Phish, Phished, Phisher: A Quick Peek Inside a Telegram Harvester
Common Information
Type Value
UUID 65394603-f787-48a7-832a-bb9b156d6406
Fingerprint 3c23285b2b8315cf
Analysis status DONE
Considered CTI value 2
Text language
Published Oct. 4, 2021, 11:39 a.m.
Added to db Sept. 26, 2022, 9:34 a.m.
Last updated Nov. 19, 2024, 1:59 p.m.
Headline Phish, Phished, Phisher: A Quick Peek Inside a Telegram Harvester
Title Phish, Phished, Phisher: A Quick Peek Inside a Telegram Harvester
Detected Hints/Tags/Attributes 41/3/21
Attributes
Type                       #Events  Value
Domain                     7        hotmail.co.uk
Domain                     145      api.telegram.org
Domain                     9        blog.nviso.eu
File                       1        filetype.html
sha256                     1        696f2cf8a36be64c281fd940c3f0081eb86a4a79f41375ba70ca70432c71ca29
sha256                     1        2cc9d3ad6a3c2ad5cced10a431f99215e467bfca39cf02732d739ff04e87be2d
sha256                     1        209b842abd1cfeab75c528595f0154ef74b5e92c9cc715d18c3f89473edfeff9
sha256                     1        acc4c5c40d11e412bb343357e493d22fae70316a5c5af4ebf693340bc7616eae
sha256                     1        b7c8bb9e149997630b53d80ab901be1ffb22e1578f389412a7fdf1bd4668a018
sha256                     1        e36dd51410f74fa6af3d80c2193450cf85b4ba109df0c44f381407ef89469650
sha256                     1        a7af7c8b83fc2019c4eb859859efcbe8740d61c7d98fc8fa6ca27aa9b3491809
sha256                     1        ba9dd2ae20952858cdd6cfbaff5d3dd22b4545670daf41b37a744ee666c8f1dc
sha256                     1        36368186cf67337e8ad69fd70b1bcb8f326e43c7ab83a88ad63de24d988750c2
sha256                     1        7772cf6ab12cecf5ff84b23830c12b03e9aa2fae5d5b7d1c8a8aaa57525cb34e
IPv4                       1        91.132.230.75
IPv4                       1        149.56.190.182
MITRE ATT&CK Techniques    414      T1566
MITRE ATT&CK Techniques    311      T1566.001
Url                        1        https://blog.nviso.eu/2021/10/04/phish-phished-phisher-a-quick-peek-inside-a-telegram-harvester
Url                        33       https://api.telegram.org/bot
Yara rule                  1        (rule text follows)
import "vt"

rule phish_telegram_bot_api : testing TA0001 T1566 T1566_001 {
	meta:
		description = "Detects the presence of the Telegram Bot API endpoint often used as egress"
		author = "Maxime THIEBAUT (@0xThiebaut)"
		date = "2021-09-30"
		reference = "https://blog.nviso.eu/2021/10/04/phish-phished-phisher-a-quick-peek-inside-a-telegram-harvester/"
		tlp = "white"
		status = "testing"
		tactic = "TA0001"
		technique = "T1566.001"
		hash1 = "696f2cf8a36be64c281fd940c3f0081eb86a4a79f41375ba70ca70432c71ca29"
	strings:
		$endpoint = "https://api.telegram.org/bot"
		$command = "/sendMessage"
		$option1 = "chat_id"
		$option2 = "text"
		$option3 = "parse_mode"
		$script = "<script>"
	condition:
		all of them
}