{ "type": "Domain", "indicator": "abbeytitle.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/abbeytitle.com", "alexa": "http://www.alexa.com/siteinfo/abbeytitle.com", "indicator": "abbeytitle.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2697247478, "indicator": "abbeytitle.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-05-31T01:02:14", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2813, "FileHash-SHA1": 2576, "FileHash-SHA256": 8145, "domain": 1903, "hostname": 1502, "URL": 1359, "email": 46, "CVE": 54, "CIDR": 3, "YARA": 7, "JA3": 1, "IPv4": 11 }, "indicator_count": 18420, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "7 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694f0aa090aedc7e498b2e9a", "name": "Qakbot | *NEW Malware found and analyzed \u2022 IRS", "description": "IRS.GOV We have run several test on multiple machines/ devices PC , MacBook , iPhone , Android, Desktop hoping for better results. I believe proximity of most of the devices were well distanced , but have doubts. For this test IRS. GOV redirects payments to sawww4. or sa.www4. web addresses (example: 2fsa.www4.irs.gov) that now reads (connection error) during research. Pages still exist and will not process information. Still threatens levy no matter what (legal) information is entered. \n\nI\u2019m aware of Trump IRS proposals for 2026. The issue is taxpayers are being directed to alleged IRS employees or in person licensed CPA\u2019s. \n(sa. prefix Saudi Arabia?) SA. could be a prefix for anything including South Africa.", "modified": "2026-01-25T21:03:27.507000", "created": "2025-12-26T22:22:24.480000", "tags": [ "related tags", "none google", "win32", "united", "united states", "irs", "qakbot", "qbot", "inject", "keylogger", "botx", "active", "bot network", "et trojan", "hello ssl", "destination", "port", "unknown", "ciphersuite", "sessionid", "asnone", "write", "virustotal", "drweb", "vipre", "mcafee", "panda", "malware", "pandex!gen1", "et", "brazil as16625", "akamai", "united kingdom", "dynamicloader", "medium", "tls handshake", "failure", "yara rule", "high", "cape", "guard", "error", "delphi", "qakbot", "tlsv1", "entries", "iobit unikstall", "global", "read c", "rgba", "unicode", "memcommit", "delete", "msie", "windows nt", "next", "dock", "execution", "server header", "download", "suspicious", "specified", "logic", "web products", "present nov", "present dec", "present jun", "present oct", "present may", "aaaa", "next associated", "urls show", "scheme", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ip address", "ascii text", "pattern match", "href", "mitre att", "ck id", "show technique", "ck matrix", "beginstring", "show process", "null", "refresh", "span", "hybrid", "general", "local", "path", "iframe", "click", "strings", "tools", "title", "look", "verify", "restart", "learn", "command", "name tactics", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "adult content", "lol fun hackers" ], "references": [ "Start at https://www.irs.gov/ redirected to 2fsa.www4.irs.gov (connection error) irs.gov (active) Positive for all Malware", "IRS.GOV - Crypt3.BXVC ET Inject2.BIVE Win.Keylogger.Qbot-9987768-0 Win.Trojan.Qakbot-9988002-1 Win32:BotX-gen\\ [Trj]", "Pandex!gen1 Web Products", "Crypt3.BXVC IDS: Suspicious double Server Header", "Crypt3.BXVC IDS: Possible Kelihos.F EXE Download Common Structure", "Crypt3.BXVC IDS: Win32/Kelihos.F Checkin", "Crypt3.BXVC IDS: Fun Web Products Spyware User-Agent (FunWebProducts)", "Crypt3.BXVC IDS: Possible Kelihos Infection Executable Download With Malformed Header", "Crypt3.BXVC IDS: DNS Query for Suspicious .co.cc Domain", "Crypt3.BXVC IDS: Executable Download from dotted-quad