{ "type": "Domain", "indicator": "api.cc", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/api.cc", "alexa": "http://www.alexa.com/siteinfo/api.cc", "indicator": "api.cc", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 837785882, "indicator": "api.cc", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 20, "pulses": [ { "id": "69d4595cd9283fc7a5aa03ab", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T03:46:03.154000", "created": "2026-04-07T01:09:48.152000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 195, "domain": 120, "IPv4": 14, "hostname": 101, "CVE": 1 }, "indicator_count": 3497, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595b8c340900560463a8", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:25:12.329000", "created": "2026-04-07T01:09:47.893000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595beae76fc81c99cf63", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:25:10.274000", "created": "2026-04-07T01:09:47.895000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595bad55db9318902436", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:09:47.753000", "created": "2026-04-07T01:09:47.753000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595a99f229f5b99ce366", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:09:46.696000", "created": "2026-04-07T01:09:46.696000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4594ea685ae6b9912f97b", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:09:34.613000", "created": "2026-04-07T01:09:34.613000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d45947ce0025cf5afbb117", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:09:27.333000", "created": "2026-04-07T01:09:27.333000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d452df7c1ea9136ee627df", "name": "VirusTotal Box of Apples Sandbox report", "description": "", "modified": "2026-04-07T00:45:08.732000", "created": "2026-04-07T00:42:07.725000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1066, "IPv4": 17, "FileHash-MD5": 6, "FileHash-SHA1": 11, "domain": 111, "hostname": 67, "URL": 104 }, "indicator_count": 1382, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d452d748d0f072544a4564", "name": "VirusTotal Box of Apples Sandbox report", "description": "", "modified": "2026-04-07T00:41:59.068000", "created": "2026-04-07T00:41:59.068000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1066, "IPv4": 17, "FileHash-MD5": 6, "FileHash-SHA1": 11, "domain": 111, "hostname": 66, "URL": 104 }, "indicator_count": 1381, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d452d5b2ebb31d314f0325", "name": "VirusTotal Box of Apples Sandbox report", "description": "", "modified": "2026-04-07T00:41:57.173000", "created": "2026-04-07T00:41:57.173000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1066, "IPv4": 17, "FileHash-MD5": 6, "FileHash-SHA1": 11, "domain": 111, "hostname": 66, "URL": 104 }, "indicator_count": 1381, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d452d1096350bb560f7fee", "name": "VirusTotal Box of Apples Sandbox report", "description": "", "modified": "2026-04-07T00:41:53.433000", "created": "2026-04-07T00:41:53.433000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1066, "IPv4": 17, "FileHash-MD5": 6, "FileHash-SHA1": 11, "domain": 111, "hostname": 66, "URL": 104 }, "indicator_count": 1381, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6962f12c2578ca1d1f8e212f", "name": "Google_Chrome Attack related to Pahamify Pegasus Intrusive Monitoring of a Crime.Victim", "description": "Pahamify Pegasus: Google_Chrome_64bit_v136.0.7103.49.exe \nIsolated IOC\u2019s || Related to the targeting of a crime victim.\nDrive by compromise seen on old iPhone locked screen in past. Glitched Bible Gateway app access stuttered entire phone (new and updated at the time) | add pop\nups began, finally an early morning drive by compromise on locked screen \u2018Do you have a Starbucks App?) |[Issue: can only access phone if you answer. Easy mistake , powering off device may or may not have cleared screen] victim checks Bible gateway app believing it to be a malicious app DLL from Apple App Store.\n\nFirebase apps remotely installed, can access via email. other apps corrupted. Google Translate and Notepad linked directly to threat actors.\nNotepad linked to and FBI website in Loudon County, Va. Acted as fake content scraper constantly creating websites.", "modified": "2026-02-09T23:00:37.530000", "created": "2026-01-11T00:39:08.048000", "tags": [ "ipv4", "url https", "url http", "ipv6", "indicator role", "title added", "active related", "type indicator", "related pulses", "discovery", "gather victim", "information", "tool transfer", "capture", "hijacking", "t1055", "injection", "service", "manipulation", "impact", "execution", "timestomp", "tools", "usercitynewyork", "bannerid682713", "landingid702316", "countryid774749", "chrome", "google", "yahoo", "active", "indicator", "source", "ck id", "show technique", "mitre att", "ck matrix", "file", "pattern match", "internet", "error", "errore", "crypto", "compiler", "installer", "download", "hybrid", "shutdown", "strings", "erreur", "updater", "install", "yang", "downloader", "learn", "adversaries", "name tactics", "suspicious", "informative", "defense evasion", "found", "found registry", "able", "model", "united", "et trojan", "show", "search", "as15169", "get http", "intel", "ms windows", "write", "read c", "malware", "trojan", "possible", "sha1", "rgba", "size", "ascii text", "png