{ "type": "SHA256", "indicator": "2436fe37d25712b68b2e1a9805825bcf5073efb91588c1b5193ba446d1edd319", "general": { "sections": [ "general", "analysis" ], "type": "sha256", "type_title": "FileHash-SHA256", "indicator": "2436fe37d25712b68b2e1a9805825bcf5073efb91588c1b5193ba446d1edd319", "validation": [], "base_indicator": { "id": 3981664067, "indicator": "2436fe37d25712b68b2e1a9805825bcf5073efb91588c1b5193ba446d1edd319", "type": "FileHash-SHA256", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "66f2fa7feb2432d8de2bdbee", "name": "Security Brief: Actor Uses Compromised Accounts, Customized Social Engineering to Target Transport and Logistics Firms with Malware", "description": "A threat actor is targeting transportation and logistics companies in North America with malware campaigns. The actor uses compromised email accounts to inject malicious content into existing conversations, making messages appear legitimate. Campaigns primarily deliver Lumma Stealer, StealC, NetSupport, DanaBot, and Arechclient2 malware. The actor employs Google Drive URLs, .URL files, and SMB for malware delivery, and recently adopted the 'ClickFix' technique. Campaigns are small-scale and highly targeted, with lures impersonating industry-specific software. The activity is believed to be financially motivated and aligns with a trend of sophisticated social engineering combined with commodity malware use in the cybercriminal landscape.", "modified": "2024-10-24T17:01:10.410000", "created": "2024-09-24T17:44:31.726000", "tags": [ "lumma stealer", "transportation", "danabot" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/security-brief-actor-uses-compromised-accounts-customized-social-engineering" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "StealC", "display_name": "StealC", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Arechclient2", "display_name": "Arechclient2", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 17, "domain": 4 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 376707, "modified_text": "537 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "305 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "66f3dceab0e00ef21b26c0d2", "name": "Security Brief: Actor Uses Compromised Accounts, Customized Social Engineering to Target Transport and Logistics Firms with Malware | Proofpoint US", "description": "", "modified": "2024-10-25T09:02:14.179000", "created": "2024-09-25T09:50:34.622000", "tags": [ "clickfix", "proofpoint", "urls", "north america", "august", "danabot", "google drive", "actor", "base64", "security brief", "lumma stealer", "stealc", "final" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/security-brief-actor-uses-compromised-accounts-customized-social-engineering" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 17, "URL": 13, "domain": 4 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 843, "modified_text": "536 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "66f36445e10d7882c143c9c1", "name": "Security Brief: Actor Uses Compromised Accounts, Customized Social Engineering to Target Transport and Logistics Firms with Malware | Proofpoint US", "description": "", "modified": "2024-10-25T01:05:04.209000", "created": "2024-09-25T01:15:49.879000", "tags": [ "clickfix", "proofpoint", "urls", "north america", "august", "danabot", "google drive", "actor", "base64", "security brief", "lumma stealer", "stealc", "final" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/security-brief-actor-uses-compromised-accounts-customized-social-engineering" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ChrisTan0", "id": "262536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 17, "URL": 13, "domain": 4 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "536 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "66fcd718cc64b41baafc4bee", "name": "Security Brief: Actor Uses Compromised Accounts, Customized Social Engineering to Target Transport and Logistics Firms with Malware", "description": "", "modified": "2024-10-24T17:01:10.410000", "created": "2024-10-02T05:16:08.446000", "tags": [ "lumma stealer", "transportation", "danabot" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/security-brief-actor-uses-compromised-accounts-customized-social-engineering" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "StealC", "display_name": "StealC", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Arechclient2", "display_name": "Arechclient2", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Transportation" ], "TLP": "white", "cloned_from": "66f2fa7feb2432d8de2bdbee", "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 17, "domain": 4 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 261, "modified_text": "537 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "references": [ "", "https://www.proofpoint.com/us/blog/threat-insight/security-brief-actor-uses-compromised-accounts-customized-social-engineering", "https://threatfox.abuse.ch/export/csv/recent/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Lumma stealer", "Stealc", "Danabot", "Netsupport", "Arechclient2" ], "industries": [ "Transportation" ] }, "other": { "adversary": [], "malware_families": [ "Lumma stealer", "Stealc", "Danabot", "Netsupport", "Arechclient2" ], "industries": [ "Transportation" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "66f2fa7feb2432d8de2bdbee", "name": "Security Brief: Actor Uses Compromised Accounts, Customized Social Engineering to Target Transport and Logistics Firms with Malware", "description": "A threat actor is targeting transportation and logistics companies in North America with malware campaigns. The actor uses compromised email accounts to inject malicious content into existing conversations, making messages appear legitimate. Campaigns primarily deliver Lumma Stealer, StealC, NetSupport, DanaBot, and