Host", "Crypt3.BXVC IDS: Abuseat.org Block Message", "Crypt3.BXVC IDS: Executable Retrieved With Minimal HTTP", "Crypt3.BXVC IDS: PE EXE or DLL Windows file download HTTP", "Crypt3.BXVC IDS: Headers - Potential Second Stage Download", "Alerts: persistence_autorun sniffer_winpcap network_bind antivirus_virustotal network_http", "Alerts: network_icmp infostealer_browser recon_fingerprint infostealer_ftp network_smtp", "ET Trojan \u2022 https://otx.alienvault.com/indicator/file/43dbcee5aee3caab830ac840737bb591cfa99ae81f1280aeb38ad73ad9c317af" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Canada", "Brazil", "Ireland", "India", "Georgia", "Singapore", "Spain", "Japan" ], "malware_families": [ { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null }, { "id": "Win.Keylogger.Qbot-9987768-0", "display_name": "Win.Keylogger.Qbot-9987768-0", "target": null }, { "id": "Win.Trojan.Qakbot-9988002-1", "display_name": "Win.Trojan.Qakbot-9988002-1", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Pandex!gen1", "display_name": "Pandex!gen1", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Web Products", "display_name": "Web Products", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Finance", "Government", "IRS" ], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 158, "URL": 140, "hostname": 287, "FileHash-SHA256": 85, "FileHash-MD5": 110, "FileHash-SHA1": 77, "SSLCertFingerprint": 8 }, "indicator_count": 865, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "125 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e5f78f4505e0f1ed2b169a", "name": "Crypt3.BXVC", "description": "", "modified": "2024-10-14T20:01:07.396000", "created": "2024-09-14T20:52:31.163000", "tags": [ "asnone", "as15169", "as16417 cisco", "as26211", "as22843", "as36647 oath", "as3356 level", "as36646 oath", "telecom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Georgia", "Canada", "Brazil", "Ireland", "India", "Singapore", "Spain", "Japan", "Belgium", "South Africa", "China", "Italy", "Aruba", "Germany", "Ukraine" ], "malware_families": [ { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "WS.Reputation.1", "display_name": "WS.Reputation.1", "target": null }, { "id": "Backdoor.Win32.Hlux.csf", "display_name": "Backdoor.Win32.Hlux.csf", "target": null }, { "id": "Trojan.Downloader.JRJV", "display_name": "Trojan.Downloader.JRJV", "target": null }, { "id": "Trojan.DownLoader12.20457", "display_name": "Trojan.DownLoader12.20457", "target": null }, { "id": "TROJ_SPNV.01B615", "display_name": "TROJ_SPNV.01B615", "target": null }, { "id": "Troj/HkMain-CC", "display_name": "Troj/HkMain-CC", "target": null }, { "id": "Trojan/Win32.Ransom", "display_name": "Trojan/Win32.Ransom", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 100, "FileHash-SHA1": 100, "FileHash-SHA256": 175, "domain": 712, "hostname": 657, "URL": 1 }, "indicator_count": 1745, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IRS.GOV - Crypt3.BXVC ET Inject2.BIVE Win.Keylogger.Qbot-9987768-0 Win.Trojan.Qakbot-9988002-1 Win32:BotX-gen\\ [Trj]", "Start at https://www.irs.gov/ redirected to 2fsa.www4.irs.gov (connection error) irs.gov (active) Positive for all Malware", "Crypt3.BXVC IDS: Possible Kelihos Infection Executable Download With Malformed Header", "Crypt3.BXVC IDS: Abuseat.org Block Message", "ET Trojan \u2022 https://otx.alienvault.com/indicator/file/43dbcee5aee3caab830ac840737bb591cfa99ae81f1280aeb38ad73ad9c317af", "Crypt3.BXVC IDS: DNS Query for Suspicious .co.cc Domain", "Crypt3.BXVC IDS: Win32/Kelihos.F Checkin", "Pandex!gen1 Web Products", "Crypt3.BXVC IDS: Headers - Potential Second Stage Download", "Crypt3.BXVC IDS: PE EXE or DLL Windows file download HTTP", "Crypt3.BXVC