{ "type": "MD5", "indicator": "602e1f42d73cadcd73338ffbc553d5a2", "general": { "sections": [ "general", "analysis" ], "type": "md5", "type_title": "FileHash-MD5", "indicator": "602e1f42d73cadcd73338ffbc553d5a2", "validation": [], "base_indicator": { "id": 3996225877, "indicator": "602e1f42d73cadcd73338ffbc553d5a2", "type": "FileHash-MD5", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "68518522589e9ae890de427e", "name": "PIT 2024/2025 Online | Rozliczenie PIT w Chmurze za 2024 rok - PIT Projekt", "description": "As part of a series of updates on social media, we take a look at some of the most well-known examples of \"pit projekt\" - or \"pitprojkt\".", "modified": "2025-07-17T15:02:49.497000", "created": "2025-06-17T15:09:22.940000", "tags": [ "regexp", "typeof e", "typeof t", "class", "attr", "pseudo", "child", "function", "typeof module", "error", "block", "click", "body", "present mar", "present apr", "present feb", "present jan", "present sep", "present aug", "present jul", "pit projekt", "chcesz", "pity online", "program", "interesuje ci", "pity zapisane", "jeli", "oddajemy w", "twoje rce", "dziki jego", "sha1", "sha256", "telfhash" ], "references": [ "https://www.pitprojekt.pl/wp-includes/js/jquery/jquery.min.js?ver=3.7.1", "nitro-min-f43b551b749a36845288913120943cc6.jquery.min.js", "https://www.pitprojekt.pl/wp-content/plugins/dp-portfolio-posts-pro-1/js/ajax-get-post.js?ver=1.0.2", "http://www.pitprojekt.pl/files/772/119/PitProjekt2012Setup.exe", "http://pitprojekt.pl", "http://pit projekt.pl" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 13, "FileHash-MD5": 176, "FileHash-SHA1": 176, "FileHash-SHA256": 1557, "URL": 1228, "domain": 154, "hostname": 461, "email": 1 }, "indicator_count": 3766, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "317 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "672261a2b43e06073e4a15f0", "name": "ClickFix Campaign Threats to Organizations", "description": "Deepwatch Threat Intel team assesses that cybercriminals will likely continue using the ClickFix technique to target organizations and individuals. The ClickFix technique is a social engineering tactic employed by cybercriminals to deceive users into downloading malware through fake CAPTCHAs, error messages, and prompts that entice users to inadvertently run malicious PowerShell scripts and commands.", "modified": "2024-11-29T16:04:28.153000", "created": "2024-10-30T16:41:06.043000", "tags": [], "references": [ "https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/", "https://blog.sucuri.net/2024/08/wordpress-websites-used-to-distribute-clearfake-trojan-malware.html", "https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/#h-fake-google-meet-pages-and-technical-issues", "https://www.godaddy.com/resources/news/threat-actors-push-clickfix-fake-browser-updates-using-stolen-credentials" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma", "display_name": "Lumma", "target": null }, { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "DarkGate", "display_name": "DarkGate", "target": null }, { "id": "xmrig", "display_name": "xmrig", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1562.006", "name": "Indicator Blocking", "display_name": "T1562.006 - Indicator Blocking" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 11, "FileHash-SHA1": 9, "FileHash-SHA256": 9, "URL": 28, "domain": 158, "hostname": 8 }, "indicator_count": 223, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "547 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "6718fac8c19a7997aa7c4c6f", "name": "Fake WordPress Plug-ins Compromise Sites with Infostealers", "description": "", "modified": "2024-10-23T13:31:52.153000", "created": "2024-10-23T13:31:52.153000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 12 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "584 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 } ], "references": [ "https://www.pitprojekt.pl/wp-includes/js/jquery/jquery.min.js?ver=3.7.1", "nitro-min-f43b551b749a36845288913120943cc6.jquery.min.js", "https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/", "http://pitprojekt.pl", "https://www.godaddy.com/resources/news/threat-actors-push-clickfix-fake-browser-updates-using-stolen-credentials", "https://blog.sucuri.net/2024/08/wordpress-websites-used-to-distribute-clearfake-trojan-malware.html", "https://www.pitprojekt.pl/wp-content/plugins/dp-portfolio-posts-pro-1/js/ajax-get-post.js?ver=1.0.2", "http://pit