Arechclient2 malware. The actor employs Google Drive URLs, .URL files, and SMB for malware delivery, and recently adopted the 'ClickFix' technique. Campaigns are small-scale and highly targeted, with lures impersonating industry-specific software. The activity is believed to be financially motivated and aligns with a trend of sophisticated social engineering combined with commodity malware use in the cybercriminal landscape.", "modified": "2024-10-24T17:01:10.410000", "created": "2024-09-24T17:44:31.726000", "tags": [ "lumma stealer", "transportation", "danabot" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/security-brief-actor-uses-compromised-accounts-customized-social-engineering" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "StealC", "display_name": "StealC", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Arechclient2", "display_name": "Arechclient2", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 17, "domain": 4 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 376707, "modified_text": "537 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "305 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "66f3dceab0e00ef21b26c0d2", "name": "Security Brief: Actor Uses Compromised Accounts, Customized Social Engineering to Target Transport and Logistics Firms with Malware | Proofpoint US", "description": "", "modified": "2024-10-25T09:02:14.179000", "created": "2024-09-25T09:50:34.622000", "tags": [ "clickfix", "proofpoint", "urls", "north america", "august", "danabot", "google drive", "actor", "base64", "security brief", "lumma stealer", "stealc", "final" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/security-brief-actor-uses-compromised-accounts-customized-social-engineering" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 17, "URL": 13, "domain": 4 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 843, "modified_text": "536 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "66f36445e10d7882c143c9c1", "name": "Security Brief: Actor Uses Compromised Accounts, Customized Social Engineering to Target Transport and Logistics Firms with Malware | Proofpoint US", "description": "", "modified": "2024-10-25T01:05:04.209000", "created": "2024-09-25T01:15:49.879000", "tags": [ "clickfix", "proofpoint", "urls", "north america", "august", "danabot", "google drive", "actor", "base64", "security brief", "lumma stealer", "stealc", "final" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/security-brief-actor-uses-compromised-accounts-customized-social-engineering" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ChrisTan0", "id": "262536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 17, "URL": 13, "domain": 4 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "536 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "66fcd718cc64b41baafc4bee", "name": "Security Brief: Actor Uses Compromised Accounts, Customized Social Engineering to Target Transport and Logistics Firms with Malware", "description": "", "modified": "2024-10-24T17:01:10.410000", "created": "2024-10-02T05:16:08.446000", "tags": [ "lumma stealer", "transportation", "danabot" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/security-brief-actor-uses-compromised-accounts-customized-social-engineering" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Lumma Stealer", "display_name": "Lumma Stealer", "target": null }, { "id": "StealC", "display_name": "StealC", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "DanaBot", "display_name": "DanaBot", "target": null }, { "id": "Arechclient2", "display_name": "Arechclient2", "target": null } ], "attack_ids": [ { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Transportation" ], "TLP": "white", "cloned_from": "66f2fa7feb2432d8de2bdbee", "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 17, "domain": 4 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 261, "modified_text": "537 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "error": null, "vt": { "type": "Hash", "indicator": "2436fe37d25712b68b2e1a9805825bcf5073efb91588c1b5193ba446d1edd319", "stats": { "malicious": 35, "suspicious": 0, "harmless": 0, "undetected": 27, "total": 76, "verdict": "malicious", "ratio": "35/76" }, "verdict": "malicious", "ratio": "35/76", "file_name": "rate_confirmation.vbs", "file_type": "VBA", "file_size": 22434, "md5": "dcdcea989b87f5e81a389d28628f851c", "sha1": "d97d5c2e17bcf98075e7c9d615697727c35179fe", "sha256": "2436fe37d25712b68b2e1a9805825bcf5073efb91588c1b5193ba446d1edd319", "magic": "ASCII text, with CRLF line terminators", "reputation": -9, "tags": [ "obfuscated", "detect-debug-environment", "run-file", "enum-windows", "calls-wmi", "vba", "long-sleeps", "macro-powershell" ], "top_detections": [ { "vendor": "ALYac", "result": "GT:VB.MltCllSpReFf.1.495DC54C", "category": "malicious" }, { "vendor": "AVG", "result": "Script:SNH-gen [Trj]", "category": "malicious" }, { "vendor": "AhnLab-V3", "result": "Downloader/VBS.Generic.SC205575", "category": "malicious" }, { "vendor": "Arcabit", "result": "GT:VB.MltCllSpReFf.1.495DC54C", "category": "malicious" }, { "vendor": "Avast", "result": "Script:SNH-gen [Trj]", "category": "malicious" }, { "vendor": "BitDefender", "result": "GT:VB.MltCllSpReFf.1.495DC54C", "category": "malicious" }, { "vendor": "CTX", "result": "vba.trojan.guloader", "category": "malicious" }, { "vendor": "ClamAV", "result": "Win.Dropper.XWorm-10036812-0", "category": "malicious" }, { "vendor": "Cynet", "result": "Malicious (score: 99)", "category": "malicious" }, { "vendor": "DrWeb", "result": "VBS.DownLoader.3392", "category": "malicious" } ], "last_analysis": 1772551471, "error": null }, "abuseipdb": null, "urlhaus": { "indicator": "2436fe37d25712b68b2e1a9805825bcf5073efb91588c1b5193ba446d1edd319", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776214251.6989605 }