IDS: Fun Web Products Spyware User-Agent (FunWebProducts)", "Crypt3.BXVC IDS: Executable Retrieved With Minimal HTTP", "Alerts: persistence_autorun sniffer_winpcap network_bind antivirus_virustotal network_http", "Crypt3.BXVC IDS: Possible Kelihos.F EXE Download Common Structure", "Crypt3.BXVC IDS: Suspicious double Server Header", "Alerts: network_icmp infostealer_browser recon_fingerprint infostealer_ftp network_smtp", "Crypt3.BXVC IDS: Executable Download from dotted-quad Host" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Inject2.bive", "Win.trojan.qakbot-9988002-1", "Backdoor.win32.hlux.csf", "Trojan/win32.ransom", "Trojan.downloader.jrjv", "Win32:botx-gen\\ [trj]", "Web products", "Trojan.downloader12.20457", "Crypt3.bxvc", "Pandex!gen1", "Ws.reputation.1", "Troj_spnv.01b615", "Troj/hkmain-cc", "Win.keylogger.qbot-9987768-0", "Et" ], "industries": [ "Irs", "Government", "Finance" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-05-31T01:02:14", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2813, "FileHash-SHA1": 2576, "FileHash-SHA256": 8145, "domain": 1903, "hostname": 1502, "URL": 1359, "email": 46, "CVE": 54, "CIDR": 3, "YARA": 7, "JA3": 1, "IPv4": 11 }, "indicator_count": 18420, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "7 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694f0aa090aedc7e498b2e9a", "name": "Qakbot | *NEW Malware found and analyzed \u2022 IRS", "description": "IRS.GOV We have run several test on multiple machines/ devices PC , MacBook , iPhone , Android, Desktop hoping for better results. I believe proximity of most of the devices were well distanced , but have doubts. For this test IRS. GOV redirects payments to sawww4. or sa.www4. web addresses (example: 2fsa.www4.irs.gov) that now reads (connection error) during research. Pages still exist and will not process information. Still threatens levy no matter what (legal) information is entered. \n\nI\u2019m aware of Trump IRS proposals for 2026. The issue is taxpayers are being directed to alleged IRS employees or in person licensed CPA\u2019s. \n(sa. prefix Saudi Arabia?) SA. could be a prefix for anything including South Africa.", "modified": "2026-01-25T21:03:27.507000", "created": "2025-12-26T22:22:24.480000", "tags": [ "related tags", "none google", "win32", "united", "united states", "irs", "qakbot", "qbot", "inject", "keylogger", "botx", "active", "bot network", "et trojan", "hello ssl", "destination", "port", "unknown", "ciphersuite", "sessionid", "asnone", "write", "virustotal", "drweb", "vipre", "mcafee", "panda", "malware", "pandex!gen1", "et", "brazil as16625", "akamai", "united kingdom", "dynamicloader", "medium", "tls handshake", "failure", "yara rule", "high", "cape", "guard", "error", "delphi", "qakbot", "tlsv1", "entries", "iobit unikstall", "global", "read c", "rgba", "unicode", "memcommit", "delete", "msie", "windows nt", "next", "dock", "execution", "server header", "download", "suspicious", "specified", "logic", "web products", "present nov", "present dec", "present jun", "present oct", "present may", "aaaa", "next associated", "urls show", "scheme", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ip address", "ascii text", "pattern match", "href", "mitre att", "ck id", "show technique", "ck matrix", "beginstring", "show process", "null", "refresh", "span", "hybrid", "general", "local", "path", "iframe", "click", "strings", "tools", "title", "look", "verify", "restart", "learn", "command", "name tactics", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "adult content", "lol fun hackers" ], "references": [ "Start at https://www.irs.gov/ redirected to 2fsa.www4.irs.gov (connection error) irs.gov (active) Positive for all Malware", "IRS.GOV - Crypt3.BXVC ET Inject2.BIVE Win.Keylogger.Qbot-9987768-0 Win.Trojan.Qakbot-9988002-1 Win32:BotX-gen\\ [Trj]", "Pandex!gen1 Web Products", "Crypt3.BXVC IDS: Suspicious double Server Header", "Crypt3.BXVC IDS: Possible Kelihos.F EXE Download Common Structure", "Crypt3.BXVC IDS: Win32/Kelihos.F Checkin", "Crypt3.BXVC IDS: Fun Web Products Spyware User-Agent (FunWebProducts)", "Crypt3.BXVC IDS: Possible Kelihos Infection Executable Download With Malformed Header", "Crypt3.BXVC IDS: DNS Query for Suspicious .co.cc Domain", "Crypt3.BXVC IDS: Executable Download from dotted-quad Host", "Crypt3.BXVC IDS: Abuseat.org Block Message", "Crypt3.BXVC IDS: Executable Retrieved With Minimal HTTP", "Crypt3.BXVC IDS: PE EXE or DLL Windows file download HTTP", "Crypt3.BXVC IDS: Headers - Potential Second Stage Download", "Alerts: persistence_autorun sniffer_winpcap network_bind antivirus_virustotal network_http", "Alerts: network_icmp infostealer_browser recon_fingerprint infostealer_ftp network_smtp", "ET Trojan \u2022 https://otx.alienvault.com/indicator/file/43dbcee5aee3caab830ac840737bb591cfa99ae81f1280aeb38ad73ad9c317af" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Canada", "Brazil", "Ireland", "India", "Georgia", "Singapore", "Spain", "Japan" ], "malware_families": [ { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null }, { "id": "Win.Keylogger.Qbot-9987768-0", "display_name": "Win.Keylogger.Qbot-9987768-0", "target": null }, { "id": "Win.Trojan.Qakbot-9988002-1", "display_name": "Win.Trojan.Qakbot-9988002-1", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Pandex!gen1", "display_name": "Pandex!gen1", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Web Products", "display_name": "Web Products", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Finance", "Government", "IRS" ], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 158, "URL": 140, "hostname": 287, "FileHash-SHA256": 85, "FileHash-MD5": 110, "FileHash-SHA1": 77, "SSLCertFingerprint": 8 }, "indicator_count": 865, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "125 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66e5f78f4505e0f1ed2b169a", "name": "Crypt3.BXVC", "description": "", "modified": "2024-10-14T20:01:07.396000", "created": "2024-09-14T20:52:31.163000", "tags": [ "asnone", "as15169", "as16417 cisco", "as26211", "as22843", "as36647 oath", "as3356 level", "as36646 oath", "telecom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Georgia", "Canada", "Brazil", "Ireland", "India", "Singapore", "Spain", "Japan", "Belgium", "South Africa", "China", "Italy", "Aruba", "Germany", "Ukraine" ], "malware_families": [ { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "WS.Reputation.1", "display_name": "WS.Reputation.1", "target": null }, { "id": "Backdoor.Win32.Hlux.csf", "display_name": "Backdoor.Win32.Hlux.csf", "target": null }, { "id": "Trojan.Downloader.JRJV", "display_name": "Trojan.Downloader.JRJV", "target": null }, { "id": "Trojan.DownLoader12.20457", "display_name": "Trojan.DownLoader12.20457", "target": null }, { "id": "TROJ_SPNV.01B615", "display_name": "TROJ_SPNV.01B615", "target": null }, { "id": "Troj/HkMain-CC", "display_name": "Troj/HkMain-CC", "target": null }, { "id": "Trojan/Win32.Ransom", "display_name": "Trojan/Win32.Ransom", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 100, "FileHash-SHA1": 100, "FileHash-SHA256": 175, "domain": 712, "hostname": 657, "URL": 1 }, "indicator_count": 1745, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "abbeytitle.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "abbeytitle.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780214754.6322918 }