projekt.pl", "http://www.pitprojekt.pl/files/772/119/PitProjekt2012Setup.exe", "https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/#h-fake-google-meet-pages-and-technical-issues" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Matanbuchus", "Amos", "Redline", "Lumma", "Stealc", "Rhadamanthys", "Xmrig", "Vidar", "Netsupport", "Amadey", "Darkgate" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "68518522589e9ae890de427e", "name": "PIT 2024/2025 Online | Rozliczenie PIT w Chmurze za 2024 rok - PIT Projekt", "description": "As part of a series of updates on social media, we take a look at some of the most well-known examples of \"pit projekt\" - or \"pitprojkt\".", "modified": "2025-07-17T15:02:49.497000", "created": "2025-06-17T15:09:22.940000", "tags": [ "regexp", "typeof e", "typeof t", "class", "attr", "pseudo", "child", "function", "typeof module", "error", "block", "click", "body", "present mar", "present apr", "present feb", "present jan", "present sep", "present aug", "present jul", "pit projekt", "chcesz", "pity online", "program", "interesuje ci", "pity zapisane", "jeli", "oddajemy w", "twoje rce", "dziki jego", "sha1", "sha256", "telfhash" ], "references": [ "https://www.pitprojekt.pl/wp-includes/js/jquery/jquery.min.js?ver=3.7.1", "nitro-min-f43b551b749a36845288913120943cc6.jquery.min.js", "https://www.pitprojekt.pl/wp-content/plugins/dp-portfolio-posts-pro-1/js/ajax-get-post.js?ver=1.0.2", "http://www.pitprojekt.pl/files/772/119/PitProjekt2012Setup.exe", "http://pitprojekt.pl", "http://pit projekt.pl" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 13, "FileHash-MD5": 176, "FileHash-SHA1": 176, "FileHash-SHA256": 1557, "URL": 1228, "domain": 154, "hostname": 461, "email": 1 }, "indicator_count": 3766, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "317 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "672261a2b43e06073e4a15f0", "name": "ClickFix Campaign Threats to Organizations", "description": "Deepwatch Threat Intel team assesses that cybercriminals will likely continue using the ClickFix technique to target organizations and individuals. The ClickFix technique is a social engineering tactic employed by cybercriminals to deceive users into downloading malware through fake CAPTCHAs, error messages, and prompts that entice users to inadvertently run malicious PowerShell scripts and commands.", "modified": "2024-11-29T16:04:28.153000", "created": "2024-10-30T16:41:06.043000", "tags": [], "references": [ "https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/", "https://blog.sucuri.net/2024/08/wordpress-websites-used-to-distribute-clearfake-trojan-malware.html", "https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/#h-fake-google-meet-pages-and-technical-issues", "https://www.godaddy.com/resources/news/threat-actors-push-clickfix-fake-browser-updates-using-stolen-credentials" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma", "display_name": "Lumma", "target": null }, { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "DarkGate", "display_name": "DarkGate", "target": null }, { "id": "xmrig", "display_name": "xmrig", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1562.006", "name": "Indicator Blocking", "display_name": "T1562.006 - Indicator Blocking" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 11, "FileHash-SHA1": 9, "FileHash-SHA256": 9, "URL": 28, "domain": 158, "hostname": 8 }, "indicator_count": 223, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "547 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "6718fac8c19a7997aa7c4c6f", "name": "Fake WordPress Plug-ins Compromise Sites with Infostealers", "description": "", "modified": "2024-10-23T13:31:52.153000", "created": "2024-10-23T13:31:52.153000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 12 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "584 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "602e1f42d73cadcd73338ffbc553d5a2", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "602e1f42d73cadcd73338ffbc553d5a2", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780170497.3104823 }