain EmailSourceIpAddress EmailSubject EmailXMailer FileCompileDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] FileCreatedDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] FileHashType FileHashValue FileMutexName FileName FilePacker FilePath FileSize FileType DomainName NetworkIP NetworkPort NetworkDestinationAsn NetworkDestinationCidrBlock NetworkDestinationIP NetworkCidrBlock NetworkDestinationPort NetworkProtocol NetworkSourceAsn NetworkSourceCidrBlock NetworkSourceIP NetworkSourcePort Url UserAgent IndicatorProvider Type TenantId1 SourceSystem1 MG ManagementGroupName TimeGenerated1 [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna] Computer RawData Action_s Content_Type_s Device_s Domain_s Response_s Src_IPv4_s URL_s Type1 _ResourceId IP_TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]
2 f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/17/2023, 9:08:41.547 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 79 Recorded Future - URL - Recently Reported by Insikt Group indicator--fc6279d4-dff0-4df3-9284-898c7fcd9c7d 9/17/2023, 11:08:10.318 PM 222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59 malicious-activity true ["[{\"Rule\":\"Historically Reported as a Defanged URL\",\"EvidenceString\":\"36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1681284451000,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Detected Malware Distribution\",\"EvidenceString\":\"1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1680178676798,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Recently Reported by Insikt Group\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1680652800000,\"MitigationString\":\"\",\"Criticality\":3}]"] unknown https://azuredeploystore.com/cloud/services ThreatIntelligenceIndicator f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 8/30/2023, 1:03:23.582 PM GET image/x-icon Squid_Proxy azuredeploystore.com TCP_MISS/304 10.1.207.199 https://azuredeploystore.com/cloud/services Squid_Proxy_URL_CL 8/30/2023, 1:03:23.582 PM
3 f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/17/2023, 9:08:35.586 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 79 Recorded Future - URL - Recently Reported by Insikt Group indicator--d7129dd9-0689-4c04-ba37-d540e791ccd5 9/17/2023, 11:08:01.975 PM 2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8 malicious-activity true ["[{\"Rule\":\"Historically Reported as a Defanged URL\",\"EvidenceString\":\"36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1681284451000,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Detected Malware Distribution\",\"EvidenceString\":\"6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1692930527787,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Recently Reported by Insikt Group\",\"EvidenceString\":\"2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1680652800000,\"MitigationString\":\"\",\"Criticality\":3}]"] unknown https://glcloudservice.com/v1/console ThreatIntelligenceIndicator f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/5/2023, 1:03:26.577 PM GET image/jpeg Squid_Proxy glcloudservice.com TCP_MISS/304 10.1.3.187 https://glcloudservice.com/v1/console Squid_Proxy_URL_CL 9/5/2023, 1:03:26.577 PM
4 f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/17/2023, 9:08:40.989 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 73 Recorded Future - URL - Recently Reported by Insikt Group indicator--4a88d374-5fab-49ac-814c-ab2512d8b84d 9/17/2023, 11:08:07.936 PM AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3 malicious-activity true ["[{\"Rule\":\"Historically Reported as a Defanged URL\",\"EvidenceString\":\"38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1689787888000,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Detected Malware Distribution\",\"EvidenceString\":\"2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1691893608192,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Recently Reported by Insikt Group\",\"EvidenceString\":\"1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1683244800000,\"MitigationString\":\"\",\"Criticality\":3}]"] unknown http://f6.beautycam.xyz ThreatIntelligenceIndicator f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 8/26/2023, 1:03:23.114 PM GET text/javascript Squid_Proxy f6.beautycam.xyz - DIRECT TCP_MISS/304 10.1.141.80 http://f6.beautycam.xyz Squid_Proxy_URL_CL 8/26/2023, 1:03:23.114 PM
5 f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/17/2023, 9:08:41.511 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 83 Recorded Future - URL - Recently Reported by Insikt Group indicator--36292b9b-c990-487b-a248-2e48bd931bfb 9/17/2023, 11:08:07.372 PM 5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5 malicious-activity true ["[{\"Rule\":\"Historically Reported as a Defanged URL\",\"EvidenceString\":\"19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1689074563170,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Detected Malware Distribution\",\"EvidenceString\":\"3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1686096000000,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Recently Reported as a Defanged URL\",\"EvidenceString\":\"2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1694467954193,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Reported by DHS AIS\",\"EvidenceString\":\"1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1686306198000,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historical Suspected C&C URL\",\"EvidenceString\":\"1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1676103783000,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Recently Detected Malware Distribution\",\"EvidenceString\":\"1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1694440866462,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Recently Reported by DHS AIS\",\"EvidenceString\":\"2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1689937516000,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Recently Reported by Insikt Group\",\"EvidenceString\":\"1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1688947200000,\"MitigationString\":\"\",\"Criticality\":3}]"] unknown http://qweastradoc.com/gate.php ThreatIntelligenceIndicator f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/3/2023, 1:03:25.820 PM GET application/msword Squid_Proxy qweastradoc.com TCP_MISS/200 10.1.128.138 http://qweastradoc.com/gate.php Squid_Proxy_URL_CL 9/3/2023, 1:03:25.820 PM
6 f233a343-df06-4d9a-8a18-5b3eb8942c7f 9/17/2023, 9:12:40.441 PM Recorded Future alert ce7c0437-29b2-4139-8c26-0babf2d3738c 76 Recorded Future - URL - Recently Reported by Insikt Group indicator--4481d3fb-6a10-4be8-ac2b-42890a41b69a 9/17/2023, 11:08:22.480 PM ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E malicious-activity true ["[{\"Rule\":\"Historically Reported as a Defanged URL\",\"EvidenceString\":\"7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1689074563170,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historically Detected Malware Distribution\",\"EvidenceString\":\"3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1694110926208,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Historical Suspected C&C URL\",\"EvidenceString\":\"1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\",\"CriticalityLabel\":\"Unusual\",\"Timestamp\":1683351916000,\"MitigationString\":\"\",\"Criticality\":1},{\"Rule\":\"Recently Reported by DHS AIS\",\"EvidenceString\":\"2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1689937516000,\"MitigationString\":\"\",\"Criticality\":3},{\"Rule\":\"Recently Reported by Insikt Group\",\"EvidenceString\":\"1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\",\"CriticalityLabel\":\"Malicious\",\"Timestamp\":1688947200000,\"MitigationString\":\"\",\"Criticality\":3}]"] unknown https://dremmfyttrred.com/dns.php ThreatIntelligenceIndicator f233a343-df06-4d9a-8a18-5b3eb8942c7f RestAPI 9/15/2023, 1:03:31.973 PM GET text/plain Squid_Proxy dremmfyttrred.com TCP_MISS/304 10.1.150.146 https://dremmfyttrred.com/dns.php Squid_Proxy_URL_CL 9/15/2023, 1:03:31.973 PM


@ -0,0 +1 @@
[{"type": "indicator", "spec_version": "2.1", "id": "indicator--849a9eaf-1b0f-556d-ab18-7b6a1d1978f6", "created_by_ref": "identity--90a30b13-e3e2-45e1-be2b-48a8b977ecbc", "created": "2023-09-11T17:54:10.07195Z", "modified": "2023-09-11T17:54:10.07195Z", "name": "GreyNoise Internet Scanner IOC", "description": "GreyNoise Indicator", "indicator_types": ["unknown"], "pattern": "[ipv4-addr:value = '1.1.1.2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-09-11T00:00:00Z", "valid_until": "2023-09-12T17:54:03.846064Z", "confidence": 90}, {"type": "indicator", "spec_version": "2.1", "id": "indicator--20d96100-01cf-5753-8f5b-5ed2aa08f921", "created_by_ref": "identity--90a30b13-e3e2-45e1-be2b-48a8b977ecbc", "created": "2023-09-11T17:54:10.135856Z", "modified": "2023-09-11T17:54:10.135856Z", "name": "GreyNoise Internet Scanner IOC", "description": "GreyNoise Indicator", "indicator_types": ["unknown"], "pattern": "[ipv4-addr:value = '1.1.1.3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-02-24T00:00:00Z", "valid_until": "2023-09-12T17:54:03.846064Z", "confidence": 100}, {"type": "indicator", "spec_version": "2.1", "id": "indicator--3d63ab74-3949-57f7-bf40-0a7c4f149a77", "created_by_ref": "identity--90a30b13-e3e2-45e1-be2b-48a8b977ecbc", "created": "2023-09-11T17:54:10.144328Z", "modified": "2023-09-11T17:54:10.144328Z", "name": "GreyNoise Internet Scanner IOC", "description": "GreyNoise Indicator", "indicator_types": ["unknown"], "pattern": "[ipv4-addr:value = '1.1.1.4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-09-01T00:00:00Z", "valid_until": "2023-09-12T17:54:03.846064Z", "confidence": 100}, {"type": "indicator", "spec_version": "2.1", "id": "indicator--0c70e00d-e0a8-5144-8424-cd0fa3ecd5e3", "created_by_ref": "identity--90a30b13-e3e2-45e1-be2b-48a8b977ecbc", "created": "2023-09-11T17:54:10.150941Z", "modified": "2023-09-11T17:54:10.150941Z", "name": "GreyNoise Internet Scanner IOC", 
"description": "GreyNoise Indicator", "indicator_types": ["malicious"], "pattern": "[ipv4-addr:value = '1.1.1.5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-09-08T00:00:00Z", "valid_until": "2023-09-12T17:54:03.846064Z", "labels": ["Mirai"], "confidence": 100}, {"type": "indicator", "spec_version": "2.1", "id": "indicator--b8dfd523-5156-5319-9375-53add8183ea4", "created_by_ref": "identity--90a30b13-e3e2-45e1-be2b-48a8b977ecbc", "created": "2023-09-11T17:54:10.157199Z", "modified": "2023-09-11T17:54:10.157199Z", "name": "GreyNoise Internet Scanner IOC", "description": "GreyNoise Indicator", "indicator_types": ["unknown"], "pattern": "[ipv4-addr:value = '1.1.1.1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-12-23T00:00:00Z", "valid_until": "2023-09-12T17:54:03.846064Z", "labels": ["SMBv1 Crawler"], "confidence": 100}]
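Review bot: The sample STIX bundle uses 1.1.1.1 through 1.1.1.5 as its `ipv4-addr` patterns, and the fourth object marks 1.1.1.5 as `"indicator_types": ["malicious"]` with a `"Mirai"` label; 1.1.1.0/24 is publicly routed (1.1.1.1 is a well-known public resolver), so if this fixture is ever ingested into a demo or test workspace it will match legitimate DNS traffic and raise false alerts. Sample IOCs should be drawn from a documentation range such as 192.0.2.0/24 (RFC 5737), e.g. `"pattern": "[ipv4-addr:value = '192.0.2.5']"`. Every `valid_until` in the file is already in the past relative to the commit date, which is fine for a fixture but is worth stating in the accompanying README or each object's `description` so no one expects these to behave as active indicators; the `description` field currently only repeats the `name`.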


@ -1,9 +1,8 @@
id: 28b42356-45af-40a6-a0b4-a554cdfd5d8a
name: Brute force attack against Azure Portal
description: |
'Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures and by a successful authentication within a given time window.
Default Failure count is 10 and default Time Window is 20 minutes.
References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.'
description: >
Detects Azure Portal brute force attacks by monitoring for multiple authentication failures and a successful login within a 20-minute window. Default settings: 10 failures, 25 deviations.
Ref: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory
@ -13,7 +12,7 @@ requiredDataConnectors:
dataTypes:
- AADNonInteractiveUserSignInLogs
queryFrequency: 1d
queryPeriod: 1d
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
status: Available
@ -22,48 +21,64 @@ tactics:
relevantTechniques:
- T1110
query: |
let timeRange = 24h;
let failureCountThreshold = 10;
let authenticationWindow = 20m;
let aadFunc = (tableName:string){
table(tableName)
| where AppDisplayName has "Azure Portal"
| extend
DeviceDetail = todynamic(DeviceDetail),
//Status = todynamic(Status),
LocationDetails = todynamic(LocationDetails)
| extend
OS = tostring(DeviceDetail.operatingSystem),
Browser = tostring(DeviceDetail.browser),
//StatusCode = tostring(Status.errorCode),
//StatusDetails = tostring(Status.additionalDetails),
State = tostring(LocationDetails.state),
City = tostring(LocationDetails.city),
Region = tostring(LocationDetails.countryOrRegion)
// Split out failure versus non-failure types
| extend FailureOrSuccess = iff(ResultType in ("0", "50125", "50140", "70043", "70044"), "Success", "Failure")
// sort for sessionizing - by UserPrincipalName and time of the authentication outcome
| sort by UserPrincipalName asc, TimeGenerated asc
// sessionize into failure groupings until either the account changes or there is a success
| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == "Success")
// bin outcomes based on authenticationWindow
| summarize FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType, UserPrincipalName,SessionStartedUtc
// count the failures in each session
| summarize FailureCountBeforeSuccess=sumif(FailureOrSuccessCount, FailureOrSuccess == "Failure"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress,15), make_set(Browser,15), make_set(City,15), make_set(State,15), make_set(Region,15), make_set(ResultType,15) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type
// the session must not start with a success, and must end with one
| where array_index_of(list_FailureOrSuccess, "Success") != 0
| where array_index_of(list_FailureOrSuccess, "Success") == array_length(list_FailureOrSuccess) - 1
| project-away SessionStartedUtc, list_FailureOrSuccess
// where the number of failures before the success is above the threshold
| where FailureCountBeforeSuccess >= failureCountThreshold
// expand out ip for entity assignment
| mv-expand IPAddress
| extend IPAddress = tostring(IPAddress)
| extend timestamp = StartTime
};
// Set threshold value for deviation
let threshold = 25;
// Set the time range for the query
let timeRange = 24h;
// Set the authentication window duration
let authenticationWindow = 20m;
// Define a reusable function 'aadFunc' that takes a table name as input
let aadFunc = (tableName: string) {
// Query the specified table
table(tableName)
// Filter data within the last 24 hours
| where TimeGenerated > ago(1d)
// Filter records related to "Azure Portal" applications
| where AppDisplayName has "Azure Portal"
// Extract and transform some fields
| extend
DeviceDetail = todynamic(DeviceDetail),
LocationDetails = todynamic(LocationDetails)
| extend
OS = tostring(DeviceDetail.operatingSystem),
Browser = tostring(DeviceDetail.browser),
State = tostring(LocationDetails.state),
City = tostring(LocationDetails.city),
Region = tostring(LocationDetails.countryOrRegion)
// Categorize records as Success or Failure based on ResultType
| extend FailureOrSuccess = iff(ResultType in ("0", "50125", "50140", "70043", "70044"), "Success", "Failure")
// Sort and identify sessions
| sort by UserPrincipalName asc, TimeGenerated asc
| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == "Success")
// Summarize data
| summarize FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType, UserPrincipalName, SessionStartedUtc
| summarize FailureCountBeforeSuccess = sumif(FailureOrSuccessCount, FailureOrSuccess == "Failure"), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress, 15), make_set(Browser, 15), make_set(City, 15), make_set(State, 15), make_set(Region, 15), make_set(ResultType, 15) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type
// Filter records where "Success" occurs in the middle of a session
| where array_index_of(list_FailureOrSuccess, "Success") != 0
| where array_index_of(list_FailureOrSuccess, "Success") == array_length(list_FailureOrSuccess) - 1
// Remove unnecessary columns from the output
| project-away SessionStartedUtc, list_FailureOrSuccess
// Join with another table and calculate deviation
| join kind=inner (
table(tableName)
| where TimeGenerated > ago(7d)
| where AppDisplayName has "Azure Portal"
| extend FailureOrSuccess = iff(ResultType in ("0", "50125", "50140", "70043", "70044"), "Success", "Failure")
| summarize avgFailures = avg(todouble(FailureOrSuccess == "Failure")) by UserPrincipalName
) on UserPrincipalName
| extend Deviation = abs(FailureCountBeforeSuccess - avgFailures) / avgFailures
// Filter records based on deviation and failure count criteria
| where Deviation > threshold and FailureCountBeforeSuccess >= 10
// Expand the IPAddress array
| mv-expand IPAddress
| extend IPAddress = tostring(IPAddress)
| extend timestamp = StartTime
};
// Call 'aadFunc' with different table names and union the results
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union isfuzzy=true aadSignin, aadNonInt
// Additional transformation: Split UserPrincipalName
| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])
entityMappings:
- entityType: Account
@ -72,9 +87,11 @@ entityMappings:
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
- identifier: AadUserId
columnName: UserId
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPAddress
version: 2.1.1
version: 2.1.2
kind: Scheduled
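Review bot: The new baseline `summarize avgFailures = avg(todouble(FailureOrSuccess == "Failure")) by UserPrincipalName` is a per-event failure proportion between 0 and 1, while `FailureCountBeforeSuccess` is a per-session count, so `Deviation = abs(FailureCountBeforeSuccess - avgFailures) / avgFailures` compares two different units and the `threshold = 25` ratio has no clear meaning; for a user with no failures in the 7-day baseline avgFailures is 0 and the line divides by zero, and how that row is then treated by `where Deviation > threshold` depends on the engine's division semantics and should be confirmed. A baseline in the same unit, e.g. `summarize avgFailures = countif(FailureOrSuccess == "Failure") / 7.0 by UserPrincipalName` (failures per day), plus an explicit rule for a zero baseline (`iff(avgFailures == 0, real(null), ...)` or treating it as a match) would make the threshold meaningful. The failure threshold is now the literal `10` in `where Deviation > threshold and FailureCountBeforeSuccess >= 10` after the old `failureCountThreshold` variable was removed, and the inner `where TimeGenerated > ago(1d)` duplicates `timeRange`; keeping both as named `let`s keeps the "default settings" the description advertises tunable in one place. Whether `todouble()` of a boolean yields 1/0 here is also worth confirming, since the baseline depends on it.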


@ -0,0 +1,61 @@
id: e50657d7-8bca-43ff-a647-d407fae440d6
name: GreyNoise TI Map IP Entity to CommonSecurityLog
description: |
This query maps GreyNoise IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog.
severity: Medium
requiredDataConnectors:
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- connectorId: CEF
dataTypes:
- CommonSecurityLog
- connectorId: GreyNoise2SentinelAPI
dataTypes:
- ThreatIntelligenceIndicator
queryFrequency: 4h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Impact
query: |
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let dt_lookBack = 1h; // Look back 1 hour for CommonSecurityLog events
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to IP addresses
let IP_Indicators = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| where SourceSystem == 'GreyNoise'
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
// Perform a join between IP indicators and CommonSecurityLog events
IP_Indicators
// Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
| join kind=innerunique (
CommonSecurityLog
| where TimeGenerated >= ago(dt_lookBack)
| extend MessageIP = extract(IPRegex, 0, Message)
| extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)
| extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)
| extend CommonSecurityLog_TimeGenerated = TimeGenerated
)
on $left.TI_ipEntity == $right.CS_ipEntity
// Filter out logs that occurred after the expiration of the corresponding indicator
| where CommonSecurityLog_TimeGenerated < ExpirationDateTime
// Group the results by IndicatorId and CS_ipEntity, and keep the log entry with the latest timestamp
| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity
// Select the desired output fields
| project timestamp = CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction, Type
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: CS_ipEntity
version: 1.0.0
kind: Scheduled
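Review bot: `queryFrequency: 4h` combined with `let dt_lookBack = 1h;` leaves three of every four hours of CommonSecurityLog uninspected, because each run only joins events newer than `ago(dt_lookBack)`; the sibling GreyNoise rules in this commit run hourly over a 1h window, so either `queryFrequency: 1h` or `let dt_lookBack = 4h; // must cover queryFrequency` closes the gap. The `IPRegex` pattern accepts any dotted quad (octets are not range-checked) and `extract(IPRegex, 0, Message)` uses only the first one in the message, which is fine as a match key but deserves a comment such as `// first dotted-quad in Message; octets are not range-checked`. The tactic `Impact` also seems a poor fit for GreyNoise internet-scanner indicators (the STIX sample on this page names them "GreyNoise Internet Scanner IOC"); `Reconnaissance` or `Discovery` would describe mass scanning more accurately, and the same applies to the DnsEvents, OfficeActivity, SigninLogs and ASIM Network Session rules that follow.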


@ -0,0 +1,74 @@
id: ddf47b6f-870c-5712-a296-1383acb13c82
name: GreyNoise TI Map IP Entity to DnsEvents
version: 1.0.0
kind: Scheduled
description: |
This query maps any IP indicators of compromise (IOCs) from GreyNoise Threat Intelligence (TI), by searching for matches in DnsEvents.
severity: Medium
requiredDataConnectors:
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceTaxii
dataTypes:
- ThreatIntelligenceIndicator
- connectorId: DNS
dataTypes:
- DnsEvents
- connectorId: GreyNoise2SentinelAPI
dataTypes:
- ThreatIntelligenceIndicator
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Impact
query: |
let dt_lookBack = 1h; // Look back 1 hour for DNS events
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to IP addresses
let IP_Indicators = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| where SourceSystem == 'GreyNoise'
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
// Perform a join between IP indicators and DNS events
IP_Indicators
// Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
| join kind=innerunique (
DnsEvents
| where TimeGenerated >= ago(dt_lookBack)
| where SubType =~ "LookupQuery" and isnotempty(IPAddresses)
| mv-expand SingleIP = split(IPAddresses, ", ") to typeof(string)
| extend DNS_TimeGenerated = TimeGenerated
)
on $left.TI_ipEntity == $right.SingleIP
// Filter out DNS events that occurred after the expiration of the corresponding indicator
| where DNS_TimeGenerated < ExpirationDateTime
// Group the results by IndicatorId and SingleIP, and keep the DNS event with the latest timestamp
| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId, SingleIP
// Select the desired output fields
| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,
TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type
| extend timestamp = DNS_TimeGenerated, HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIP
- entityType: URL
fieldMappings:
- identifier: Url
columnName: Url
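Review bot: The IP entity mapped to `columnName: ClientIP` is the DNS client that issued the lookup, not the address that matched the indicator, and the matched `SingleIP` is dropped by the preceding `project`, so the alert's IP entity points at an internal host while the indicator address survives only as `TI_ipEntity`. The OfficeActivity rule in this commit maps `columnName: TI_ipEntity`; for consistency either map Address to `TI_ipEntity` here, or add `SingleIP` to the project list and map it, keeping ClientIP as a second IP entity if the querying host is wanted too. `DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))` yields an empty string for an unqualified Computer name, which is presumably acceptable but worth a one-line comment.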


@ -0,0 +1,78 @@
id: c51628fe-999c-5150-9fd7-660fc4f58ed2
name: GreyNoise TI map IP entity to OfficeActivity
version: 1.0.0
kind: Scheduled
description: |
This query maps any GreyNoise IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity.
severity: Medium
requiredDataConnectors:
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceTaxii
dataTypes:
- ThreatIntelligenceIndicator
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- connectorId: Office365
dataTypes:
- OfficeActivity
- connectorId: GreyNoise2SentinelAPI
dataTypes:
- ThreatIntelligenceIndicator
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Impact
query: |
let dt_lookBack = 1h; // Look back 1 hour for OfficeActivity events
let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to IP addresses
let IP_Indicators = ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| where SourceSystem == 'GreyNoise'
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
// Perform a join between IP indicators and OfficeActivity events
IP_Indicators
// Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
| join kind=innerunique (
OfficeActivity
| where TimeGenerated >= ago(dt_lookBack)
| where isnotempty(ClientIP)
| extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]%]+)(%\d+)?\]?([-:](?P<Port>\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0]
| extend IPAddress = iff(array_length(ClientIPValues) > 0, tostring(ClientIPValues[0]), '')
| extend OfficeActivity_TimeGenerated = TimeGenerated
)
on $left.TI_ipEntity == $right.IPAddress
// Filter out OfficeActivity events that occurred after the expiration of the corresponding indicator
| where OfficeActivity_TimeGenerated < ExpirationDateTime
// Group the results by IndicatorId and keep the OfficeActivity event with the latest timestamp
| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId
// Select the desired output fields
| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,
TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type
| extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(UserId, '@', 0)[0]), UPNSuffix = tostring(split(UserId, '@', 1)[0])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: TI_ipEntity
- entityType: URL
fieldMappings:
- identifier: Url
columnName: Url
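Review bot: `summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId` collapses every account reached from the same GreyNoise IP within the hour into one row, so only the most recent `UserId` becomes an Account entity and the other affected accounts are never surfaced; the DnsEvents rule in this commit groups by the matched IP as well, and `by IndicatorId, UserId` would keep one row per account here. The `extract_all` pattern applied to ClientIP strips `[...]`, `::ffff:` and `:port` decorations before the join, which is not obvious from the line; a comment such as `// normalise ClientIP: drop [..], ::ffff: and :port before matching` would document it.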


@ -0,0 +1,82 @@
id: f6c76cc9-218c-5b76-9b82-8607f09ea1b4
name: GreyNoise TI Map IP Entity to SigninLogs
version: 1.0.0
kind: Scheduled
description: |
'This query maps any GreyNoise IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs.'
severity: Medium
requiredDataConnectors:
- connectorId: ThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceTaxii
dataTypes:
- ThreatIntelligenceIndicator
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: AzureActiveDirectory
dataTypes:
- AADNonInteractiveUserSignInLogs
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- connectorId: GreyNoise2SentinelAPI
dataTypes:
- ThreatIntelligenceIndicator
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Impact
query: |
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let aadFunc = (tableName:string){
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| where SourceSystem == 'GreyNoise'
// Picking up only IOC's that contain the entities we want
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.
// Taking the first non-empty value based on potential IOC match availability
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
| join kind=innerunique (
table(tableName) | where TimeGenerated >= ago(dt_lookBack)
| extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)
| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)
| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)
// renaming time column so it is clear the log this came from
| extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type
)
on $left.TI_ipEntity == $right.IPAddress
| where SigninLogs_TimeGenerated < ExpirationDateTime
| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress
| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,
TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type
| extend timestamp = SigninLogs_TimeGenerated, Name = tostring(split(UserPrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])
};
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union isfuzzy=true aadSignin, aadNonInt
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPAddress
- entityType: URL
fieldMappings:
- identifier: Url
columnName: Url
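Review bot: The `AzureActiveDirectory` connector appears twice under requiredDataConnectors with one dataType each; a single entry whose `dataTypes` lists both `SigninLogs` and `AADNonInteractiveUserSignInLogs` is the form the other connector entries on this page use. Unlike the CommonSecurityLog, DnsEvents and OfficeActivity rules in this commit, the indicator pipeline inside `aadFunc` has no private/loopback/link-local exclusion, so an indicator on a private address would match internal sign-in IPs; if that is deliberate a comment should say so, otherwise the same `| where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."` line belongs after the TI_ipEntity extends. `| extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type` carries a no-op `Type = Type` that can be dropped.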


@ -0,0 +1,126 @@
id: 536e8e5c-ce0e-575e-bcc9-aba8e7bf9316
name: GreyNoise TI map IP entity to Network Session Events (ASIM Network Session schema)
version: 1.0.0
kind: Scheduled
description: |
'This rule identifies a match Network Sessions for which the source or destination IP address is a known GreyNoise IoC. <br><br>
This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: AWSS3
dataTypes:
- AWSVPCFlow
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceNetworkEvents
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsForwardedEvents
dataTypes:
- WindowsEvent
- connectorId: Zscaler
dataTypes:
- CommonSecurityLog
- connectorId: MicrosoftSysmonForLinux
dataTypes:
- Syslog
- connectorId: PaloAltoNetworks
dataTypes:
- CommonSecurityLog
- connectorId: AzureMonitor(VMInsights)
dataTypes:
- VMConnection
- connectorId: AzureFirewall
dataTypes:
- AzureDiagnostics
- connectorId: AzureNSG
dataTypes:
- AzureDiagnostics
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog
- connectorId: Corelight
dataTypes:
- Corelight_CL
- connectorId: AIVectraStream
dataTypes:
- VectraStream
- connectorId: CheckPoint
dataTypes:
- CommonSecurityLog
- connectorId: Fortinet
dataTypes:
- CommonSecurityLog
- connectorId: MicrosoftDefenderThreatIntelligence
dataTypes:
- ThreatIntelligenceIndicator
- connectorId: CiscoMeraki
dataTypes:
- Syslog
- CiscoMerakiNativePoller
- connectorId: GreyNoise2SentinelAPI
dataTypes:
- ThreatIntelligenceIndicator
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Impact
query: |
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let IP_TI = materialize (
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| where SourceSystem == 'GreyNoise'
| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,"NO_IP")
| where TI_ipEntity != "NO_IP"
);
IP_TI
// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated
| join kind=innerunique
(
_Im_NetworkSession (starttime=ago(dt_lookBack))
| where isnotempty(SrcIpAddr)
| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated) by SrcIpAddr, DstIpAddr, Dvc, EventProduct, EventVendor
| lookup (IP_TI | project TI_ipEntity, Active) on $left.SrcIpAddr == $right.TI_ipEntity
| project-rename SrcMatch = Active
| lookup (IP_TI | project TI_ipEntity, Active) on $left.DstIpAddr == $right.TI_ipEntity
| project-rename DstMatch = Active
| where SrcMatch or DstMatch
| extend
IoCIP = iff(SrcMatch, SrcIpAddr, DstIpAddr),
IoCDirection = iff(SrcMatch, "Source", "Destination")
)on $left.TI_ipEntity == $right.IoCIP
| where imNWS_mintime < ExpirationDateTime
| project imNWS_mintime, imNWS_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SrcIpAddr, DstIpAddr, IoCDirection, IoCIP, Dvc, EventVendor, EventProduct
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IoCIP
customDetails:
EventStartTime: imNWS_mintime
EventEndTime: imNWS_maxtime
IoCDescription: Description
ActivityGroupNames: ActivityGroupNames
IndicatorId: IndicatorId
ThreatType: ThreatType
IoCExpirationTime: ExpirationDateTime
IoCConfidenceScore: ConfidenceScore
IoCIPDirection: IoCDirection
alertDetailsOverride:
alertDisplayNameFormat: A network session {{IoCDirection}} address {{IoCIP}} matched an IoC.
alertDescriptionFormat: The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.
tags:
- Schema: ASIMNetworkSession
SchemaVersion: 0.2.4
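Review bot: `alertDescriptionFormat` reads "Consult the threat intelligence blead", which should be `feed`; this text is shown to analysts in every alert the rule raises. `SrcMatch` and `DstMatch` are the `Active` column brought in by the two `lookup`s, and because the materialized `IP_TI` already filtered `Active == true` they are only ever true or null, so `where SrcMatch or DstMatch` relies on null-or-true evaluating to true; a comment like `// lookup is left-outer: Active is true on a hit, null otherwise` would make that explicit. When both ends of a session match, `IoCIP = iff(SrcMatch, SrcIpAddr, DstIpAddr)` reports it once with `IoCDirection = "Source"`, which is presumably acceptable but worth noting next to the extend.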

Solutions/GreyNoiseThreatIntelligence/Data Connectors/.gitignore поставляемый Normal file

@ -0,0 +1,135 @@
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
# C extensions
*.so
# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
pip-wheel-metadata/
share/python-wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST
# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec
# Installer logs
pip-log.txt
pip-delete-this-directory.txt
# Unit test / coverage reports
htmlcov/
.tox/
.nox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
.hypothesis/
.pytest_cache/
# Translations
*.mo
*.pot
# Django stuff:
*.log
local_settings.py
db.sqlite3
# Flask stuff:
instance/
.webassets-cache
# Scrapy stuff:
.scrapy
# Sphinx documentation
docs/_build/
# PyBuilder
target/
# Jupyter Notebook
.ipynb_checkpoints
# IPython
profile_default/
ipython_config.py
# pyenv
.python-version
# pipenv
# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
# However, in case of collaboration, if having platform-specific dependencies or dependencies
# having no cross-platform support, pipenv may install dependencies that dont work, or not
# install all needed dependencies.
#Pipfile.lock
# celery beat schedule file
celerybeat-schedule
# SageMath parsed files
*.sage.py
# Environments
.env
.venv
env/
venv/
ENV/
env.bak/
venv.bak/
# Spyder project settings
.spyderproject
.spyproject
# Rope project settings
.ropeproject
# mkdocs documentation
/site
# mypy
.mypy_cache/
.dmypy.json
dmypy.json
# Pyre type checker
.pyre/
# Azure Functions artifacts
bin
obj
appsettings.json
local.settings.json
# Azurite artifacts
__blobstorage__
__queuestorage__
__azurite_db*__.json
.python_packages



@ -0,0 +1,11 @@
{
"scriptFile": "main.py",
"bindings": [
{
"name": "mytimer",
"type": "timerTrigger",
"direction": "in",
"schedule": "0 0 0 */0 * *"
}
]
}
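Review bot: `"schedule": "0 0 0 */0 * *"` uses a step of zero in the day-of-month field, which is not a valid NCRONTAB step (a `*/n` step must be at least 1), so the timer trigger is presumably rejected when the function app loads and the indicator sync would never run; confirm with a local run. If a daily midnight run is intended the expression is `"schedule": "0 0 0 * * *"`. The intended cadence is not documented on this page, and it should line up with the indicator `valid_until` window the STIX sample above shows (about one day), otherwise indicators expire between runs.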


@ -0,0 +1,407 @@
import datetime
import json
import logging
import os
import sys
import time
from collections import namedtuple
import azure.functions as func
import msal
import requests
from greynoise import GreyNoise
from requests.adapters import HTTPAdapter
from requests_ratelimiter import LimiterSession
from urllib3.util import Retry
from .stixGen import GreyNoiseStixGenerator
REQUIRED_ENVIRONMENT_VARIABLES = [
"GREYNOISE_KEY",
"GREYNOISE_LIMIT",
"CLIENT_ID",
"CLIENT_SECRET",
"TENANT_ID",
"WORKSPACE_ID",
]
GreyNoiseSetup = namedtuple("GreyNoiseSetup", ["api_key", "query", "tries", "size"])
MSALSetup = namedtuple("MSALSetup", ["tenant_id", "client_id", "client_secret", "workspace_id"])
class GreuNoiseSentinelUpdater(object):
"""Simple wrapper class to handle consuming IPs"""
def __init__(self, greynoise_setup: GreyNoiseSetup,
msal_setup: MSALSetup):
super(GreuNoiseSentinelUpdater, self).__init__()
self.greynoise_query = greynoise_setup.query
self.greynoise_size = greynoise_setup.size
self.greynoise_tries = greynoise_setup.tries
self.msal_tenant_id = msal_setup.tenant_id
self.msal_client_id = msal_setup.client_id
self.msal_client_secret = msal_setup.client_secret
self.msal_workspace_id = msal_setup.workspace_id
# Setup RateLimiter and Retry Adapter
self.limiter_session = LimiterSession(
per_minute=90,
limit_statuses=[429, 503],
)
retry_strategy = Retry(
total=3,
backoff_factor=1,
status_forcelist=[429, 503],
allowed_methods={'POST'},
)
self.limiter_session.mount("https://", HTTPAdapter(max_retries=retry_strategy))
# Setup GreyNoise Session
self.session = GreyNoise(
api_key=greynoise_setup.api_key,
integration_name="azuresentinel-consumer-v1.0",
)
self.gn_stix_generator = GreyNoiseStixGenerator()
def get_token(self):
"""Gets an access token to access office service.
Args:
tenant_id (str): the tenant id
client_id (str): the client id
client_secret (str): the secret id for the client
Returns:
A token access key.
"""
logging.info("Getting token for tenant: {0}".format(self.msal_tenant_id))
try:
context = msal.ConfidentialClientApplication(self.msal_client_id,
authority='https://login.microsofto'
'nline.com/' + self.msal_tenant_id,
client_credential=self.msal_client_secret)
token, token_ttl = self.acquire_token(context)
# Set expiry of MSAL token to 55 minutes to avoid token expiry during upload
msal_token_expiry = datetime.datetime.now() + datetime.timedelta(seconds=token_ttl - 300)
return token, msal_token_expiry
except requests.exceptions.RequestException as e:
logging.info("Error getting token for tenant: {0}".format(self.msal_tenant_id))
raise e
def acquire_token(self, context):
"""Gets an access token to access ms graph TI Upload service.
Args:
context: the authentication context
Returns:
A token access key.
"""
scope = "https://management.azure.com/.default"
try:
result = context.acquire_token_silent([scope],
account=None)
if not result:
result = context.acquire_token_for_client(scopes=[
scope])
if 'access_token' in result:
bearer_token = result['access_token']
token_expiry_seconds = result['expires_in']
return bearer_token, token_expiry_seconds
else:
error_code = result.get("error")
error_message = result.get("error_description")
logging.info("Error acquiring token for tenant with code: {0}".format(error_code))
logging.info(error_message)
raise ValueError(error_message)
except requests.exceptions.RequestException as e:
logging.info("Error acquiring token for tenant.")
raise e
def upload_indicators_to_sentinel(self, token: str, indicators: list):
"""Uploads a list of indicators to Azure Sentinel Threat Intelligence
Endpoint Docs: # https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api#request-body
API Limits are 100 indicators per request and 100 requests per minute.
Args:
token (str): the access token
indicators (list): the list of indicators to upload
Returns:
A response object."""
status_retry = 0
url = "https://sentinelus.azure-api.net/{0}/threatintelligence:upload-indicators".format(self.msal_workspace_id)
headers = {
'Content-Type': 'application/json',
'Authorization': 'Bearer {0}'.format(token)
}
params = {
'api-version': '2022-07-01'
}
payload = {
'SourceSystem': 'GreyNoise',
'Value': indicators
}
try:
response = self.limiter_session.request("POST", url,
headers=headers,
params=params,
json=payload,
timeout=5,
)
response.raise_for_status()
except requests.HTTPError as e:
status_retry += 1
if e.response.status_code == (429 or 503):
logging.error("HTTP: " + int(e.response.status_code))
if status_retry > 3:
logging.error("Too many upload indicators API retries, exiting.")
sys.exit(1)
sleep_for = int(e.response.message.split()[7]) + 5 if e.response.message else 60
logging.info("API Rate limit exceeded (HTTP 429) or Server Error (HTTP 503), waiting {0} seconds...".format(sleep_for))
time.sleep(sleep_for)
logging.info("Retrying upload...")
self.upload_indicators_to_sentinel(token, indicators)
elif e.response.status_code == 401:
logging.error("HTTP: " + int(e.response.status_code))
logging.error('Did you add the Azure Sentinel Contributor role to your service principal?')
logging.error('More info here: https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api#acquire-an-access-token')
logging.error(e.response.text)
elif e.response.status_code:
logging.error("HTTP: " + int(e.response.status_code))
logging.error(e.response.text)
logging.error('Cannot upload indicators to Azure Sentinel, exiting.')
sys.exit(1)
# Check for submission errors
if response.json().get('errors') != []:
logging.warning('Nonfatal error in submitting indicator. While a field failed, \n' \
'the rest of the indicator failed and we can continue.')
logging.warning('Error: ' + json.loads(response.json()).get('error'))
return response.json()
def chunks(self, l: list, chunk_size: int):
"""Yield successive n-sized chunks from list."""
for i in range(0, len(l), chunk_size):
yield l[i:i + chunk_size]
def consume_ips(self):
logging.info(
"Starting consumption of GreyNoise indicators with query %s"
% (self.greynoise_query)
)
total_addresses = 0 # counter for total IPs consumed
payload_size = None # total IPs available from query
tries = int(self.greynoise_tries)
scroll = "" # scroll token for pagination
complete = False
# MS Graph TI Upload API limits are 100 indicators per request and 100 requests per minute.
# Get MSAL token
token, msal_expiry_time = self.get_token()
if token:
logging.info("MSAL token obtained")
while not complete:
if datetime.datetime.now() > msal_expiry_time:
logging.info("MSAL token expiring soon, getting new token")
token, msal_expiry_time = self.get_token()
if token:
logging.info("MSAL token obtained")
try:
if self.greynoise_size != 0 and self.greynoise_size<= 2000:
payload = self.session.query(
query=self.greynoise_query,
size=self.greynoise_size,
scroll=scroll,
)
else:
payload = self.session.query(
query=self.greynoise_query,
scroll=scroll,
size=2000
)
# this protects from bad / invalid queries
# and exits out before proceeding
if payload["count"] == 0:
logging.info("GreyNoise Query return no results, exiting")
sys.exit(1)
# Capture the total number of indicators available
elif payload["count"] and payload_size is None:
payload_size = int(payload["count"])
logging.info("Total Indicators found: %s results" % payload_size)
# Loop to generate STIX objects and upload to Sentinel
stix_objects = []
counter = 0
chunk_size = 100 # MS Graph TI Upload API limits are 100 indicators per request and 100 requests per minute.
for batch in self.chunks(payload["data"], chunk_size):
for gn_object in batch:
stix_object = self.gn_stix_generator.generate_indicator(gn_object)
expected_chunk_size = len(batch)
stix_objects.append(stix_object)
counter += 1
if counter == expected_chunk_size:
# send batch to sentinel
self.upload_indicators_to_sentinel(token, stix_objects)
# reset counter and stix_objects
counter = 0
stix_objects = []
# logging.info("Sent 100 GreyNoise indicators to Sentinel" )
# the scroll is for pagination but does not always exist because
# we have consumed all the IPs
scroll = payload.get("scroll")
complete = payload["complete"]
addresses = len(payload["data"])
total_addresses += addresses
logging.info(
"Sent %s GreyNoise indicators to Sentinel for a total of %s addresses"
% (addresses, total_addresses)
)
# this is a hacky workaround to deal with an edge case on the API where if
# you limit the results on a query, the complete flag doesn't flip to
# true correctly
if (
self.greynoise_size == 0
# and self.greynoise_size < int(payload["count"]) # noqa: W503
and total_addresses >= payload_size # noqa: W503
):
break
elif (
self.greynoise_size != 0
and self.greynoise_size < int(payload["count"]) # noqa: W503
and self.greynoise_size <= total_addresses # noqa: W503
):
break
except Exception as reqErr:
logging.error("Uploading IPs failed: %s" % str(reqErr))
if tries != 0:
tries -= 1
logging.error("Trying again in 10 seconds using same scroll...")
time.sleep(10)
else:
logging.error(
"Exiting program. Max tries met. With time str%s and last scroll: %s"
% (str(time), scroll)
)
sys.exit(3)
logging.info(
"Ingest process completed. Inserted %s Indicators into Microsoft Sentinel Threat Intelligence."
% total_addresses
)
def checkEnvironmentVariables(env):
# the following checks will ensure required environment variables are set
# and any others will have some type of defaulting
unset_environment_variables = []
for env_var in REQUIRED_ENVIRONMENT_VARIABLES:
if not env.get(env_var, False):
unset_environment_variables.append(env_var)
if unset_environment_variables:
logging.error(
"The following required environment variables are unset: %s"
% str(unset_environment_variables)
)
sys.exit(2)
def build_query_string(env):
classifications = env.get("GREYNOISE_CLASSIFICATIONS", "malicious")
logging.info("Building query string for %s" % classifications)
# a user can accidentally set the environment to an empty string
if len(classifications) == 0:
return '(classification:malicious)'
classifications = classifications.split(",")
length_of_classifications = len(classifications)
classification_string = "("
for item in classifications:
length_of_classifications -= 1
classification_string += "classification:" + item
if length_of_classifications > 0:
classification_string += " OR "
classification_string += ")"
return classification_string
def main(mytimer: func.TimerRequest) -> None:
utc_timestamp = datetime.datetime.utcnow().replace(
tzinfo=datetime.timezone.utc).isoformat()
if mytimer.past_due:
logging.info('The timer is past due!')
env = os.environ.copy()
checkEnvironmentVariables(env)
# SET VARS
query_time = "1"
size = int(env.get("GREYNOISE_LIMIT", 0))
# our classifications are formatted for greynoise
classifications = build_query_string(env)
# obtain our query for greynoise
try:
query_time = int(query_time)
if query_time > 90 or query_time < 1:
logging.error("Time input is not a valid integer between 1 and 90")
sys.exit(1)
else:
if query_time == 1:
logging.info("Using default query time of 1 day")
else:
logging.info("Using custom query time of %s day(s)" % str(query_time))
query_time = "last_seen:%sd" % query_time
except ValueError:
logging.error("Input for time is not valid")
sys.exit(1)
# build our query
query = classifications + " " + query_time
if size != "":
logging.info("Querying GreyNoise API")
try:
size = int(size)
if size == 0:
logging.info("No size limit provided, returning all indicators available")
elif size <= 1:
logging.info("Limiting results to %s" % str(size))
except ValueError:
logging.error("Input for size is not valid")
sys.exit(1)
else:
size = 0
logging.info("No size limited provided, returning all indicators available")
# set up everything required to pass into the updater
greynoise_setup = GreyNoiseSetup(
env.get("GREYNOISE_KEY"), query, env.get("GREYNOISE_MAX_TRIES", 3), size
)
msal_setup = MSALSetup(
env.get("TENANT_ID"), env.get("CLIENT_ID"), env.get("CLIENT_SECRET"), env.get("WORKSPACE_ID")
)
g = GreuNoiseSentinelUpdater(greynoise_setup, msal_setup)
g.consume_ips()
logging.info('Python timer trigger function ran at %s', utc_timestamp)


@ -0,0 +1,11 @@
# TimerTrigger - Python
The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule. This sample demonstrates a simple use case of calling your function every 5 minutes.
## How it works
For a `TimerTrigger` to work, you provide a schedule in the form of a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression)(See the link for full details). A cron expression is a string with 6 separate expressions which represent a given schedule via patterns. The pattern we use to represent every 5 minutes is `0 */5 * * * *`. This, in plain text, means: "When seconds is equal to 0, minutes is divisible by 5, for any hour, day of the month, month, day of the week, or year".
## Learn more
<TODO> Documentation


@ -0,0 +1,49 @@
import datetime
import json
import uuid
from stix2 import Indicator
# https://stix2.readthedocs.io/en/latest/guide/custom.html#ID-Contributing-Properties-for-Custom-Cyber-Observables
# OASIS recommended Namespace for UUIDs
NAMESPACE_UUID = uuid.UUID('00abedb4-aa42-466c-9c01-fed23315a9b7')
class GreyNoiseStixGenerator:
def __init__(self):
self.stix_version = "2.1"
self.pattern_type = "stix"
self.name = "GreyNoise Internet Scanner IOC"
self.valid_until = (datetime.datetime.utcnow() + datetime.timedelta(hours=24)).isoformat() + "Z"
self.created_by_ref = "identity--90a30b13-e3e2-45e1-be2b-48a8b977ecbc"
self.namespace_uuid = NAMESPACE_UUID
@staticmethod
def generate_id_for_ioc_value(ioc_value: str) -> str:
"""Generate a stix 2.1 id for an IOC value."""
ioc_uuid = str(uuid.uuid5(namespace=NAMESPACE_UUID, name=ioc_value.lower()))
return f'indicator--{ioc_uuid}'
def generate_indicator(self, gnIndicator: dict):
# Set confidence to 90 if spoofable, 100 if not
if gnIndicator.get('spoofable') == True and gnIndicator.get('classification') != "benign":
confidence = 90
else:
confidence = 100
indicator = Indicator(
id=self.generate_id_for_ioc_value(gnIndicator.get('ip')),
type="indicator",
spec_version=self.stix_version,
name=self.name,
description="GreyNoise Indicator",
indicator_types=[gnIndicator.get('classification')],
pattern="[ipv4-addr:value = '{}']".format(gnIndicator.get('ip')),
pattern_type=self.pattern_type,
valid_from=datetime.datetime.strptime(gnIndicator.get('first_seen'), "%Y-%m-%d").isoformat()+'Z',
valid_until=self.valid_until,
created_by_ref=self.created_by_ref,
labels=gnIndicator.get('tags'),
confidence=confidence,
)
# Convert to dict from Stix Incident Object
return json.loads(indicator.serialize())
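Review bot: The IP is dropped straight into the STIX pattern at `pattern="[ipv4-addr:value = '{}']".format(gnIndicator.get('ip'))` without any check, so a record with a missing or non-IPv4 `ip` either yields the literal observable `'None'` or an invalid pattern, and stix2's own pattern validation (if it runs) will not say which record caused it. Validate before formatting, e.g. `addr = ipaddress.ip_address(gnIndicator['ip'])` followed by `if addr.version != 4: raise ValueError(f"non-IPv4 indicator: {addr}")` (needs `import ipaddress`), and likewise guard `first_seen`, since `strptime(None, "%Y-%m-%d")` fails with a bare TypeError. Separately, `valid_until` is computed once in `__init__`, so every indicator produced by one generator instance carries the same expiry fixed at construction time rather than at generation time; if that is intended it deserves a comment such as `# one shared 24h expiry per run; refreshed only when a new generator is created`.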


@ -0,0 +1,133 @@
{
"id": "GreyNoise2SentinelAPI",
"title": "GreyNoise Threat Intelligence (Using Azure Functions)",
"publisher": "GreyNoise, Inc. and BlueCycle LLC",
"descriptionMarkdown": "This Data Connector installs an Azure Function app to download GreyNoise indicators once per day and inserts them into the ThreatIntelligenceIndicator table in Microsoft Sentinel.",
"graphQueries": [
{
"metricName": "Total indicators received",
"legend": "Connection Events",
"baseQuery": "ThreatIntelligenceIndicator | where SourceSystem == 'GreyNoise'"
}
],
"sampleQueries": [
{
"description": "All Threat Intelligence APIs Indicators",
"query": "ThreatIntelligenceIndicator | where SourceSystem == 'GreyNoise'| sort by TimeGenerated desc"
}
],
"dataTypes": [
{
"name": "ThreatIntelligenceIndicator",
"lastDataReceivedQuery": "ThreatIntelligenceIndicator| where isnotempty(TimeGenerated) and SourceSystem == 'GreyNoise' | summarize Time = max(TimeGenerated)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"ThreatIntelligenceIndicator| where SourceSystem == 'GreyNoise' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.SecurityInsights/threatintelligence/write",
"permissionsDisplayText": "write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
}
],"customs": [
{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "GreyNoise API Key",
"description": "Retreive your GreyNoise API Key [here](https://viz.greynoise.io/account/api-key)."
}
]
},
"instructionSteps": [
{
"title": "You can connect GreyNoise Threat Intelligence to Microsoft Sentinel by following the below steps: ",
"description": "\n> The following steps create an Azure AAD application, retrieves a GreyNoise API key, and saves the values in an Azure Function App Configuration."
},
{
"title": "1. Retrieve API Key from GreyNoise Portal.",
"description": "Generate an API key from GreyNoise Portal https://docs.greynoise.io/docs/using-the-greynoise-api"
},
{
"title": "2. In your Azure AD tenant, create an Azure Active Directory (AAD) application and acquire Tenant ID, Client ID and (note: hold off generating a Client Secret until Step 5).Also get the Log Analytics Workspace ID associated with your Microsoft Sentinel instance should be below.",
"description": "Follow the instructions here to create your Azure AAD app and save your Client ID and Tenant ID: https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-upload-api#instructions\n NOTE: Wait until step 5 to generate your client secret.",
"instructions":[
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
}
]
},
{
"title": "3. Assign the AAD application the Microsoft Sentinel Contributor Role.",
"description": "Follow the instructions here to add the Microsoft Sentinel Contributor Role: https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-upload-api#assign-a-role-to-the-application"
},
{
"title": "4. Specify the AAD permissions to enable MS Graph API access to the upload-indicators API.",
"description": "Follow this section here to add **'ThreatIndicators.ReadWrite.OwnedBy'** permission to the AAD App: https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-tip#specify-the-permissions-required-by-the-application. \n Back in your AAD App, ensure you grant admin consent for the permissions you just added. \n Finally, in the 'Tokens and APIs' section, generate a client secret and save it. You will need it in Step 6. "
},{
"title": "5. Deploy the Threat Intellegence (Preview) Solution which includes the Threat Intelligence Upload Indicators API (Preview)",
"description": "See Microsoft Sentinel Content Hub for this Solution, and install it this Microsoft Sentinel instance."
},
{
"title": "6. Deploy the Azure Function",
"description": "Click the Deploy to Azure button.\n\n [![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-GreyNoise-azuredeploy)\n\n Fill in the appropriate values for each parameter. **Be aware** that the only valid values for the **GREYNOISE_CLASSIFICATIONS** parameter are **malicious** and/or **unknown**, which must be comma separated. Do not bring in **<i>benign</i>**, as this will bring in millions of IPs which are known good and will likely cause many unwanted alerts."
},
{
"title": "7. Send indicators to Sentinel",
"description": "The function app installed in Step 6 queries the GreyNoise GNQL API once per day, and submits each indicator found in STIX 2.1 format to the [Microsoft Upload Threat Intelligence Indicators API](https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api). \n Each indicator expires in ~24 hours from creation unless it's found on the next day's query, in which case the TI Indicator's **Valid Until** time is extended for another 24 hours, which keeps it active in Microsoft Sentinel. \n\n For more information on the GreyNoise API and the GreyNoise Query Language (GNQL) [click here](https://developer.greynoise.io/docs/using-the-greynoise-api)."
}
],
"metadata": {
"id": "27dc60cc-758b-566e-93ce-932560a6ff81",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "solution",
"name": "GreyNoise Intelligence Solution for Microsoft Sentinel"
},
"author": {
"name": "Blue Cycle LLC | GreyNoise, Inc."
},
"support": {
"tier": "developer",
"name": "Support Team",
"email": "support@greynoise.io",
"link":"https://www.greynoise.io/contact/sales"
}
}
}
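Review bot: Step 4 tells the installer to grant the Microsoft Graph application permission `ThreatIndicators.ReadWrite.OwnedBy` and admin-consent it, but nothing in this solution calls Graph: the function app in this commit requests a token for `https://management.azure.com/.default` and posts to the Upload Indicators API, which is authorized by the Microsoft Sentinel Contributor role assignment from Step 3, so the Graph permission only leaves the app registration over-privileged. I would drop that sentence from Step 4 and keep just the client-secret instruction (the portal section is, as far as I know, "Certificates & secrets" rather than "Tokens and APIs"); Step 2 also says to wait until Step 5 to generate the secret while Step 4 is where it is generated. The `requiredPermissions` blocks declare `"delete": true` for both providers although the connector only writes indicators; if delete is not actually exercised, `"delete": false` keeps the stated permission set minimal. Minor: `Retreive` and `Threat Intellegence` are typos.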


@ -30,7 +30,7 @@
},
"GREYNOISE_CLASSIFICATIONS": {
"type": "string",
"defaultValue": "malicious,unknown"
"defaultValue": "malicious"
}
},
"variables": {
@ -91,16 +91,17 @@
"name": "[variables('FunctionName')]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Y1",
"tier": "Dynamic"
"name": "EP2",
"tier": "ElasticPremium",
"family": "EP"
},
"kind": "functionapp,linux",
"kind": "elastic",
"properties": {
"name": "[variables('FunctionName')]",
"workerSize": "0",
"workerSizeId": "0",
"numberOfWorkers": "1",
"targetWorkerCount": 1,
"targetWorkerSizeId": 3,
"reserved": true,
"maximumElasticWorkerCount": 20,
"siteConfig": {
"linuxFxVersion": "Python|3.10"
}
@ -192,7 +193,8 @@
"CLIENT_ID": "[parameters('CLIENT_ID')]",
"CLIENT_SECRET": "[parameters('CLIENT_SECRET')]",
"GREYNOISE_CLASSIFICATIONS": "[parameters('GREYNOISE_CLASSIFICATIONS')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://github.com/Azure/Azure-Sentinel/raw/db458a54839b084eac0e70bbe6e2a41f34f37e2b/Solutions/GreyNoiseThreatIntelligence/Data%20Connectors/GreyNoiseAPISentinelConn.zip"
"GREYNOISE_LIMIT": "0",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-GreyNoise-functionapp"
}
}
]
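Review bot: `WEBSITE_RUN_FROM_PACKAGE` now points at the mutable short link `https://aka.ms/sentinel-GreyNoise-functionapp` instead of the previous commit-pinned raw.githubusercontent URL, so the function host downloads and executes whatever that redirect resolves to on each start, with no hash or signature check; whoever can retarget the link or replace the zip behind it gets code execution in every customer tenant holding the `CLIENT_SECRET` that carries Sentinel Contributor. The short link is presumably Microsoft-managed, which narrows who can change it, but the deployment is no longer reproducible or auditable against the repository. Prefer an immutable URL (commit SHA or a versioned release asset) or a storage blob the template controls, and record the artifact's SHA-256 in the release notes. Separately, `"CLIENT_SECRET": "[parameters('CLIENT_SECRET')]"` lands in plain app settings readable by anyone with Contributor on the site; a Key Vault reference such as `"CLIENT_SECRET": "@Microsoft.KeyVault(SecretUri=...)"` resolved through the app's managed identity keeps the secret out of the deployment history and the app-settings blade.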


@ -0,0 +1,16 @@
{
"version": "2.0",
"functionTimeout": "02:00:00",
"logging": {
"applicationInsights": {
"samplingSettings": {
"isEnabled": true,
"excludedTypes": "Request"
}
}
},
"extensionBundle": {
"id": "Microsoft.Azure.Functions.ExtensionBundle",
"version": "[3.*, 4.0.0)"
}
}


@ -0,0 +1,13 @@
# DO NOT include azure-functions-worker in this file
# The Python Worker is managed by Azure Functions platform
# Manually managing azure-functions-worker may cause unexpected issues
# from ./Data Connectors folder
# pip install -r requirements.txt --target .python_packages/lib/site-packages/
azure-functions
certifi>=2022.12.07
greynoise==2.0.1
msal==1.23.0
stix2>=3.0.1
requests-ratelimiter>=0.4.0
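Review bot: Only `greynoise==2.0.1` and `msal==1.23.0` are pinned; `azure-functions`, `certifi>=2022.12.07`, `stix2>=3.0.1` and `requests-ratelimiter>=0.4.0` are open-ended, so two builds of the shipped function zip can contain different third-party code and a compromised or broken release of any of them flows straight into customer tenants. `requests` is imported directly by the function code in this commit but is not declared here, so it arrives only as a transitive dependency whose version nobody controls. Pin every direct dependency (add `requests==<version>`) and, since the artifact is distributed rather than rebuilt by the user, generate this file with `pip-compile --generate-hashes` so the packaging step can install with `--require-hashes`.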


@ -0,0 +1,33 @@
{
"Name": "GreyNoiseThreatIntelligence",
"Author": "JP Bourget jp@bluecycle.net",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/greynoise_logomark_black.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [GreyNoise Threat Intelligence](https://www.greynoise.io/) solution for Microsoft Sentinel provides context to IP addresses seen in your environment by querying the GreyNoise API.<br><br>GreyNoise collects, analyzes, and labels data on IPs that scan the internet and saturate security tools with noise. We provides near real time, actionable threat intelligence from our proprietary network of over 3,100 sensors running worldwide. This unique perspective helps analysts spend less time on irrelevant or harmless activity, and more time on targeted and emerging threats. \n Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GreyNoiseThreatIntelligence/ReleaseNotes.md)\r \n [Learn More about GreyNoise Threat Intelligence](https://www.greynoise.io/) | [GreyNoise Docs](https://docs.greynoise.io)",
"WorkbookDescription": [],
"Workbooks": ["Solutions/GreyNoiseThreatIntelligence/Workbooks/GreyNoiseOverview.json"],
"WorkbookBladeDescription": "",
"AnalyticalRuleBladeDescription": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view.",
"HuntingQueryBladeDescription": "",
"PlaybooksBladeDescription": "",
"Analytic Rules": [
"Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_DnsEvents.yaml",
"Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_CustomSecurityLog.yaml",
"Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_imNetworkSession.yaml",
"Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_OfficeActivity.yaml",
"Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_SigninLogs.yaml"
],
"Playbooks": [],
"PlaybookDescription": [],
"Parsers": [],
"SavedSearches": [],
"Hunting Queries": [],
"Data Connectors": ["Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseConnector_UploadIndicatorsAPI.json"],
"Watchlists": [],
"WatchlistDescription": [],
"BasePath": "/Users/punkrokk/repos/azureSentinelDev/Azure-Sentinel",
"Version": "3.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
}
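Review bot: `"BasePath": "/Users/punkrokk/repos/azureSentinelDev/Azure-Sentinel"` is a developer's local home-directory path and leaks a username into the public repository; it also will not resolve for anyone else running the packaging tool. Other solution metadata files in this repository appear to use the field the same way, so this may be a tooling convention, but a repository-relative value or an obvious placeholder avoids the disclosure. Minor wording in `Description`: `We provides` should read `We provide`.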

Двоичные данные
Solutions/GreyNoiseThreatIntelligence/Package/3.0.0.zip Normal file



@ -0,0 +1,225 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/greynoise_logomark_black.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/GreyNoiseThreatIntelligence/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [GreyNoise Threat Intelligence](https://www.greynoise.io/) solution for Microsoft Sentinel provides context to IP addresses seen in your environment by querying the GreyNoise API.<br><br>GreyNoise collects, analyzes, and labels data on IPs that scan the internet and saturate security tools with noise. We provides near real time, actionable threat intelligence from our proprietary network of over 3,100 sensors running worldwide. This unique perspective helps analysts spend less time on irrelevant or harmless activity, and more time on targeted and emerging threats. \n Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GreyNoiseThreatIntelligence/ReleaseNotes.md)\r \n [Learn More about GreyNoise Threat Intelligence](https://www.greynoise.io/) | [GreyNoise Docs](https://docs.greynoise.io)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for GreyNoiseThreatIntelligence. You can get GreyNoiseThreatIntelligence custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
}
},
{
"name": "workbooks-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "GreyNoise Intelligence Threat Indicators",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This workbook provides visualization of GreyNoise Intelligence threat indicators which are ingested in the Microsoft Sentinel Threat intelligence."
}
}
]
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
}
},
{
"name": "analytics-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "GreyNoise TI Map IP Entity to DnsEvents",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query maps any IP indicators of compromise (IOCs) from GreyNoise Threat Intelligence (TI), by searching for matches in DnsEvents."
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "GreyNoise TI Map IP Entity to CommonSecurityLog",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query maps GreyNoise IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog."
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "GreyNoise TI map IP entity to Network Session Events (ASIM Network Session schema)",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This rule identifies a match Network Sessions for which the source or destination IP address is a known GreyNoise IoC. <br><br>\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema"
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "GreyNoise TI map IP entity to OfficeActivity",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query maps any GreyNoise IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity."
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "GreyNoise TI Map IP Entity to SigninLogs",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query maps any GreyNoise IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs."
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}
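Review bot: The text under `dataconnectors1-text` says the solution delivers "GreyNoiseThreatIntelligence custom log data", but the connector in this commit writes STIX indicators into the `ThreatIntelligenceIndicator` table, not a custom log; I would change it to `"text": "This Solution installs the GreyNoise data connector, which ingests GreyNoise IP indicators into the ThreatIntelligenceIndicator table of your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."`. The `resourceProviders` list registers `Microsoft.Logic/workflows` although the solution metadata in this commit ships no playbooks, so installers are asked for a provider the solution never uses; dropping it keeps the requested footprint minimal. Also note that the workspace filter `contains(toLower(filter.id), toLower(resourceGroup().name))` is a substring match on the workspace resource id, so a resource group named `rg` also lists workspaces from `rg-prod`; this looks like repository boilerplate, but it explains unexpected dropdown entries.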



@ -0,0 +1,3 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
| 3.0.0 | 09-21-2023 | Initial Version Release |


@ -0,0 +1,17 @@
{
"publisherId": "greynoiseintelligenceinc1681236078693",
"offerId": "microsoft-sentinel-byol-greynoise",
"firstPublishDate": "2023-09-05",
"lastPublishDate": "2023-09-05",
"providers": ["GreyNoise Intelligence, Inc."],
"categories": {
"domains" : ["Security - Threat Intelligence"],
"verticals": []
},
"support": {
"name": "GreyNoise",
"email": "support@greynoise.io",
"tier": "Partner",
"link": "https://www.greynoise.io/contact/general"
}
}


@ -0,0 +1,566 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "a4b4e975-fa7c-46a3-b669-850aacc88134",
"version": "KqlParameterItem/1.0",
"name": "Help",
"label": "Guide",
"type": 10,
"isRequired": true,
"typeSettings": {
"showDefault": false
},
"jsonData": "[\r\n {\"value\": \"Yes\", \"label\": \"Yes\", \"selected\":true},\r\n {\"value\": \"No\", \"label\": \"No\"}\r\n]"
},
{
"version": "KqlParameterItem/1.0",
"name": "DefaultSubscription_Internal",
"type": 1,
"isRequired": true,
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId",
"crossComponentResources": [
"value::selected"
],
"isHiddenWhenLocked": true,
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"id": "314d02bf-4691-43fa-af59-d67073c8b8fa"
},
{
"id": "e6ded9a1-a83c-4762-938d-5bf8ff3d3d38",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "summarize by subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)",
"crossComponentResources": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": [
"value::all"
]
},
{
"id": "e3225ed0-6210-40a1-b2d0-66e42ffa71d6",
"version": "KqlParameterItem/1.0",
"name": "Workspace",
"type": 5,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| order by name asc\r\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\r\n| mvexpand All limit 100\r\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)",
"crossComponentResources": [
"{Subscription}"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
],
"showDefault": false
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": [
"value::all"
]
},
{
"id": "15b2c181-7397-43c1-900a-28e175ae8a6f",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 604800000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 604800000
}
],
"allowCustom": true
},
"timeContextFromParameter": "TimeRange"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Parameter Selectors"
},
{
"type": 1,
"content": {
"json": "# [GreyNoise Threat Intelligence](https://www.greynoise.io/)\n---\nGreyNoise collects, analyzes, and labels data on IPs that scan the internet and saturate security tools with noise. We provides near real time, actionable threat intelligence from our proprietary network of over 3,100 sensors running worldwide. This unique perspective helps analysts spend less time on irrelevant or harmless activity, and more time on targeted and emerging threats.<br>\n\nTired of dealing with brute force attempts, web crawlers, and other scanners filling up your logs and trying to break into your infrastructure? With GreyNoises Malicious, Benign and Unknown Indicators, you can prevent noisy scanners from hitting your perimeter, effectively shutting them out, and giving yourself time to patch when there is an emerging exploit. Find out more at https://www.greynoise.io/solutions/maximize-soc-efficiency\n"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"customWidth": "79",
"name": "Workbook Overview"
},
{
"type": 1,
"content": {
"json": "![Image Name](https://raw.githubusercontent.com/Azure/Azure-Sentinel/111713a2f762af4196d8ca4794b4f689bc95af73/Logos/greynoise_logomark_black.svg) "
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"customWidth": "20",
"name": "GreyNoise Logo"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "18c690d7-7cbd-46c1-b677-1f72692d40cd",
"cellValue": "TAB",
"linkTarget": "parameter",
"linkLabel": "Indicators Ingestion",
"subTarget": "Indicators",
"preText": "Alert rules",
"style": "link"
},
{
"id": "f88dcf47-af98-4684-9de3-1ee5f48f68fc",
"cellValue": "TAB",
"linkTarget": "parameter",
"linkLabel": "Indicators Search",
"subTarget": "Observed",
"style": "link"
}
]
},
"name": "Tabs link"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ThreatIntelligenceIndicator\r\n| where SourceSystem == 'GreyNoise'\r\n// Select all indicators from the table\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 24h)\r\n| order by CountOfIndicators desc \r\n| render barchart kind=stacked ",
"size": 0,
"showAnalytics": true,
"title": "Total GreyNoise Indicators Imported into Sentinel by Date",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "50",
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ThreatIntelligenceIndicator\r\n| where SourceSystem == 'GreyNoise'\r\n// Select all indicators from the table\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select all indicators from the table\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by translate(\"[]\\\"\", \"\", Tags) \r\n| render barchart kind=stacked",
"size": 0,
"showAnalytics": true,
"title": "Active GreyNoise Indicators Imported into Sentinel by Tag",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "50",
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked",
"size": 0,
"showAnalytics": true,
"title": "Active Indicators by Indicator Type",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "50",
"name": "query - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ThreatIntelligenceIndicator\r\n| where SourceSystem == 'GreyNoise'\r\n// Select all indicators from the table\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by ThreatType\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked",
"size": 0,
"showAnalytics": true,
"title": "Active GreyNoise Indicators by Classification",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "50",
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\r\n| order by CountOfIndicators desc \r\n| render piechart",
"size": 0,
"showAnalytics": true,
"title": "Active Indicators by Confidence Score",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "50",
"name": "query - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let DomainQuery=view() { \r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(DomainName)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"DomainEntry\"\r\n};\r\nlet UrlQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(Url)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"UrlEntry\"\r\n};\r\nlet FileHashQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(FileHashValue)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"FileHashEntry\"\r\n};\r\nlet IPQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"IPEntry\"\r\n};\r\nlet EmailAddressQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSenderAddress)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailAddressEntry\"\r\n};\r\nlet EmailMessageQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSubject)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by 
EmailSubject\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailMessageEntry\"\r\n};\r\nlet SingleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))==1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1 \r\n};\r\nlet MultipleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))!=1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1\r\n};\r\nlet CountOfActiveIndicatorsBySource=view(){\r\n ThreatIntelligenceIndicator\r\n\t| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n | where ExpirationDateTime > now() and Active == true\r\n | summarize count() by SourceSystem\r\n | project SourceSystem, count_\r\n};\r\nSingleSourceIndicators\r\n| join kind=fullouter MultipleSourceIndicators on counter \r\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \r\n| order by SourceSystemArray\r\n| extend solitary_count=sum_count_\r\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\r\n| extend total_count = shared_count + solitary_count\r\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\r\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\r\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\r\n| order by unique_percentage desc\r\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\r\n\r\n",
"size": 0,
"showAnalytics": true,
"title": "Uniqueness of Threat Intelligence Sources",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Source",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "Default",
"thresholdValue": "",
"representation": "View",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "ActiveIndicators",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
}
],
"filter": true
}
},
"customWidth": "50",
"name": "query - 12"
}
]
},
"conditionalVisibility": {
"parameterName": "TAB",
"comparison": "isEqualTo",
"value": "Indicators"
},
"name": "Indicators Ingestion"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "9aec751b-07bd-43ba-80b9-f711887dce45",
"version": "KqlParameterItem/1.0",
"name": "Indicator",
"label": "Search Indicator in Events",
"type": 1,
"value": "",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "50",
"name": "Threat Research Parameters"
},
{
"type": 1,
"content": {
"json": ""
},
"customWidth": "50",
"name": "text - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Add additional lines for desired data columns\r\nunion withsource= Table_Name *\r\n| where SourceSystem == \"GreyNoise\"\r\n| where column_ifexists('CallerIpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('DestinationIP', '') has \"{Indicator}\"\r\nor column_ifexists('IpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('IPAddresses', '') has \"{Indicator}\"\r\nor column_ifexists('IPAddress', '') has \"{Indicator}\"\r\nor column_ifexists('RemoteIP', '') has \"{Indicator}\"\r\nor column_ifexists('SourceIP', '') has \"{Indicator}\"\r\nor column_ifexists('SrcIpAddr', '') has \"{Indicator}\"\r\nor column_ifexists('DstIpAddr', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkSourceIP', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkIP', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkDestinationIP', '') has \"{Indicator}\"\r\nor column_ifexists('EmailSourceIpAddress', '') has \"{Indicator}\"\r\n| summarize count() by Table_Name \r\n| project-rename ['Data Table']=Table_Name, ['Logs Count']=count_\r\n| sort by ['Logs Count'] desc",
"size": 0,
"showAnalytics": true,
"title": "Indicators Observed",
"noDataMessage": "No indicators observed within these thresholds",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Type",
"exportParameterName": "Type",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Data Table",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "Default",
"thresholdValue": "",
"representation": "Log",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Logs Count",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
}
],
"filter": true
}
},
"customWidth": "50",
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "//Add additional lines for desired data columns\r\nunion withsource= Table_Name *\r\n| where SourceSystem == \"GreyNoise\"\r\n| where column_ifexists('CallerIpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('DestinationIP', '') has \"{Indicator}\"\r\nor column_ifexists('IpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('IPAddresses', '') has \"{Indicator}\"\r\nor column_ifexists('IPAddress', '') has \"{Indicator}\"\r\nor column_ifexists('RemoteIP', '') has \"{Indicator}\"\r\nor column_ifexists('SourceIP', '') has \"{Indicator}\"\r\nor column_ifexists('SrcIpAddr', '') has \"{Indicator}\"\r\nor column_ifexists('DstIpAddr', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkSourceIP', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkIP', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkDestinationIP', '') has \"{Indicator}\"\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Type\r\n| render areachart",
"size": 0,
"showAnalytics": true,
"title": "Indicators Observed over Time",
"noDataMessage": "No indicators observed within these thresholds",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Data Table",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "Default",
"thresholdValue": "",
"representation": "Log",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Logs Count",
"formatter": 4,
"formatOptions": {
"palette": "redBright"
}
}
],
"filter": true
}
},
"customWidth": "50",
"name": "query - 4 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let tiObservables = ThreatIntelligenceIndicator\r\n | where SourceSystem == \"GreyNoise\"\r\n | where TimeGenerated < now()\r\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\r\nlet alertEntity = SecurityAlert \r\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\r\n | mvexpand(Entities)\r\n | extend entity = iif(isnotempty(Entities.Address), Entities.Address,\r\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \".\", Entities.DnsDomain),\r\n iif(isnotempty(Entities.Url), Entities.Url,\r\n iif(isnotempty(Entities.Value), Entities.Value,\r\n iif(Entities.Type == \"account\", strcat(Entities.Name,\"@\",Entities.UPNSuffix),\"\")))))\r\n | where isnotempty(entity) \r\n | project entity, SystemAlertId, AlertTime;\r\nlet IncidentAlerts = SecurityIncident\r\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\r\n | mv-expand AlertIds\r\n | project IncidentTime, IncidentNumber, Title, tostring(AlertIds);\r\nlet AlertsWithTiObservables = alertEntity\r\n | join kind=inner tiObservables on $left.entity == $right.Indicator;\r\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\r\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\r\nIncidentsWithAlertsWithTiObservables\r\n| where Indicator contains '{Indicator}' or Indicator == \"*\"\r\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\r\n| sort by Incidents, Alerts desc",
"size": 0,
"showAnalytics": true,
"title": "Threat Intelligence Alerts",
"noDataMessage": "No indicators observed within these thresholds",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "ThreatType",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "==",
"thresholdValue": "Botnet",
"representation": "Command and Control",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "MaliciousUrl",
"representation": "Initial_Access",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Malware",
"representation": "Execution",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Phishing",
"representation": "Exfiltration",
"text": "{0}{1}"
},
{
"operator": "Default",
"thresholdValue": "",
"representation": "Pre attack",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Source",
"formatter": 18,
"formatOptions": {
"thresholdsOptions": "icons",
"thresholdsGrid": [
{
"operator": "Default",
"thresholdValue": "",
"representation": "success",
"text": "{0}{1}"
}
]
}
},
{
"columnMatch": "Incidents",
"formatter": 4,
"formatOptions": {
"palette": "redBright"
}
},
{
"columnMatch": "Alerts",
"formatter": 4,
"formatOptions": {
"palette": "orange"
}
}
],
"filter": true
}
},
"name": "query - 5"
}
]
},
"conditionalVisibility": {
"parameterName": "TAB",
"comparison": "isEqualTo",
"value": "Observed"
},
"name": "Indicators Observed"
}
],
"styleSettings": {},
"fromTemplateId": "sentinel-GreyNoiseOverview",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}


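--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_svg_logo
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 26.5.0, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
+<svg version="1.1" id="3453cf71-5cae-4ed6-ab04-ab40fe4fd029" xmlns="http://www.w3.org/2000/svg" x="0px" y="0px"
+viewBox="0 0 720 720" xml:space="preserve">
+<style type="text/css">
+.st0{fill:none;stroke:#000000;stroke-width:7;stroke-miterlimit:10;}
+</style>
+<g>
+<path d="M390.3,602.9c-133.9,0-242.9-108.9-242.9-242.9c0-16.6,1.7-32.8,4.9-48.4l-11.8-2.4c-3.3,16.5-5,33.5-5,50.8
+c0,68.1,26.5,132.1,74.6,180.2c48.1,48.1,112.1,74.6,180.2,74.6c9.3,0,18.5-0.5,27.6-1.5l-1.3-11.9
+C408,602.4,399.2,602.9,390.3,602.9"/>
+<path class="st0" d="M390.3,602.9c-133.9,0-242.9-108.9-242.9-242.9c0-16.6,1.7-32.8,4.9-48.4l-11.8-2.4c-3.3,16.5-5,33.5-5,50.8
+c0,68.1,26.5,132.1,74.6,180.2c48.1,48.1,112.1,74.6,180.2,74.6c9.3,0,18.5-0.5,27.6-1.5l-1.3-11.9
+C408,602.4,399.2,602.9,390.3,602.9z"/>
+<path d="M390.3,117.1c31,0,60.6,5.8,87.9,16.5l4.4-11.3c-29-11.3-60.2-17.1-92.3-17.1c-67.2,0-130.5,25.9-178.4,72.9l8.5,8.6
+C264.2,143.7,324.2,117.1,390.3,117.1"/>
+<path class="st0" d="M390.3,117.1c31,0,60.6,5.8,87.9,16.5l4.4-11.3c-29-11.3-60.2-17.1-92.3-17.1c-67.2,0-130.5,25.9-178.4,72.9
+l8.5,8.6C264.2,143.7,324.2,117.1,390.3,117.1z"/>
+<path d="M390.3,158.1c37.6,0,72.8,10.4,103,28.3l6.1-10.3c-32-19.1-69.3-30-109.2-30c-111.5,0-203.3,85.8-213,194.8l12,1.1
+C198.4,239.1,285,158.1,390.3,158.1"/>
+<path class="st0" d="M390.3,158.1c37.6,0,72.8,10.4,103,28.3l6.1-10.3c-32-19.1-69.3-30-109.2-30c-111.5,0-203.3,85.8-213,194.8
+l12,1.1C198.4,239.1,285,158.1,390.3,158.1z"/>
+<path d="M390.3,561.9c-100.4,0-183.9-73.7-199.3-169.8l-11.8,1.9c16.3,101.8,104.8,179.9,211.1,179.9c33.2,0,64.7-7.6,92.8-21.2
+l-5.2-10.8C451.4,554.7,421.7,561.9,390.3,561.9"/>
+<path class="st0" d="M390.3,561.9c-100.4,0-183.9-73.7-199.3-169.8l-11.8,1.9c16.3,101.8,104.8,179.9,211.1,179.9
+c33.2,0,64.7-7.6,92.8-21.2l-5.2-10.8C451.4,554.7,421.7,561.9,390.3,561.9z"/>
+<path d="M551,366.8c-3.6,85.5-74.3,154-160.7,154c-22.7,0-44.3-4.7-63.8-13.2l-4.8,11c21,9.1,44.2,14.2,68.6,14.2
+c93,0,169.1-73.9,172.7-166H551z"/>
+<path class="st0" d="M551,366.8c-3.6,85.5-74.3,154-160.7,154c-22.7,0-44.3-4.7-63.8-13.2l-4.8,11c21,9.1,44.2,14.2,68.6,14.2
+c93,0,169.1-73.9,172.7-166H551z"/>
+<path d="M390.3,199.1v-12c-95.3,0-172.9,77.5-172.9,172.9c0,25.6,5.6,49.9,15.6,71.7l10.9-5c-9.3-20.3-14.5-42.9-14.5-66.7
+C229.4,271.3,301.6,199.1,390.3,199.1"/>
+<path class="st0" d="M390.3,199.1v-12c-95.3,0-172.9,77.5-172.9,172.9c0,25.6,5.6,49.9,15.6,71.7l10.9-5
+c-9.3-20.3-14.5-42.9-14.5-66.7C229.4,271.3,301.6,199.1,390.3,199.1z"/>
+<path d="M390.3,240.1c38.6,0,73,18.4,95,46.8H500c-23.7-35.4-64-58.8-109.7-58.8c-72.7,0-131.9,59.2-131.9,131.9
+s59.2,131.9,131.9,131.9c70.4,0,128.1-55.5,131.7-125h-6.5h-5.5h-77.6v12h76.4c-9.1,57.2-58.7,101-118.4,101
+c-66.1,0-119.9-53.8-119.9-119.9C270.4,293.9,324.2,240.1,390.3,240.1"/>
+<path class="st0" d="M390.3,240.1c38.6,0,73,18.4,95,46.8H500c-23.7-35.4-64-58.8-109.7-58.8c-72.7,0-131.9,59.2-131.9,131.9
+s59.2,131.9,131.9,131.9c70.4,0,128.1-55.5,131.7-125h-6.5h-5.5h-77.6v12h76.4c-9.1,57.2-58.7,101-118.4,101
+c-66.1,0-119.9-53.8-119.9-119.9C270.4,293.9,324.2,240.1,390.3,240.1z"/>
+</g>
+</svg>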



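--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_HYASProtect_connector_json
@@ -0,0 +1,119 @@
+{
+"id": "HYASProtect",
+"title": "HYAS Protect",
+"publisher": "HYAS",
+"descriptionMarkdown": "HYAS Protect provide logs based on reputation values - Blocked, Malicious, Permitted, Suspicious.",
+"graphQueries": [
+{
+"metricName": "Total logs received",
+"legend": "HYASProtectDnsSecurityLogs",
+"baseQuery": "HYASProtectDnsSecurityLogs_CL"
+}
+],
+"sampleQueries": [
+{
+"description": "All Logs",
+"query": "HYASProtectDnsSecurityLogs_CL"
+}
+],
+"dataTypes": [
+{
+"name": "HYASProtectDnsSecurityLogs_CL",
+"lastDataReceivedQuery": "HYASProtectDnsSecurityLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+}
+],
+"connectivityCriterias": [
+{
+"type": "IsConnectedQuery",
+"value": [
+"HYASProtectDnsSecurityLogs_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+]
+}
+],
+"availability": {
+"status": 1,
+"isPreview": false
+},
+"permissions": {
+"resourceProvider": [
+{
+"provider": "Microsoft.OperationalInsights/workspaces",
+"permissionsDisplayText": "read and write permissions on the workspace are required.",
+"providerDisplayName": "Workspace",
+"scope": "Workspace",
+"requiredPermissions": {
+"write": true,
+"read": true,
+"delete": true
+}
+},
+{
+"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+"providerDisplayName": "Keys",
+"scope": "Workspace",
+"requiredPermissions": {
+"action": true
+}
+}
+],
+"customs": [
+{
+"name": "Microsoft.Web/sites permissions",
+"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
+},
+{
+"name": "REST API Credentials/permissions",
+"description": "**HYAS API Key** is required for making API calls."
+}
+]
+},
+"instructionSteps": [
+{
+"title": "",
+"description": ">**NOTE:** This connector uses Azure Functions to connect to the HYAS API to pull Logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details."
+},
+{
+"title": "",
+"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
+},
+{
+"instructions": [
+{
+"parameters": {
+"fillWith": [
+"WorkspaceId"
+],
+"label": "Workspace ID"
+},
+"type": "CopyableLabel"
+},
+{
+"parameters": {
+"fillWith": [
+"PrimaryKey"
+],
+"label": "Primary Key"
+},
+"type": "CopyableLabel"
+}
+]
+},
+{
+"title": "Option 1 - Azure Resource Manager (ARM) Template",
+"description": "Use this method for automated deployment of the HYAS Protect data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-HYAS Protect-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Function Name**, **Table Name**, **Workspace ID**, **Workspace Key**, **API Key**, **TimeInterval**, **FetchBlockedDomains**, **FetchMaliciousDomains**, **FetchSuspiciousDomains**, **FetchPermittedDomains** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
+},
+{
+"title": "Option 2 - Manual Deployment of Azure Functions",
+"description": "Use the following step-by-step instructions to deploy the HYAS Protect Logs data connector manually with Azure Functions (Deployment via Visual Studio Code)."
+},
+{
+"title": "",
+"description": "**1. Deploy a Function App**\n\n> NOTE:You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-HYAS Protect-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. HyasProtectLogsXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
+},
+{
+"title": "",
+"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAPIKey\n\t\tPolling\n\t\tWorkspaceID\n\t\tWorkspaceKey\n. Once all application settings have been entered, click **Save**."
+}
+]
+}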
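Review bot: The last instruction step (`**2. Configure the Function App**`) tells the user to create the application settings `APIKey`, `Polling`, `WorkspaceID` and `WorkspaceKey` and stresses that the names are case-sensitive, but the function code added further down in this commit reads `ApiKey`, `WorkspaceID`, `WorkspaceKey`, `AzureWebJobsStorage`, `TableName` and the four `FetchBlockedDomains`/`FetchSuspiciousDomains`/`FetchMaliciousDomains`/`FetchPermittedDomains` flags, so a user who follows this text deploys a Function App with no API key and no table name. The list in that description should be replaced by the names the code actually reads, and the dangling `\n. Once all application settings have been entered` should become a numbered step `4.`; the ARM step 3 already lists the right inputs and the two steps should agree. The two download/deploy links `https://aka.ms/sentinel-HYAS Protect-azuredeploy` and `https://aka.ms/sentinel-HYAS Protect-functionapp` contain a space inside the path and will not resolve as written; presumably the registered alias has no space, which should be confirmed against the published one. Since `ApiKey` and `WorkspaceKey` are credentials, the optional Key Vault step would be more useful if it named those two settings explicitly as the ones to move into Key Vault references rather than leaving them as plain application settings.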

Двоичные данные
Solutions/HYAS Protect/Data Connectors/HyasProtect.zip Normal file



@ -0,0 +1,236 @@
import logging
import requests
from datetime import datetime, timedelta, timezone
from json import dumps
from os import environ
import azure.functions as func
from .state_manager import StateManager
from .utils import save_to_sentinel
customer_id = environ.get("WorkspaceID")
shared_key = environ.get("WorkspaceKey")
connection_string = environ.get("AzureWebJobsStorage")
fetch_blocked_domains = environ.get("FetchBlockedDomains")
fetch_suspicious_domains = environ.get("FetchSuspiciousDomains")
fetch_malicious_domains = environ.get("FetchMaliciousDomains")
fetch_permitted_domains = environ.get("FetchPermittedDomains")
hyas_api_key = environ.get("ApiKey")
table_name = environ.get("TableName")
log_analytics_uri = (
f"https://{customer_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
)
state = StateManager(connection_string)
LAST_X_DAYS = 0
PAGE_SIZE = 1000
OUTPUT_DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
INPUT_DATE_FORMAT = "%Y-%m-%d %H:%M:%S"
HYAS_URL = "https://api.hyas.com/dns-log-report/v2/logs"
def get_from_and_to_date(date_format=INPUT_DATE_FORMAT):
"""
Returns the 'from' and 'to' dates as formatted strings based on the given date_format.
Args:
date_format (str): Optional. The format string for the output dates. Default is INPUT_DATE_FORMAT.
Returns:
tuple: A tuple containing the 'from' and 'to' dates as formatted strings.
"""
current_date_time = datetime.utcnow().replace(second=0, microsecond=0)
last_run_date_time = state.get()
logging.debug(last_run_date_time)
if last_run_date_time is not None:
from_date_time = datetime.strptime(last_run_date_time, date_format)
else:
from_date_time = current_date_time - timedelta(days=LAST_X_DAYS)
return format(from_date_time, date_format), format(current_date_time, date_format)
def call_hyas_protect_api():
"""
Calls the HYAS Protect API to fetch logs based on specified filters and saves them to Sentinel.
Returns:
None
"""
if (
fetch_blocked_domains == "No"
and fetch_suspicious_domains == "No"
and fetch_malicious_domains == "No"
and fetch_permitted_domains == "No"
):
logging.info("All fetch domains variables are set to 'No'. Returning None.")
return
(
from_datetime,
to_datetime,
) = get_from_and_to_date() # "2023-03-22 10:50:00", "2023-06-20 10:50:00"
from_date = datetime.strptime(from_datetime, INPUT_DATE_FORMAT).strftime(
OUTPUT_DATE_FORMAT
)
to_date = datetime.strptime(to_datetime, INPUT_DATE_FORMAT).strftime(
OUTPUT_DATE_FORMAT
)
applied_filters = [
{
"id": "datetime",
"isRange": True,
"rangeValue": {
"start": from_date,
"end": to_date,
"timeType": "range",
},
}
]
if fetch_blocked_domains == "Yes":
applied_filters.append({"id": "reputation", "value": "blocked"})
if fetch_suspicious_domains == "Yes":
applied_filters.append({"id": "reputation", "value": "suspicious"})
if fetch_malicious_domains == "Yes":
applied_filters.append({"id": "reputation", "value": "malicious"})
if fetch_permitted_domains == "Yes":
applied_filters.append({"id": "reputation", "value": "permitted"})
data = {"applied_filters": applied_filters}
total_count, page_size, page_number, records_fetched = 1, PAGE_SIZE, 0, 0
while records_fetched < total_count:
# Prepare the paging parameters
data["paging"] = {
"order": "desc",
"page_number": page_number,
"page_size": page_size,
"page_type": "standard",
"sort": "datetime",
}
# Make the API call
response = requests.post(
HYAS_URL,
headers={"Content-Type": "application/json", "X-API-Key": hyas_api_key},
data=dumps(data),
)
if response.status_code in range(200, 299):
result = response.json()
logs = result["logs"]
records_fetched += len(logs)
page_number += 1
total_count = result["total_count"]
sentinel_logs = [hyas_dict(log) for log in logs]
sentinel_resp = save_to_sentinel(
log_analytics_uri,
customer_id,
shared_key,
dumps(sentinel_logs),
table_name,
)
if sentinel_resp in range(200, 299):
logging.info(
f"HYAS Protect logs from {from_date} to {to_date} with filter {str(data)} saved in sentinel successfully."
)
state.post(to_datetime)
else:
if response.status_code in [401, 403]:
logging.error("Invalid HYAS API KEY.")
logging.info(response.content)
logging.info(
f"Unable to fetch logs from Hyas Protect API. Response code: {response.status_code}"
)
break
if records_fetched >= total_count:
break
def hyas_dict(log: dict):
"""
Converts a dictionary representing HYAS Protect log data into a standardized format.
Args:
log (dict): The dictionary containing the HYAS Protect log data.
Returns:
dict: The converted log data in a standardized format.
"""
return {
"Reputation": log.get("reputation"),
"DateTime": log.get("datetime"),
"Domain": log.get("domain"),
"DeviceName": log.get("devicename"),
"ProcessName": log.get("processname"),
"Nameserver": log.get("nameserver"),
"Verdict": log.get("verdict"),
"VerdictSource": log.get("verdictSource"),
"VerdictStatus": log.get("verdictStatus"),
"Registrar": log.get("registrar"),
"PolicyName": log.get("policy", {}).get("policy_name"),
"PolicyID": log.get("policy", {}).get("policy_id"),
"RegistrarVerdict": log.get("markup", {}).get("registrar", {}).get("verdict"),
"FQDNVerdict": log.get("markup", {}).get("fqdn", {}).get("verdict"),
"DomainVerdict": log.get("markup", {}).get("domain", {}).get("verdict"),
"IPVerdict": log.get("markup", {}).get("ip", {}).get("verdict"),
"CNameVerdict": log.get("markup", {}).get("cname", {}).get("verdict"),
"NameserverIPVerdict": log.get("markup", {})
.get("nameserver_ip", {})
.get("verdict"),
"NameserverVerdict": log.get("markup", {}).get("nameserver", {}).get("verdict"),
"TLDVerdict": log.get("markup", {}).get("tld", {}).get("verdict"),
"TTL": log.get("ttl"),
"Tags": ",".join(str(x) for x in log.get("tags", [])),
"LogID": log.get("log_id"),
"ClientID": log.get("client_id"),
"ClientName": log.get("client_name"),
"ClientIP": log.get("client_ip"),
"Domain2TLD": log.get("domain_2tld"),
"DomainTLD": log.get("domain_tld"),
"Nameserver2TLD": log.get("nameserver_2tld"),
"NameserverTLD": log.get("nameserver_tld"),
"NameserverIP": log.get("nameserver_ip", {}).get("ip"),
"NameserverCountryISOCode": log.get("nameserver_ip", {}).get(
"country_iso_code"
),
"NameserverCountryName": log.get("nameserver_ip", {}).get("country_name"),
"ARecord": ",".join(str(x) for x in log.get("a_record", [])),
"CName": ",".join(x for x in log.get("c_name", [])),
"CName2TLD": ",".join(x for x in log.get("c_name_2tld", [])),
"CNameTLD": ",".join(x for x in log.get("c_name_tld", [])),
"ThreatLevel": log.get("threat_level"),
"QueryType": log.get("query_type"),
"ResponseCode": log.get("response_code"),
"ResponseName": log.get("response_name"),
"ResponseDescription": log.get("response_description"),
"ResolverMode": log.get("resolver_mode"),
"ReasonLists": ",".join(str(x) for x in log.get("reason", {}).get("lists", [])),
"ReasonType": log.get("reason", {}).get("type"),
"DomainAge": log.get("domain_age"),
"DomainCategory": ",".join(x for x in log.get("domain_category", [])),
"DomainCreationDate": log.get("domain_creation_date"),
"DomainExpiresDate": log.get("domain_expires_date"),
"DomainUpdatedDate": log.get("domain_updated_date"),
}
def main(mytimer: func.TimerRequest) -> None:
"""
The main function for the timer trigger.
Args:
mytimer (func.TimerRequest): The TimerRequest object containing information about the timer trigger.
Returns:
None
"""
if mytimer.past_due:
logging.info("The timer is past due!")
return
utc_timestamp = datetime.utcnow().replace(tzinfo=timezone.utc).isoformat()
call_hyas_protect_api()
logging.info("Python timer trigger function ran at %s", utc_timestamp)
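Review bot: The state marker is advanced per page at `state.post(to_datetime)` inside the 2xx branch of the `sentinel_resp` check, and that check has no else branch, so when `save_to_sentinel` returns 500 for one page the loop simply continues, a later page's success writes `to_datetime`, and the records of the failed page are never re-fetched. The rewrite below stops on an ingest failure without touching the marker and posts it once after every page has been stored (the enclosing `call_hyas_protect_api` lies entirely within this hunk). Two smaller points in `hyas_dict`: `.get(...)` is chained on the result of `log.get("policy", {})`, `("markup", {})`, `("nameserver_ip", {})` and `("reason", {})`, which raises AttributeError if the API ever returns those keys with a null value instead of omitting them, and the joins over `c_name`, `c_name_2tld`, `c_name_tld` and `domain_category` lack the `str(x)` the other joins use. The module reads `environ.get("ApiKey")`, which matches the ARM app setting but not the `APIKey` name the manual-deployment instructions elsewhere in this commit tell users to create (those instructions also omit `TableName` and the `Fetch*` settings); environment names are case-sensitive on Linux, so a manual deploy as documented would presumably send no usable `X-API-Key` and end on the 401 path.
```python
        if response.status_code in range(200, 299):
            # … unchanged: result/logs/paging bookkeeping and hyas_dict mapping …
            sentinel_resp = save_to_sentinel(
                log_analytics_uri, customer_id, shared_key, dumps(sentinel_logs), table_name
            )
            if sentinel_resp not in range(200, 299):
                # Leave the marker untouched so the next run re-fetches this window.
                logging.error(
                    f"Sentinel ingest failed for page {page_number - 1}; marker left at {from_datetime}."
                )
                return
            logging.info(
                f"HYAS Protect logs from {from_date} to {to_date} with filter {str(data)} saved in sentinel successfully."
            )
        else:
            # … unchanged: HYAS error logging …
            break
        if records_fetched >= total_count:
            break
    # Every page was fetched and stored: advance the marker once.
    state.post(to_datetime)
```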


@ -0,0 +1,11 @@
{
"scriptFile": "__init__.py",
"bindings": [
{
"name": "mytimer",
"type": "timerTrigger",
"direction": "in",
"schedule": "%Polling%"
}
]
}


@ -0,0 +1,34 @@
from azure.storage.fileshare import ShareClient
from azure.storage.fileshare import ShareFileClient
from azure.core.exceptions import ResourceNotFoundError
class StateManager:
def __init__(
self,
connection_string,
share_name="funcstatemarkershare",
file_path="funcstatemarkerfile",
):
self.share_cli = ShareClient.from_connection_string(
conn_str=connection_string, share_name=share_name, is_emulated=True
)
self.file_cli = ShareFileClient.from_connection_string(
conn_str=connection_string,
share_name=share_name,
file_path=file_path,
is_emulated=True,
)
def post(self, marker_text: str):
try:
self.file_cli.upload_file(marker_text)
except ResourceNotFoundError:
self.share_cli.create_share()
self.file_cli.upload_file(marker_text)
def get(self):
try:
return self.file_cli.download_file().readall().decode()
except ResourceNotFoundError:
return None
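Review bot: `StateManager`, `post` and `get` carry no docstrings, so a reader of this file cannot tell what the stored marker is or what `get()` returns before the first `post()`. Suggest a class docstring such as `"""Persists a single run marker string in an Azure file share; get() returns None until post() has been called once."""`, a one-line docstring on `post` noting that it creates the share on ResourceNotFoundError and retries the upload, and one on `get` noting that it returns the decoded file content or None when the share or file does not exist. `is_emulated=True` is passed to both `from_connection_string` calls without a comment; please document why it is set for a production connection string, or drop it if it has no effect with the pinned SDK version.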


@ -0,0 +1,105 @@
import hmac
import hashlib
import requests
import logging
from base64 import b64decode, b64encode
def build_signature(
customer_id: str,
shared_key: str,
date: str,
content_length: str,
method: str,
content_type: str,
resource: str,
):
"""
Builds the signature for authenticating requests to Azure Sentinel.
Args:
customer_id (str): The customer ID or workspace ID for Azure Sentinel.
shared_key (str): The shared key for authentication with Azure Sentinel.
date (str): The date and time of the request in RFC1123 format.
content_length (int): The length of the request body in bytes.
method (str): The HTTP method of the request.
content_type (str): The content type of the request.
resource (str): The resource being accessed.
Returns:
str: The authorization header value for the request.
"""
x_headers = "x-ms-date:" + date
string_to_hash = (
method
+ "\n"
+ content_length
+ "\n"
+ content_type
+ "\n"
+ x_headers
+ "\n"
+ resource
)
bytes_to_hash = bytes(string_to_hash, encoding="utf-8")
decoded_key = b64decode(shared_key)
encoded_hash = b64encode(
hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()
).decode()
authorization = "SharedKey {}:{}".format(customer_id, encoded_hash)
return authorization
def save_to_sentinel(
log_analytics_uri: str, customer_id: str, shared_key: str, logs_obj: str, table_name: str
):
"""
Saves logs to Azure Sentinel using the specified log_analytics_uri, customer_id, shared_key, and logs_obj.
Args:
log_analytics_uri (str): The URI for the Azure Log Analytics workspace.
customer_id (str): The customer ID or workspace ID for Azure Sentinel.
shared_key (str): The shared key for authentication with Azure Sentinel.
logs_obj (str): The logs to be sent to Azure Sentinel in JSON format.
table_name (str): The table which will be created in sentinel.
Returns:
int: The HTTP response status code if successful, or if there was an error.
"""
from email.utils import formatdate
rfc1123date = formatdate(timeval=None, localtime=False, usegmt=True)
signature = build_signature(
customer_id,
shared_key,
rfc1123date,
str(len(logs_obj)),
"POST",
"application/json",
"/api/logs",
)
headers = {
"content-type": "application/json",
"Authorization": signature,
"Log-Type": table_name,
"x-ms-date": rfc1123date,
"time-generated-field": "date",
}
try:
response = requests.post(log_analytics_uri, data=logs_obj, headers=headers)
except Exception as ex:
logging.error(str(ex))
logging.error("Invalid Workspace ID")
return 500
if response.status_code in range(200, 299):
return response.status_code
else:
logging.info(response.content)
logging.info(
"Events are not processed into Azure. Response code: {}".format(
response.status_code
)
)
return 500
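Review bot: `save_to_sentinel` signs `str(len(logs_obj))`, the character count of a str, while what goes on the wire is a byte encoding of that string, so any non-ASCII character in a record (IDN domains, registrar names) makes the signed Content-Length differ from the transmitted one and the Data Collector API will presumably reject the request as unauthorized. Encode once and sign the byte length: `body = logs_obj.encode("utf-8")`, pass `str(len(body))` to `build_signature`, and post with `data=body`; the `content_length (int)` line in `build_signature`'s docstring should also say `str` to match the signature. `"time-generated-field": "date"` names a field the payload does not contain (the records built by `hyas_dict` in this commit use `DateTime`), so TimeGenerated falls back to ingestion time; if the HYAS timestamp is meant to be the event time, point the header at the key actually present and confirm its format is one the API accepts. The bare `except Exception` that logs "Invalid Workspace ID" reports every network failure (DNS, timeout, TLS) under that message; log the exception on its own or narrow the handler to the case that actually indicates a bad workspace.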


@ -0,0 +1,284 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"FunctionName": {
"defaultValue": "HYASProtect",
"minLength": 1,
"maxLength": 20,
"type": "string"
},
"TableName": {
"defaultValue": "HYASProtectDnsSecurityLogs",
"minLength": 1,
"type": "string",
"metadata": {
"description": "The Table which will save HYAS Protect logs in your Azure Sentinel workspace."
}
},
"WorkspaceID": {
"type": "string",
"defaultValue": "<WorkspaceID>",
"minLength": 1,
"metadata": {
"description": "The Workspace ID can be found in the 'Overview' section of your Azure Sentinel workspace."
}
},
"WorkspaceKey": {
"type": "securestring",
"defaultValue": "<WorkspaceKey>",
"minLength": 1,
"metadata": {
"description": "The Workspace Key can be found in the Azure portal within the configuration settings of the Azure resource that corresponds to the workspace."
}
},
"APIKey": {
"type": "securestring",
"defaultValue": "<APIkey>",
"minLength": 1,
"metadata": {
"description": "The HYAS API Key."
}
},
"TimeInterval": {
"type": "string",
"allowedValues": [
"Every 5 min",
"Every 10 min",
"Every 60 min",
"Every 6 hours",
"Every 12 hours",
"Every 24 hours"
],
"defaultValue": "Every 5 min",
"metadata": {
"description": "Select the Interval."
}
},
"FetchBlockedDomains": {
"defaultValue": "Yes",
"allowedValues": [
"Yes",
"No"
],
"minLength": 1,
"type": "string"
},
"FetchMaliciousDomains": {
"defaultValue": "Yes",
"allowedValues": [
"Yes",
"No"
],
"minLength": 1,
"type": "string"
},
"FetchSuspiciousDomains": {
"defaultValue": "Yes",
"allowedValues": [
"Yes",
"No"
],
"minLength": 1,
"type": "string"
},
"FetchPermittedDomains": {
"defaultValue": "Yes",
"allowedValues": [
"Yes",
"No"
],
"minLength": 1,
"type": "string"
}
},
"variables": {
"PollingMap": {
"Every 5 min": "*/5 * * * *",
"Every 10 min": "*/10 * * * *",
"Every 60 min": "0 * * * *",
"Every 6 hours": "0 */6 * * *",
"Every 12 hours": "0 */12 * * *",
"Every 24 hours" : "0 0 * * *"
},
"FunctionName": "[concat(toLower(parameters('FunctionName')), take(uniqueString(resourceGroup().id), 3))]",
"StorageSuffix": "[environment().suffixes.storage]",
"LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(parameters('WorkspaceID')), '.ods.opinsights'))]",
"Polling": "[variables('PollingMap')[parameters('TimeInterval')]]"
},
"resources": [
{
"type": "Microsoft.Insights/components",
"apiVersion": "2015-05-01",
"name": "[variables('FunctionName')]",
"location": "[resourceGroup().location]",
"kind": "web",
"properties": {
"Application_Type": "web",
"ApplicationId": "[variables('FunctionName')]"
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[tolower(variables('FunctionName'))]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"kind": "StorageV2",
"properties": {
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [],
"ipRules": [],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": true,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
},
"deleteRetentionPolicy": {
"enabled": false
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
],
"sku": {
"name": "Standard_LRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
}
}
},
{
"type": "Microsoft.Web/sites",
"apiVersion": "2018-11-01",
"name": "[variables('FunctionName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]",
"[resourceId('Microsoft.Insights/components', variables('FunctionName'))]"
],
"kind": "functionapp,linux",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"name": "[variables('FunctionName')]",
"httpsOnly": true,
"clientAffinityEnabled": true,
"alwaysOn": true,
"reserved": true,
"siteConfig": {
"linuxFxVersion": "python|3.8"
}
},
"resources": [
{
"apiVersion": "2018-11-01",
"type": "config",
"name": "appsettings",
"dependsOn": [
"[concat('Microsoft.Web/sites/', variables('FunctionName'))]"
],
"properties": {
"FUNCTIONS_EXTENSION_VERSION": "~3",
"FUNCTIONS_WORKER_RUNTIME": "python",
"APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
"APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
"WorkspaceID": "[parameters('WorkspaceID')]",
"TableName": "[parameters('TableName')]",
"WorkspaceKey": "[parameters('WorkspaceKey')]",
"ApiKey": "[parameters('ApiKey')]",
"FetchBlockedDomains": "[parameters('FetchBlockedDomains')]",
"FetchSuspiciousDomains": "[parameters('FetchSuspiciousDomains')]",
"FetchMaliciousDomains": "[parameters('FetchMaliciousDomains')]",
"FetchPermittedDomains": "[parameters('FetchPermittedDomains')]",
"logAnalyticsUri": "[variables('LogAnaltyicsUri')]",
"timeInterval": "[parameters('TimeInterval')]",
"Polling": "[variables('Polling')]",
"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-HYAS Protect-functionapp"
}
}
]
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/azure-webjobs-hosts')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/azure-webjobs-secrets')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices/shares",
"apiVersion": "2019-06-01",
"name": "[concat(variables('FunctionName'), '/default/', tolower(variables('FunctionName')))]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('FunctionName'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
],
"properties": {
"shareQuota": 5120
}
}
]
}
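Review bot: The `Microsoft.Storage/storageAccounts` resource that holds the function's state marker and the `azure-webjobs-secrets` container is deployed with `networkAcls.defaultAction` set to `Allow` and no `minimumTlsVersion` or `allowBlobPublicAccess`, both of which the 2019-06-01 API version supports; add `"minimumTlsVersion": "TLS1_2"` and `"allowBlobPublicAccess": false` under `properties`, and consider tightening `defaultAction` once the function's outbound path is settled. The app settings reference `parameters('ApiKey')` while the parameter is declared as `APIKey`; as far as I know ARM resolves parameter names case-insensitively so this deploys, but the reference should match the declaration so it can be found by search. `FUNCTIONS_EXTENSION_VERSION` is `~3`, a runtime whose support had ended before this commit date; `~4` with the matching `extensionBundle` range in host.json is the supported target. `WorkspaceKey` and `ApiKey` land as plain app settings even though the connector's own instruction step recommends Key Vault; a Key Vault reference here would align the template with its documentation.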


@ -0,0 +1,16 @@
{
"version": "2.0",
"logging": {
"applicationInsights": {
"samplingSettings": {
"isEnabled": true,
"excludedTypes": "Request"
}
}
},
"extensionBundle": {
"id": "Microsoft.Azure.Functions.ExtensionBundle",
"version": "[2.*, 3.0.0)"
},
"functionTimeout": "00:10:00"
}


@ -0,0 +1,4 @@
{
"$schema": "http://json.schemastore.org/proxies",
"proxies": {}
}


@ -0,0 +1,4 @@
azure-functions
azure-storage-file-share==12.3.0
requests==2.31.0
requests-oauthlib==1.3.1
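Review bot: `azure-functions` is the only entry without a version pin while the other three are pinned exactly, so the package that provides the timer binding is not reproducible between builds; pin it, e.g. `azure-functions==<version tested>`. `requests-oauthlib` is not imported by any function code in this commit (the modules shown use `requests`, `azure.functions` and `azure.storage.fileshare` only); if it is unused, drop it to reduce the dependency surface, otherwise note where it is needed.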


@ -0,0 +1,17 @@
{
"Name": "HYAS Protect",
"Author": "Hyas",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Hyas.svg\" width=\"75px\" height=\"75px\">",
"Description": "Built on the underpinning technology of HYAS Insight threat intelligence, HYAS Protect is a protective DNS solution that combines authoritative knowledge of attacker infrastructure and unrivaled domain-based intelligence to proactively enforce security and block the command and control (C2) communication used by malware, ransomware, phishing, and other forms of cyber attacks.",
"Workbooks": [],
"Playbooks": [],
"Data Connectors": [
"Data Connectors/HYASProtect_FunctionApp.json"
],
"Hunting Queries": [],
"BasePath": "D:/GitHub/Azure-Sentinel/Solutions/HYAS Protect",
"Version": "3.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
}

Solutions/HYAS Protect/Package/3.0.0.zip Normal file



@ -0,0 +1,85 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Hyas.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nBuilt on the underpinning technology of HYAS Insight threat intelligence, HYAS Protect is a protective DNS solution that combines authoritative knowledge of attacker infrastructure and unrivaled domain-based intelligence to proactively enforce security and block the command and control (C2) communication used by malware, ransomware, phishing, and other forms of cyber attacks.\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for HYAS Protect. You can get HYAS Protect custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}


@ -0,0 +1,435 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Hyas",
"comments": "Solution template for HYAS Protect"
},
"parameters": {
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
}
},
"variables": {
"_solutionName": "HYAS Protect",
"_solutionVersion": "3.0.0",
"solutionId": "hyas.microsoft-sentinel-solution-hyas-protect",
"_solutionId": "[variables('solutionId')]",
"uiConfigId1": "HYAS Protect",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "HYAS Protect",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))),variables('dataConnectorVersion1')))]",
"dataConnectorVersion1": "1.0.0",
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "HYAS Protect data connector with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"id": "[variables('_uiConfigId1')]",
"title": "HYAS Protect (using Azure Functions)",
"publisher": "HYAS",
"descriptionMarkdown": "HYAS Protect provide logs based on reputation values - Blocked, Malicious, Permitted, Suspicious.",
"graphQueries": [
{
"metricName": "Total logs received",
"legend": "HYASProtectDnsSecurityLogs",
"baseQuery": "HYASProtectDnsSecurityLogs_CL"
}
],
"sampleQueries": [
{
"description": "All Logs",
"query": "HYASProtectDnsSecurityLogs_CL"
}
],
"dataTypes": [
{
"name": "HYASProtectDnsSecurityLogs_CL",
"lastDataReceivedQuery": "HYASProtectDnsSecurityLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"HYASProtectDnsSecurityLogs_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "REST API Credentials/permissions",
"description": "**HYAS API Key** is required for making API calls."
}
]
},
"instructionSteps": [
{
"description": ">**NOTE:** This connector uses Azure Functions to connect to the HYAS API to pull Logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details."
},
{
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"description": "Use this method for automated deployment of the HYAS Protect data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-HYAS Protect-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Function Name**, **Table Name**, **Workspace ID**, **Workspace Key**, **API Key**, **TimeInterval**, **FetchBlockedDomains**, **FetchMaliciousDomains**, **FetchSuspiciousDomains**, **FetchPermittedDomains** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
"title": "Option 1 - Azure Resource Manager (ARM) Template"
},
{
"description": "Use the following step-by-step instructions to deploy the HYAS Protect Logs data connector manually with Azure Functions (Deployment via Visual Studio Code).",
"title": "Option 2 - Manual Deployment of Azure Functions"
},
{
"description": "**1. Deploy a Function App**\n\n> NOTE:You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-HYAS Protect-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. HyasProtectLogsXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAPIKey\n\t\tPolling\n\t\tWorkspaceID\n\t\tWorkspaceKey\n. Once all application settings have been entered, click **Save**."
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "HYAS Protect",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Hyas"
},
"support": {
"name": "HYAS",
"tier": "Partner",
"link": "https://www.hyas.com/contact"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId1')]",
"contentKind": "DataConnector",
"displayName": "HYAS Protect (using Azure Functions)",
"contentProductId": "[variables('_dataConnectorcontentProductId1')]",
"id": "[variables('_dataConnectorcontentProductId1')]",
"version": "[variables('dataConnectorVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
],
"location": "[parameters('workspace-location')]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"contentId": "[variables('_dataConnectorContentId1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "HYAS Protect",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Hyas"
},
"support": {
"name": "HYAS",
"tier": "Partner",
"link": "https://www.hyas.com/contact"
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
"apiVersion": "2021-03-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "HYAS Protect (using Azure Functions)",
"publisher": "HYAS",
"descriptionMarkdown": "HYAS Protect provide logs based on reputation values - Blocked, Malicious, Permitted, Suspicious.",
"graphQueries": [
{
"metricName": "Total logs received",
"legend": "HYASProtectDnsSecurityLogs",
"baseQuery": "HYASProtectDnsSecurityLogs_CL"
}
],
"dataTypes": [
{
"name": "HYASProtectDnsSecurityLogs_CL",
"lastDataReceivedQuery": "HYASProtectDnsSecurityLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"HYASProtectDnsSecurityLogs_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"sampleQueries": [
{
"description": "All Logs",
"query": "HYASProtectDnsSecurityLogs_CL"
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "REST API Credentials/permissions",
"description": "**HYAS API Key** is required for making API calls."
}
]
},
"instructionSteps": [
{
"description": ">**NOTE:** This connector uses Azure Functions to connect to the HYAS API to pull Logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details."
},
{
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"description": "Use this method for automated deployment of the HYAS Protect data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-HYAS Protect-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Function Name**, **Table Name**, **Workspace ID**, **Workspace Key**, **API Key**, **TimeInterval**, **FetchBlockedDomains**, **FetchMaliciousDomains**, **FetchSuspiciousDomains**, **FetchPermittedDomains** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
"title": "Option 1 - Azure Resource Manager (ARM) Template"
},
{
"description": "Use the following step-by-step instructions to deploy the HYAS Protect Logs data connector manually with Azure Functions (Deployment via Visual Studio Code).",
"title": "Option 2 - Manual Deployment of Azure Functions"
},
{
"description": "**1. Deploy a Function App**\n\n> NOTE:You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-HYAS Protect-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. HyasProtectLogsXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
},
{
"description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAPIKey\n\t\tPolling\n\t\tWorkspaceID\n\t\tWorkspaceKey\n. Once all application settings have been entered, click **Save**."
}
],
"id": "[variables('_uiConfigId1')]"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.0.0",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "HYAS Protect",
"publisherDisplayName": "HYAS",
"descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</em></p>\n<p>Built on the underpinning technology of HYAS Insight threat intelligence, HYAS Protect is a protective DNS solution that combines authoritative knowledge of attacker infrastructure and unrivaled domain-based intelligence to proactively enforce security and block the command and control (C2) communication used by malware, ransomware, phishing, and other forms of cyber attacks.</p>\n<p><strong>Data Connectors:</strong> 1</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
"icon": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Hyas.svg\" width=\"75px\" height=\"75px\">",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
"kind": "Solution",
"name": "HYAS Protect",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Hyas"
},
"support": {
"name": "HYAS",
"tier": "Partner",
"link": "https://www.hyas.com/contact"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentId1')]",
"version": "[variables('dataConnectorVersion1')]"
}
]
},
"firstPublishDate": "2023-09-26",
"providers": [
"HYAS"
],
"categories": {
"domains": [
"Security - Automation (SOAR)",
"Security - Threat Intelligence"
]
}
},
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
}
],
"outputs": {}
}


@ -0,0 +1,45 @@
id: 6e70b2c1-202d-4805-bddc-f0e08ef0fc4d
Function:
Title: Parser for all Hyas Protect DNS events
Version: '1.0.0'
LastUpdated: '2023-09-26'
Category: HYASProtectParser
FunctionName: HYASProtectDNSActivity
FunctionAlias: HYASProtectDNSActivity
FunctionParams:
- Name: starttime
Type: datetime
Default: datetime(null)
- Name: endtime
Type: datetime
Default: datetime(null)
- Name: tablesRequired
Type: dynamic
Default: dynamic([])
- Name: eventTypesRequired
Type: dynamic
Default: dynamic([])
FunctionQuery: |
let parser = (
starttime:datetime=datetime(null),
endtime:datetime=datetime(null),
tablesRequired:dynamic=dynamic([]),
eventTypesRequired:dynamic=dynamic([])
)
{
union isfuzzy=true
(
ASimDnsActivityLogs
| where EventVendor == "HYASProtect" and EventProduct == "HYAS Protect"
| where array_length(tablesRequired) == 0 or "DNS" in~ (tablesRequired)
| where (isnull(starttime) or TimeGenerated>=starttime)
and (isnull(endtime) or TimeGenerated<=endtime)
| where array_length(eventTypesRequired) == 0 or EventOriginalType in~ (eventTypesRequired)
)
};
parser(
starttime=starttime,
endtime=endtime,
tablesRequired=tablesRequired,
eventTypesRequired=eventTypesRequired
)
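Review bot: The function reads only `ASimDnsActivityLogs` filtered to `EventVendor == "HYASProtect" and EventProduct == "HYAS Protect"`, yet the HYAS connector in the hunk above declares its data type and graph query against the custom table `HYASProtectDnsSecurityLogs_CL`, so unless the Function App also writes through a DCR into the ASim DNS table (nothing visible here shows that) this parser returns no rows for the data the connector ingests. `union isfuzzy=true` around that single source makes the mismatch harder to notice, because a missing or empty `ASimDnsActivityLogs` is tolerated silently instead of failing the query. I would either point the parser at `HYASProtectDnsSecurityLogs_CL` with a projection onto the ASim DNS fields, or state the dependency in the query itself, e.g. `// Requires HYAS Protect events already normalized into ASimDnsActivityLogs (EventVendor "HYASProtect"); the raw HYASProtectDnsSecurityLogs_CL table is not read here.`, and drop `isfuzzy=true` so a schema problem surfaces as an error.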


@ -0,0 +1,3 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
| 3.0.0 | 22-09-2023 | Initial solution release |


@ -0,0 +1,16 @@
{
"publisherId": "hyas",
"offerId": "microsoft-sentinel-solution-hyas-protect",
"firstPublishDate": "2023-09-26",
"providers": ["HYAS"],
"categories": {
"domains": [
"Security - Automation (SOAR)", "Security - Threat Intelligence"
]
},
"support": {
"name": "HYAS",
"tier": "Partner",
"link": "https://www.hyas.com/contact"
}
}
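Review bot: `firstPublishDate` is `2023-09-26` here, while the ReleaseNotes table in the hunk above dates the 3.0.0 initial release `22-09-2023`; one of the two should be corrected so marketplace metadata and the changelog agree. The `Security - Automation (SOAR)` domain is also claimed although the package description in the HYAS template hunk lists a single data connector and no playbooks or automation rules, so unless SOAR content is planned I would keep only `"Security - Threat Intelligence"` in `domains`.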


@ -62,7 +62,7 @@
"instructionSteps": [
{
"title": "",
"description":"**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ISCBind and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ISC%20Bind/Parsers/ISCBind.txt).The function usually takes 10-15 minutes to activate after solution installation/update." ,
"description":"**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ISCBind and load the function code or click [here](https://aka.ms/sentinel-iscbind-parser).The function usually takes 10-15 minutes to activate after solution installation/update." ,
"instructions": [
]
},


@ -2,12 +2,12 @@
"Name": "ISC Bind",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [ISC Bind](https://www.isc.org/bind/) solution for Microsoft sentinel allows you to ingest ISC Bind logs to get better insights into your organization's network traffic data, DNS query data, traffic statistics and improves your security operation capabilities.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs\n\n a. [Agent-based log collection (Syslog)](https://learn.microsoft.com/azure/sentinel/connect-syslog)",
"Description": "The [ISC Bind](https://www.isc.org/bind/) solution for Microsoft Sentinel allows you to ingest ISC Bind logs to get better insights into your organization's network traffic data, DNS query data, traffic statistics and improves your security operation capabilities.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs\n\n a. [Agent-based log collection (Syslog)](https://learn.microsoft.com/azure/sentinel/connect-syslog)",
"Data Connectors": [
"Solutions/ISC Bind/Data Connectors/Connector_Syslog_ISCBind.json"
],
"Parsers": [
"Solutions/ISC Bind/Parsers/ISCBind.txt"
"Solutions/ISC Bind/Parsers/ISCBind.yaml"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel",
"Version": "2.0.1",


@ -0,0 +1,31 @@
{
"Name": "ISC Bind",
"Author": "Microsoft - support@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [ISC Bind](https://www.isc.org/bind/) solution for Microsoft Sentinel allows you to ingest ISC Bind logs to get better insights into your organization's network traffic data, DNS query data, traffic statistics and improves your security operation capabilities.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs\n\n a. [Agent-based log collection (Syslog)](https://learn.microsoft.com/azure/sentinel/connect-syslog)",
"BasePath": "C:\\GitHub\\Azure-Sentinel",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false,
"Version": "3.0.0",
"publisherId": "azuresentinel",
"offerId": "azure-sentinel-solution-iscbind",
"providers": [
"ISC"
],
"categories": {
"domains": [
"Networking"
],
"verticals": []
},
"firstPublishDate": "2022-09-20",
"support": {
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"link": "https://support.microsoft.com/"
},
"Data Connectors": "[\n \"Connector_Syslog_ISCBind.json\"\n]",
"Parsers": "[\n \"ISCBind.yaml\"\n]"
}
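Review bot: `"Data Connectors"` and `"Parsers"` are JSON arrays serialized inside strings (`"[\n \"Connector_Syslog_ISCBind.json\"\n]"`), whereas the existing solution definition in the hunk above lists the same fields as real arrays, so the two files now disagree on the shape of the same property and any consumer expecting an array receives a string here. If the V3 packaging tool is known to accept the string form this is only a consistency nit; otherwise I would write `"Data Connectors": ["Connector_Syslog_ISCBind.json"],` and `"Parsers": ["ISCBind.yaml"]`. `"BasePath": "C:\\GitHub\\Azure-Sentinel"` is a developer-machine path committed to the repository; it matches the sibling file, but it is worth confirming the tooling does not depend on it.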

Solutions/ISC Bind/Package/3.0.0.zip Normal file



@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [ISC Bind](https://www.isc.org/bind/) solution for Microsoft sentinel allows you to ingest ISC Bind logs to get better insights into your organization's network traffic data, DNS query data, traffic statistics and improves your security operation capabilities.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs\n\n a. [Agent-based log collection (Syslog)](https://learn.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ISCBind/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [ISC Bind](https://www.isc.org/bind/) solution for Microsoft Sentinel allows you to ingest ISC Bind logs to get better insights into your organization's network traffic data, DNS query data, traffic statistics and improves your security operation capabilities.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n a. [Agent-based log collection (Syslog)](https://learn.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
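Review bot: The new Release Notes link points at `https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ISCBind/ReleaseNotes.md`, but everywhere else in this commit the solution folder is `ISC Bind` with a space (`Solutions/ISC Bind/Package/3.0.0.zip`, `Solutions/ISC Bind/Data Connectors/Connector_Syslog_ISCBind.json`), so the link users follow from the installer will most likely return a 404. I would change it to `https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ISC%20Bind/ReleaseNotes.md`, which also uses `blob` rather than `tree` for a file. The enclosing `basics` object continues outside the hunk.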


@ -34,53 +34,39 @@
"_solutionId": "[variables('solutionId')]",
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_solutionName": "ISC Bind",
"_solutionVersion": "3.0.0",
"uiConfigId1": "ISCBind",
"_uiConfigId1": "[variables('uiConfigId1')]",
"dataConnectorContentId1": "ISCBind",
"_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
"dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0",
"parserVersion1": "1.0.0",
"parserContentId1": "ISCBind-Parser",
"_parserContentId1": "[variables('parserContentId1')]",
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
"parserName1": "ISCBind",
"_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
"parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"_parserId1": "[variables('parserId1')]",
"parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]"
"parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]",
"parserVersion1": "1.0.0",
"parserContentId1": "ISCBind-Parser",
"_parserContentId1": "[variables('parserContentId1')]",
"_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]",
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"properties": {
"description": "ISC Bind data connector with template",
"displayName": "ISC Bind template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "DataConnector"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "ISC Bind data connector with template version 2.0.1",
"description": "ISC Bind data connector with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@ -157,7 +143,7 @@
},
"instructionSteps": [
{
"description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ISCBind and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ISC%20Bind/Parsers/ISCBind.txt).The function usually takes 10-15 minutes to activate after solution installation/update."
"description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ISCBind and load the function code or click [here](https://aka.ms/sentinel-iscbind-parser).The function usually takes 10-15 minutes to activate after solution installation/update."
},
{
"description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.",
@ -226,8 +212,8 @@
"name": "Microsoft"
},
"support": {
"tier": "microsoft",
"name": "Microsoft",
"tier": "Microsoft",
"name": "Microsoft Corporation",
"email": "support@microsoft.com"
}
}
@ -236,7 +222,7 @@
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
@ -261,12 +247,23 @@
}
}
]
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_dataConnectorContentId1')]",
"contentKind": "DataConnector",
"displayName": "ISC Bind",
"contentProductId": "[variables('_dataConnectorcontentProductId1')]",
"id": "[variables('_dataConnectorcontentProductId1')]",
"version": "[variables('dataConnectorVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
"[variables('_dataConnectorId1')]"
@ -362,7 +359,7 @@
},
"instructionSteps": [
{
"description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ISCBind and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ISC%20Bind/Parsers/ISCBind.txt).The function usually takes 10-15 minutes to activate after solution installation/update."
"description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ISCBind and load the function code or click [here](https://aka.ms/sentinel-iscbind-parser).The function usually takes 10-15 minutes to activate after solution installation/update."
},
{
"description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.",
@ -425,33 +422,15 @@
}
},
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2021-05-01",
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[variables('parserTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "Parser"
},
"properties": {
"description": "ISCBind Data Parser with template",
"displayName": "ISCBind Data Parser template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2021-05-01",
"name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "Parser"
},
"dependsOn": [
"[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]"
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "ISCBind Data Parser with template version 2.0.1",
"description": "ISCBind Data Parser with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserVersion1')]",
@ -460,20 +439,21 @@
"resources": [
{
"name": "[variables('_parserName1')]",
"apiVersion": "2020-08-01",
"apiVersion": "2022-10-01",
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "ISCBind",
"category": "Samples",
"category": "Microsoft Sentinel Parser",
"functionAlias": "ISCBind",
"query": "\n\r\nlet request = Syslog \r\n| where SyslogMessage has_all (\"client\", \"query:\") and SyslogMessage !has \"response:\"\r\n| parse SyslogMessage with\r\n * \"client \" * \" \"\r\n SrcIpAddr:string \"#\" \r\n SrcPortNumber:string \" \" *\r\n \"query: \"\r\n DnsQuery:string \" \"\r\n DnsQueryClassName:string \" \"\r\n DnsQueryTypeName:string \" \"\r\n DnsFlags:string\r\n| extend ServerIPAddressIndex= indexof(DnsFlags, \" \")\r\n| extend ServerIPAddress = iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, ServerIPAddressIndex),\"\")\r\n| extend ServerIPAddress = replace_regex(ServerIPAddress,@\"[()]\",\"\")\r\n| extend DnsFlags =iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, 0, ServerIPAddressIndex), DnsFlags)\r\n| extend SrcPortNumber = replace_regex(SrcPortNumber,@\"[^\\d]\",\"\")\r\n| extend EventSubType = \"request\",DnsResponseCodeName = \"NA\"\r\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,ServerIPAddressIndex;\r\nlet requestcache = Syslog \r\n| where SyslogMessage has_all (\"client\", \"query (cache)\") and SyslogMessage !has \"response:\"\r\n| parse SyslogMessage with\r\n * \"client \" * \" \"\r\n SrcIpAddr:string \"#\" \r\n SrcPortNumber:string \" \" *\r\n \"query (cache) '\"\r\n DnsQuery:string \"/\"\r\n DnsQueryTypeName:string \"/\"\r\n DnsQueryClassName:string \"' \"\r\n Action\r\n| extend EventSubType = \"requestcache\",DnsResponseCodeName = \"NA\"\r\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName;\r\nlet response =Syslog \r\n| where SyslogMessage has_all (\"client\", \"query:\", \"response:\")\r\n| parse SyslogMessage with\r\n * \"client \" * \" \"\r\n SrcIpAddr:string \"#\" \r\n SrcPortNumber:string \" \" * \"view \" * \": \"\r\n NetworkProtocol:string \": query: \"\r\n DnsQuery:string \" \"\r\n DnsQueryClassName:string \" \"\r\n DnsQueryTypeName:string \" \"\r\n \"response: \" DnsResponseCodeName: string\r\n \" \" DnsFlags: string\r\n| extend 
DNSResourceRecordIndex= indexof(DnsFlags, \" \")\r\n| extend DnsResponseName =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, DNSResourceRecordIndex), \"\")\r\n| extend DnsFlags =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, 0, DNSResourceRecordIndex), DnsFlags)\r\n| extend EventSubType = \"response\"\r\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,DNSResourceRecordIndex;\r\nunion request,requestcache,response",
"version": 1,
"query": "//request events\nlet request = Syslog \n| where SyslogMessage has_all (\"client\", \"query:\") and SyslogMessage !has \"response:\"\n| parse SyslogMessage with\n * \"client \" * \" \"\n SrcIpAddr:string \"#\" \n SrcPortNumber:string \" \" *\n \"query: \"\n DnsQuery:string \" \"\n DnsQueryClassName:string \" \"\n DnsQueryTypeName:string \" \"\n DnsFlags:string\n| extend ServerIPAddressIndex= indexof(DnsFlags, \" \")\n| extend ServerIPAddress = iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, ServerIPAddressIndex),\"\")\n| extend ServerIPAddress = replace_regex(ServerIPAddress,@\"[()]\",\"\")\n| extend DnsFlags =iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, 0, ServerIPAddressIndex), DnsFlags)\n| extend SrcPortNumber = replace_regex(SrcPortNumber,@\"[^\\d]\",\"\")\n| extend EventSubType = \"request\",DnsResponseCodeName = \"NA\"\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,ServerIPAddressIndex;\n//request (cache) events\nlet requestcache = Syslog \n| where SyslogMessage has_all (\"client\", \"query (cache)\") and SyslogMessage !has \"response:\"\n| parse SyslogMessage with\n * \"client \" * \" \"\n SrcIpAddr:string \"#\" \n SrcPortNumber:string \" \" *\n \"query (cache) '\"\n DnsQuery:string \"/\"\n DnsQueryTypeName:string \"/\"\n DnsQueryClassName:string \"' \"\n Action\n| extend EventSubType = \"requestcache\",DnsResponseCodeName = \"NA\"\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName;\n// response events\nlet response =Syslog \n| where SyslogMessage has_all (\"client\", \"query:\", \"response:\")\n| parse SyslogMessage with\n * \"client \" * \" \"\n SrcIpAddr:string \"#\" \n SrcPortNumber:string \" \" * \"view \" * \": \"\n NetworkProtocol:string \": query: \"\n DnsQuery:string \" \"\n DnsQueryClassName:string \" \"\n DnsQueryTypeName:string \" \"\n \"response: \" DnsResponseCodeName: string\n \" \" DnsFlags: string\n| extend DNSResourceRecordIndex= 
indexof(DnsFlags, \" \")\n| extend DnsResponseName =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, DNSResourceRecordIndex), \"\")\n| extend DnsFlags =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, 0, DNSResourceRecordIndex), DnsFlags)\n| extend EventSubType = \"response\"\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,DNSResourceRecordIndex;\nunion request,requestcache,response\n",
"functionParameters": "",
"version": 2,
"tags": [
{
"name": "description",
"value": "ISCBind"
"value": ""
}
]
}
@ -483,7 +463,7 @@
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
"dependsOn": [
"[variables('_parserName1')]"
"[variables('_parserId1')]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
@ -508,21 +488,39 @@
}
}
]
}
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('_parserContentId1')]",
"contentKind": "Parser",
"displayName": "ISCBind",
"contentProductId": "[variables('_parsercontentProductId1')]",
"id": "[variables('_parsercontentProductId1')]",
"version": "[variables('parserVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2021-06-01",
"apiVersion": "2022-10-01",
"name": "[variables('_parserName1')]",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "ISCBind",
"category": "Samples",
"category": "Microsoft Sentinel Parser",
"functionAlias": "ISCBind",
"query": "\n\r\nlet request = Syslog \r\n| where SyslogMessage has_all (\"client\", \"query:\") and SyslogMessage !has \"response:\"\r\n| parse SyslogMessage with\r\n * \"client \" * \" \"\r\n SrcIpAddr:string \"#\" \r\n SrcPortNumber:string \" \" *\r\n \"query: \"\r\n DnsQuery:string \" \"\r\n DnsQueryClassName:string \" \"\r\n DnsQueryTypeName:string \" \"\r\n DnsFlags:string\r\n| extend ServerIPAddressIndex= indexof(DnsFlags, \" \")\r\n| extend ServerIPAddress = iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, ServerIPAddressIndex),\"\")\r\n| extend ServerIPAddress = replace_regex(ServerIPAddress,@\"[()]\",\"\")\r\n| extend DnsFlags =iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, 0, ServerIPAddressIndex), DnsFlags)\r\n| extend SrcPortNumber = replace_regex(SrcPortNumber,@\"[^\\d]\",\"\")\r\n| extend EventSubType = \"request\",DnsResponseCodeName = \"NA\"\r\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,ServerIPAddressIndex;\r\nlet requestcache = Syslog \r\n| where SyslogMessage has_all (\"client\", \"query (cache)\") and SyslogMessage !has \"response:\"\r\n| parse SyslogMessage with\r\n * \"client \" * \" \"\r\n SrcIpAddr:string \"#\" \r\n SrcPortNumber:string \" \" *\r\n \"query (cache) '\"\r\n DnsQuery:string \"/\"\r\n DnsQueryTypeName:string \"/\"\r\n DnsQueryClassName:string \"' \"\r\n Action\r\n| extend EventSubType = \"requestcache\",DnsResponseCodeName = \"NA\"\r\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName;\r\nlet response =Syslog \r\n| where SyslogMessage has_all (\"client\", \"query:\", \"response:\")\r\n| parse SyslogMessage with\r\n * \"client \" * \" \"\r\n SrcIpAddr:string \"#\" \r\n SrcPortNumber:string \" \" * \"view \" * \": \"\r\n NetworkProtocol:string \": query: \"\r\n DnsQuery:string \" \"\r\n DnsQueryClassName:string \" \"\r\n DnsQueryTypeName:string \" \"\r\n \"response: \" DnsResponseCodeName: string\r\n \" \" DnsFlags: string\r\n| extend 
DNSResourceRecordIndex= indexof(DnsFlags, \" \")\r\n| extend DnsResponseName =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, DNSResourceRecordIndex), \"\")\r\n| extend DnsFlags =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, 0, DNSResourceRecordIndex), DnsFlags)\r\n| extend EventSubType = \"response\"\r\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,DNSResourceRecordIndex;\r\nunion request,requestcache,response",
"version": 1
"query": "//request events\nlet request = Syslog \n| where SyslogMessage has_all (\"client\", \"query:\") and SyslogMessage !has \"response:\"\n| parse SyslogMessage with\n * \"client \" * \" \"\n SrcIpAddr:string \"#\" \n SrcPortNumber:string \" \" *\n \"query: \"\n DnsQuery:string \" \"\n DnsQueryClassName:string \" \"\n DnsQueryTypeName:string \" \"\n DnsFlags:string\n| extend ServerIPAddressIndex= indexof(DnsFlags, \" \")\n| extend ServerIPAddress = iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, ServerIPAddressIndex),\"\")\n| extend ServerIPAddress = replace_regex(ServerIPAddress,@\"[()]\",\"\")\n| extend DnsFlags =iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, 0, ServerIPAddressIndex), DnsFlags)\n| extend SrcPortNumber = replace_regex(SrcPortNumber,@\"[^\\d]\",\"\")\n| extend EventSubType = \"request\",DnsResponseCodeName = \"NA\"\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,ServerIPAddressIndex;\n//request (cache) events\nlet requestcache = Syslog \n| where SyslogMessage has_all (\"client\", \"query (cache)\") and SyslogMessage !has \"response:\"\n| parse SyslogMessage with\n * \"client \" * \" \"\n SrcIpAddr:string \"#\" \n SrcPortNumber:string \" \" *\n \"query (cache) '\"\n DnsQuery:string \"/\"\n DnsQueryTypeName:string \"/\"\n DnsQueryClassName:string \"' \"\n Action\n| extend EventSubType = \"requestcache\",DnsResponseCodeName = \"NA\"\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName;\n// response events\nlet response =Syslog \n| where SyslogMessage has_all (\"client\", \"query:\", \"response:\")\n| parse SyslogMessage with\n * \"client \" * \" \"\n SrcIpAddr:string \"#\" \n SrcPortNumber:string \" \" * \"view \" * \": \"\n NetworkProtocol:string \": query: \"\n DnsQuery:string \" \"\n DnsQueryClassName:string \" \"\n DnsQueryTypeName:string \" \"\n \"response: \" DnsResponseCodeName: string\n \" \" DnsFlags: string\n| extend DNSResourceRecordIndex= 
indexof(DnsFlags, \" \")\n| extend DnsResponseName =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, DNSResourceRecordIndex), \"\")\n| extend DnsFlags =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, 0, DNSResourceRecordIndex), DnsFlags)\n| extend EventSubType = \"response\"\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,DNSResourceRecordIndex;\nunion request,requestcache,response\n",
"functionParameters": "",
"version": 2,
"tags": [
{
"name": "description",
"value": ""
}
]
}
},
{
@ -556,13 +554,20 @@
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "2.0.1",
"version": "3.0.0",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentSchemaVersion": "3.0.0",
"displayName": "ISC Bind",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
"descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</em></p>\n<p>The <a href=\"https://www.isc.org/bind/\">ISC Bind</a> solution for Microsoft Sentinel allows you to ingest ISC Bind logs to get better insights into your organization's network traffic data, DNS query data, traffic statistics and improves your security operation capabilities.</p>\n<p><strong>Underlying Microsoft Technologies used:</strong></p>\n<p>This solution takes a dependency on the following technologies, and some of these dependencies either may be in <a href=\"https://azure.microsoft.com/support/legal/preview-supplemental-terms/\">Preview</a> state or might result in additional ingestion or operational costs</p>\n<ol type=\"a\">\n<li><a href=\"https://learn.microsoft.com/azure/sentinel/connect-syslog\">Agent-based log collection (Syslog)</a></li>\n</ol>\n<p><strong>Data Connectors:</strong> 1, <strong>Parsers:</strong> 1</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
"icon": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {

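--- a/[PATH-NOT-SHOWN-ON-PAGE: deleted ISC Bind parser file]
+++ /dev/null
@@ -1,65 +0,0 @@
-// Title: ISC Bind
-// Author: Microsoft
-// Version: 1.0
-// Last Updated: 09/16/2022
-// Comment: Inital Release
-//
-// DESCRIPTION:
-// This parser takes raw ISC Bind logs from a Syslog stream and parses the logs into a normalized schema.
-//
-//
-// REFERENCES:
-// Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions
-//request events
-let request = Syslog
-| where SyslogMessage has_all ("client", "query:") and SyslogMessage !has "response:"
-| parse SyslogMessage with
-* "client " * " "
-SrcIpAddr:string "#"
-SrcPortNumber:string " " *
-"query: "
-DnsQuery:string " "
-DnsQueryClassName:string " "
-DnsQueryTypeName:string " "
-DnsFlags:string
-| extend ServerIPAddressIndex= indexof(DnsFlags, " ")
-| extend ServerIPAddress = iif(ServerIPAddressIndex != "-1", substring(DnsFlags, ServerIPAddressIndex),"")
-| extend ServerIPAddress = replace_regex(ServerIPAddress,@"[()]","")
-| extend DnsFlags =iif(ServerIPAddressIndex != "-1", substring(DnsFlags, 0, ServerIPAddressIndex), DnsFlags)
-| extend SrcPortNumber = replace_regex(SrcPortNumber,@"[^\d]","")
-| extend EventSubType = "request",DnsResponseCodeName = "NA"
-| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,ServerIPAddressIndex;
-//request (cache) events
-let requestcache = Syslog
-| where SyslogMessage has_all ("client", "query (cache)") and SyslogMessage !has "response:"
-| parse SyslogMessage with
-* "client " * " "
-SrcIpAddr:string "#"
-SrcPortNumber:string " " *
-"query (cache) '"
-DnsQuery:string "/"
-DnsQueryTypeName:string "/"
-DnsQueryClassName:string "' "
-Action
-| extend EventSubType = "requestcache",DnsResponseCodeName = "NA"
-| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName;
-// response events
-let response =Syslog
-| where SyslogMessage has_all ("client", "query:", "response:")
-| parse SyslogMessage with
-* "client " * " "
-SrcIpAddr:string "#"
-SrcPortNumber:string " " * "view " * ": "
-NetworkProtocol:string ": query: "
-DnsQuery:string " "
-DnsQueryClassName:string " "
-DnsQueryTypeName:string " "
-"response: " DnsResponseCodeName: string
-" " DnsFlags: string
-| extend DNSResourceRecordIndex= indexof(DnsFlags, " ")
-| extend DnsResponseName =iif(DNSResourceRecordIndex != "-1", substring(DnsFlags, DNSResourceRecordIndex), "")
-| extend DnsFlags =iif(DNSResourceRecordIndex != "-1", substring(DnsFlags, 0, DNSResourceRecordIndex), DnsFlags)
-| extend EventSubType = "response"
-| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,DNSResourceRecordIndex;
-union request,requestcache,response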

@ -0,0 +1,5 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------|
| 3.0.0 | 09-10-2023 | Corrected the links in the solution |


@ -0,0 +1,72 @@
id: 26e81021-2de6-4442-a74a-a77885e96911
name: Execution of software vulnerable to webp buffer overflow of CVE-2023-4863
description: |
'This query looks at device, process, and network events from Defender for Endpoint that may be vulnerable to buffer overflow defined in CVE-2023-4863. Results are not an indicator of malicious activity.'
severity: Informational
status: Available
kind: Scheduled
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Execution
relevantTechniques:
- T1203
tags:
- CVE-2023-4863
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
- DeviceNetworkEvents
- DeviceEvents
- DeviceTvmSoftwareVulnerabilities
query: |-
//CVE-2023-4863 Process activity with .webp files on devices where CVE-2023-4863 is unpatched
//This query shows all process activity with .webp files on vulnerable machines and is not an indicator of malicious activity
let VulnDevices = DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2023-4863"
| distinct DeviceId;
union DeviceProcessEvents, DeviceNetworkEvents, DeviceEvents
| where DeviceId in (VulnDevices) and InitiatingProcessCommandLine has(".webp") or ProcessCommandLine has(".webp")
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: DeviceName
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountName
- entityType: Process
fieldMappings:
- identifier: ProcessId
columnName: ProcessId
- entityType: Process
fieldMappings:
- identifier: ProcessId
columnName: InitiatingProcessId
- entityType: Process
fieldMappings:
- identifier: CommandLine
columnName: ProcessCommandLine
suppressionEnabled: false
incidentConfiguration:
createIncident: false
groupingConfiguration:
enabled: false
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: Selected
groupByEntities:
- Account
groupByAlertDetails: []
groupByCustomDetails: []
suppressionDuration: 5h
alertDetailsOverride:
alertDisplayNameFormat: Possible exploitation of CVE-2023-4863
alertDynamicProperties: []
eventGroupingSettings:
aggregationKind: SingleAlert
version: 1.0.0
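Review bot: The final `where` of the query mixes `and` and `or` without parentheses; because `and` binds tighter than `or` in KQL, any event whose `ProcessCommandLine` contains ".webp" matches regardless of whether its `DeviceId` is in `VulnDevices`, which contradicts the comment that only unpatched devices are considered. Group the command-line test: `| where DeviceId in (VulnDevices) and (InitiatingProcessCommandLine has ".webp" or ProcessCommandLine has ".webp")`. The Account entity maps `AccountName`, which as far as I recall is not a column of DeviceNetworkEvents (that table carries `InitiatingProcessAccountName`), so the mapping is presumably empty for rows from that table — worth confirming against the schema. The `description` value is also wrapped in single quotes inside a block scalar, so the quotes become part of the rendered text.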



@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThis solution enables insider risk management teams to investigate risk-based behavior across 25+ Microsoft products. This solution is a better-together story between Microsoft Sentinel and Microsoft Purview Insider Risk Management. The solution includes the Insider Risk Management Workbook, (5) Hunting Queries, (1) Data Connector, (5) Analytics Rules, (1) Playbook automation and the Microsoft Purview Insider Risk Management connector. While only Microsoft Sentinel is required to get started, the solution is enhanced with numerous Microsoft offerings, including, but not limited to:\n\n- [Microsoft Purview Insider Risk Management](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-solution-overview?view=o365-worldwide)\n- [Microsoft Purview Communications Compliance](https://docs.microsoft.com/microsoft-365/compliance/communication-compliance-solution-overview?view=o365-worldwide)\n- [Microsoft Purview Advanced eDiscovery](https://docs.microsoft.com/microsoft-365/compliance/ediscovery?view=o365-worldwide)\n- [Microsoft Purview Defender](https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender?rtc=1)\n- [Microsoft Information Protection](https://docs.microsoft.com/microsoft-365/compliance/information-protection?view=o365-worldwide)\n- [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)\n- [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)\n- [Microsoft Sentinel Notebooks](https://docs.microsoft.com/azure/sentinel/notebooks) [(Bring Your Own Machine Learning)](https://docs.microsoft.com/azure/sentinel/bring-your-own-ml)\n- [Microsoft 
Defender for Endpoint](https://www.microsoft.com/security/business/threat-protection/endpoint-defender?rtc=1)\n- [Microsoft Defender for Identity](https://www.microsoft.com/security/business/threat-protection/identity-defender?rtc=1)\n- [Microsoft Defender for Cloud Apps](https://www.microsoft.com/security/business/cloud-apps-defender?rtc=1)\n- [Microsoft Defender for Office 365](https://www.microsoft.com/security/business/threat-protection/office-365-defender?rtc=1)\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)\n\n**Workbooks:** 1, **Analytic Rules:** 5, **Hunting Queries:** 5, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MicrosoftPurviewInsiderRiskManagement/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution.\n\nThis solution enables insider risk management teams to investigate risk-based behavior across 25+ Microsoft products. This solution is a better-together story between Microsoft Sentinel and Microsoft Purview Insider Risk Management. The solution includes the Insider Risk Management Workbook, (5) Hunting Queries, (1) Data Connector, (5) Analytics Rules, (1) Playbook automation and the Microsoft Purview Insider Risk Management connector. While only Microsoft Sentinel is required to get started, the solution is enhanced with numerous Microsoft offerings, including, but not limited to:\n\n- [Microsoft Purview Insider Risk Management](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-solution-overview?view=o365-worldwide)\n- [Microsoft Purview Communications Compliance](https://docs.microsoft.com/microsoft-365/compliance/communication-compliance-solution-overview?view=o365-worldwide)\n- [Microsoft Purview Advanced eDiscovery](https://docs.microsoft.com/microsoft-365/compliance/ediscovery?view=o365-worldwide)\n- [Microsoft Purview Defender](https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender?rtc=1)\n- [Microsoft Information Protection](https://docs.microsoft.com/microsoft-365/compliance/information-protection?view=o365-worldwide)\n- [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)\n- [Microsoft Defender for Cloud](https://azure.microsoft.com/services/security-center/)\n- 
[Microsoft Sentinel Notebooks](https://docs.microsoft.com/azure/sentinel/notebooks) [(Bring Your Own Machine Learning)](https://docs.microsoft.com/azure/sentinel/bring-your-own-ml)\n- [Microsoft Defender for Endpoint](https://www.microsoft.com/security/business/threat-protection/endpoint-defender?rtc=1)\n- [Microsoft Defender for Identity](https://www.microsoft.com/security/business/threat-protection/identity-defender?rtc=1)\n- [Microsoft Defender for Cloud Apps](https://www.microsoft.com/security/business/cloud-apps-defender?rtc=1)\n- [Microsoft Defender for Office 365](https://www.microsoft.com/security/business/threat-protection/office-365-defender?rtc=1)\n\nMicrosoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 5, **Hunting Queries:** 5, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@ -51,6 +51,30 @@
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for MicrosoftPurviewInsiderRiskManagement. You can get MicrosoftPurviewInsiderRiskManagement custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "workbooks",
"label": "Workbooks",
@ -320,4 +344,4 @@
"workspace": "[basics('workspace')]"
}
}
}
}
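Review bot: The added `dataconnectors1-text` block describes the connector as providing "custom log data", while the solution manifest elsewhere in this commit marks the solution with `"Is1Pconnector": true`, so the sentence presumably comes from a template meant for custom-log connectors; "Microsoft Purview Insider Risk Management data in your Microsoft Sentinel workspace" would describe it accurately. In the new `description`, the bullets of the note are separated by `\r \n` (carriage return, space, newline) rather than a plain `\n`, which may render differently across markdown viewers; `\n\n• Review the solution ...` is the safer form. The enclosing `steps` array continues outside the hunk.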



@ -1,5 +1,7 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|--------------------------------------------------------------------------|
| 3.0.3 | 10-10-2023 | Updated **Workbook** template to replace the datatype InformationProtectionLogs_CL to MicrosoftPurviewInformationProtection |
| 3.0.2 | 04-10-2023 | Updated **Workbook** template to fix Signinlogs datatype |
| 3.0.1 | 20-09-2023 | Updated **Workbook** template to fix the invaild json issue |
| 3.0.0 | 17-07-2023 | Updating **Analytic Rules** with grouping configuration(Single Alert) |
| | | |


@ -28,7 +28,7 @@
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\MicrosoftPurviewInsiderRiskManagement",
"Version": "3.0.1",
"Version": "3.0.3",
"TemplateSpec": true,
"Is1Pconnector": true
}


@ -23,7 +23,7 @@ query: |
let list_tlds = ThreatIntelligenceIndicator
| where TimeGenerated > ago(ioc_lookBack)
// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)
| where Description == 'Recorded Future - DOMAIN - C2 DNS Name'
| where Description == 'Recorded Future - Domains - Command and Control Activity'
| where isnotempty(DomainName)
| extend parts = split(DomainName, '.')
| extend tld = parts[(array_length(parts)-1)]
@ -33,7 +33,7 @@ query: |
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where Active == true
// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)
| where Description == 'Recorded Future - DOMAIN - C2 DNS Name'
| where Description == 'Recorded Future - Domains - Command and Control Activity'
// Picking up only IOC's that contain the entities we want
| where isnotempty(DomainName)
| join (
@ -66,5 +66,5 @@ entityMappings:
fieldMappings:
- identifier: DomainName
columnName: DomainCustomEntity
version: 1.0.0
version: 1.0.1
kind: Scheduled
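Review bot: Both updated `where Description == ...` lines require an exact match on the new Recorded Future label, so indicators already sitting in ThreatIntelligenceIndicator under 'Recorded Future - DOMAIN - C2 DNS Name' — still inside `ioc_lookBack` and unexpired — stop matching the moment the rule is updated, and a workspace still running the legacy DOMAIN-C2_DNS_Name IndicatorProcessor playbook (which appears to remain in the solution manifest in this commit) keeps importing indicators this rule now ignores. Accepting both labels during the transition closes that gap: `| where Description in ('Recorded Future - Domains - Command and Control Activity', 'Recorded Future - DOMAIN - C2 DNS Name')`. The same applies to the second Recorded Future analytic rule in this commit (the one mapping DomainName to `domain`). Since the change alters which indicators the detection consumes, a release-note entry describing the migration from the IndicatorProcessor to the IndicatorImport playbooks would help operators; the `let` blocks enclosing these lines start outside the hunk.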


@ -23,7 +23,7 @@ query: |
let list_tlds = ThreatIntelligenceIndicator
| where TimeGenerated > ago(ioc_lookBack)
// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)
| where Description == 'Recorded Future - DOMAIN - C2 DNS Name'
| where Description == 'Recorded Future - Domains - Command and Control Activity'
| where isnotempty(DomainName)
| extend parts = split(DomainName, '.')
| extend tld = parts[(array_length(parts)-1)]
@ -33,7 +33,7 @@ query: |
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where Active == true
// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)
| where Description == 'Recorded Future - DOMAIN - C2 DNS Name'
| where Description == 'Recorded Future - Domains - Command and Control Activity'
// Picking up only IOC's that contain the entities we want
| where isnotempty(DomainName)
| join (
@ -71,5 +71,5 @@ entityMappings:
fieldMappings:
- identifier: DomainName
columnName: domain
version: 1.0.0
version: 1.0.1
kind: Scheduled


@ -12,21 +12,32 @@
"Analytic Rules/RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents.yaml"
],
"Playbooks": [
"Playbooks/RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash/azuredeploy.json",
"Playbooks/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json",
"Playbooks/RecordedFuture-Playbook-Alert-Importer/azuredeploy.json",
"Playbooks/RecordedFuture-Alert-Importer/azuredeploy.json",
"Playbooks/RecordedFuture-ThreatIntelligenceImport/azuredeploy.json",
"Playbooks/RecordedFuture-Domain-IndicatorImport/azuredeploy.json",
"Playbooks/RecordedFuture-Hash-IndicatorImport/azuredeploy.json",
"Playbooks/RecordedFuture-IP-IndicatorImport/azuredeploy.json",
"Playbooks/RecordedFuture-URL-IndicatorImport/azuredeploy.json",
"Playbooks/RecordedFuture-ImportToSentinel/azuredeploy.json",
"Playbooks/RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor/azuredeploy.json",
"Playbooks/RecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor/azuredeploy.json",
"Playbooks/RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash/azuredeploy.json",
"Playbooks/RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor/azuredeploy.json",
"Playbooks/RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor/azuredeploy.json",
"Playbooks/RecordedFuture-Ukraine-IndicatorProcessor/azuredeploy.json",
"Playbooks/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json"
"Playbooks/RecordedFuture-Ukraine-IndicatorProcessor/azuredeploy.json"
],
"Workbooks": [
"Workbooks/Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat Hunting.json",
"Workbooks/Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation&Threat Hunting.json"
"Workbooks/RecordedFuturePlaybookAlertOverview.json",
"Workbooks/RecordedFutureAlertOverview.json",
"Workbooks/RecordedFutureDomainCorrelation.json",
"Workbooks/RecordedFutureHashCorrelation.json",
"Workbooks/RecordedFutureIPCorrelation.json",
"Workbooks/RecordedFutureURLCorrelation.json"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Recorded Future",
"Version": "2.4.0",
"Version": "3.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false

Solutions/Recorded Future/Package/3.0.0.zip Normal file



@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/RecordedFuture.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[Recorded Future](https://www.recordedfuture.com/) is the worlds largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.\n\nPlaybooks have internal dependencies to RecordedFuture-ImportToSentinel so install the RecordedFuture-ImportToSentinel playbook before any of the others. \n \n \nThis solution takes a dependency on functionality like Azure Logic Apps, Azure Monitor Logs. Some of these dependencies might result in additional ingestion or operational costs.\n\n* https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design \n* https://learn.microsoft.com/en-us/azure/logic-apps/ \n* https://learn.microsoft.com/en-us/azure/sentinel/work-with-threat-indicators \n\n\n**Workbooks:** 2, **Analytic Rules:** 6, **Playbooks:** 8\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/RecordedFuture.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[Recorded Future](https://www.recordedfuture.com/) is the worlds largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.\n\nPlaybooks have internal dependencies to RecordedFuture-ImportToSentinel so install the RecordedFuture-ImportToSentinel playbook before any of the others. \n \n \nThis solution takes a dependency on functionality like Azure Logic Apps, Azure Monitor Logs. Some of these dependencies might result in additional ingestion or operational costs.\n\n* https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design \n* https://learn.microsoft.com/en-us/azure/logic-apps/ \n* https://learn.microsoft.com/en-us/azure/sentinel/work-with-threat-indicators \n\n\n**Workbooks:** 6, **Analytic Rules:** 6, **Playbooks:** 15\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@ -80,13 +80,13 @@
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat Hunting",
"label": "Recorded Future - Playbook Alerts Overview",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Sets the time name for DNS Events and Threat Intelligence Time Range"
"text": "Recorded Future Playbook Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Playbook-Alert-Importer."
}
}
]
@ -94,13 +94,69 @@
{
"name": "workbook2",
"type": "Microsoft.Common.Section",
"label": "Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation&Threat Hunting",
"label": "Recorded Future - Alerts Overview",
"elements": [
{
"name": "workbook2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Sets the time name for DNS Events and Threat Intelligence Time Range"
"text": "Recorded Future Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Alert-Importer."
}
}
]
},
{
"name": "workbook3",
"type": "Microsoft.Common.Section",
"label": "Recorded Future - Domain Correlation",
"elements": [
{
"name": "workbook3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Recorded Future Domain Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel."
}
}
]
},
{
"name": "workbook4",
"type": "Microsoft.Common.Section",
"label": "Recorded Future - Hash Correlation",
"elements": [
{
"name": "workbook4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Recorded Future Hash Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel."
}
}
]
},
{
"name": "workbook5",
"type": "Microsoft.Common.Section",
"label": "Recorded Future - IP Correlation",
"elements": [
{
"name": "workbook5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Recorded Future IP Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel."
}
}
]
},
{
"name": "workbook6",
"type": "Microsoft.Common.Section",
"label": "Recorded Future - URL Correlation",
"elements": [
{
"name": "workbook6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Recorded Future URL Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel."
}
}
]
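Review bot: The new `workbook2-text` string says the Alerts Overview workbook "will visualize playbook alerts imported via the RecordedFuture-Alert-Importer", which looks copied from `workbook1-text`; the Alert-Importer presumably imports classic alerts rather than playbook alerts, so it should read `"text": "Recorded Future Alerts Overview Workbook. This workbook will visualize alerts imported via the RecordedFuture-Alert-Importer."`. The four correlation workbook texts write "ingested in to Sentinel"; "into" is the intended word. The `description` in the first hunk still names only RecordedFuture-ImportToSentinel as the playbook to install first, while the new *-IndicatorImport playbooks now ship alongside it, so a reader cannot tell whether that ordering constraint applies to them — worth stating explicitly. The `workbook6` section is closed inside the hunk, but the enclosing `elements` and `steps` arrays continue outside it.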


Solutions/Recorded Future/Playbooks/Images/2023-06-26-10-04-42.png Normal file


Solutions/Recorded Future/Playbooks/Images/2023-06-26-10-59-49.png Normal file


Solutions/Recorded Future/Playbooks/Images/2023-08-09-18-05-46.png Normal file


Solutions/Recorded Future/Playbooks/Images/2023-09-07-11-11-09.png Normal file


Solutions/Recorded Future/Playbooks/Images/2023-09-08-12-01-37.png Normal file


Solutions/Recorded Future/Playbooks/Images/2023-09-08-12-13-06.png Normal file


Solutions/Recorded Future/Playbooks/Images/2023-09-08-12-13-54.png Normal file


Solutions/Recorded Future/Playbooks/Images/2023-09-13-15-51-44.png Normal file