image", "sha256", "span", "core", "date", "title", "meta", "format", "august", "general", "local", "encrypt", "root", "click", "form", "refresh", "jsme", "qsnw4im", "high", "artemis", "virustotal", "generic", "mcafee", "baidu", "drweb", "vipre", "panda", "malsinowaa", "less see", "all yara", "detections none", "mebroot", "contacted", "domains", "all related", "pulses otx", "pulses", "tags", "related tags", "file type", "pexe", "targeting", "monitored target", "pegasus" ], "references": [ "Gen:Trojan.Heur.wq5@QsnW4Im , Backdoor.Win32.Sinowal.fac , Mal/Sinowa-A ,", "Trojan.Mebroot , a variant of Win32/Mebroot.BM , Trojan:W32/Mebroot.gen!A , Trojan.Packed.2447", "Detections PSW.Sinowal.X , Win.Trojan.Sinowal-13971 , Artemis!0DF9D8682EFA ,", "Alerts: stealth_network antivirus_virustotal static_pe_anomaly", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_(64bit)_v136.0.7103.49.exe", "Google_Chrome_64bit_v136.0.7103.49.exe", "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7", "IDS Detections: ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.google.com)", "ET TROJAN Possible VirLock Connectivity Check" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Mebroot", "display_name": "Mebroot", "target": null }, { "id": "PSW.Sinowal.X", "display_name": "PSW.Sinowal.X", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2126, "domain": 492, "hostname": 913, "email": 3, "FileHash-SHA256": 953, "FileHash-MD5": 78, "FileHash-SHA1": 61, "SSLCertFingerprint": 14 }, "indicator_count": 4640, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "69 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6962b68da732abc66a0c2caf", "name": "Der Zugriff \u2022 Kanna \u2022 MyDoom \u2022 Sigur - Pahamify Pegasus", "description": "Pahamify Pegasus | Execution Attack, Access Attack | Drive by Compromise | \nSifting through Pahamify Pegasus this is no longer your computer , injection, google connects, remote connections, remote mouse movement, remote access, Google espionage, bad traffic, Apple complicit access. This is your Google account and browser, this is your appleid. Still researching\u2026. || \n*https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_ ||\nMalware: Der Zugriff ,\nKanna ,\nMyDoom ,\nSigur \n#firebase #google_connection #bible_gateway_honeypot #crypto #hidden_users #who_else", "modified": "2026-02-09T19:00:09.890000", "created": "2026-01-10T20:29:01.675000", "tags": [ "ip address", "status code", "kb body", "iocs", "deny age", "cloudfront", "utc google", "tag manager", "g8t6ln06z40", "utc na", "google tag", "injection", "t1055 malware", "tree", "help v", "defense evasion", "injection t1055", "resolved ips", "get http", "dns resolutions", "v memory", "pattern domains", "full reports", "v help", "memory pattern", "urls https", "hashes", "tiktok", "microsoft", "dashboard falcon", "request", "windows nt", "win64", "khtml", "gecko", "response", "appleid", "united", "name servers", "aaaa", "servers", "moved", "script urls", "passive dns", "urls", "data upload", "extraction", "failed", "jsvendor", "jsapp", "script script", "cssapp", "jsfirebase", "pegasus", "encrypt", "title error", "ipv4", "files", "reverse dns", "united states", "malware", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "t1204 user", "script", "beginstring", "bad traffic", "et info", "null", "title", "refresh", "span", "strings", "error", "tools", "meta", "look", "verify", "restart", "mitre att", "ascii text", "pattern match", "ck matrix", "tls handshake", "hybrid", "general", "local", "path", "click", "ck techniques", "access att", "div div", "a li", "ul div", "record value", "emails", "accept", "referen https", "microsoft-falcon.net", "proxy", "status", "certificate", "updated date", "whois server", "zipcode", "entries http", "scans show", "search", "matches x", "type", "gmt cache", "all ipv4", "america flag", "america asn", "sameorigin", "urls show", "date checked", "url hostname", "server response", "google safe", "results jan", "ipv4 add", "win32mydoom jan", "trojan", "worm", "expiration date", "files show", "date hash", "avast avg", "win32mydoom", "backdoor", "found", "gmt connection", "control", "content type", "twitter", "dynamicloader", "medium", "high", "msie", "wow64", "slcc2", "media center", "write", "global", "domain name", "hostname", "apple", "racebook", "mouse movement", "remote mouse", "domain", "hostname add", "url analysis", "crlf line", "ff d5", "unicode text", "utf8", "ee fc", "yara rule", "f0 ff", "ff bb", "music", "push", "autorun", "unknown", "present sep", "present may", "present jan", "present aug", "cname", "present nov", "present jun", "apache", "body", "pragma", "found registry", "able", "model", "indicator", "source", "show technique", "file", "internet", "errore", "erreur", "download", "service", "crypto", "compiler", "installer", "yang", "updater", "shutdown", "thunk", "este", "install", "reboot", "code", "downloader", "sigur", "kanna", "der zugriff", "google", "chrome", "Pahamify Pegasus", "christoper p. ahmann", "law enforcement", "retaliation", "phone", "espionage", "united states", "m brian sabey", "quasi government", "target", "monitored targeting", "aig", "therahand (old name)", "target: tsara brashears", "douglas county, co", "sheriff", "industry and commerce", "worker\u2019s compensation", "crime", "financial crime", "danger", "nem tih", "amazon", "aws", "amazon aws", "deal", "deal with it lawfully", "pay victim", "protecting reimer" ], "references": [ "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur", "Pahamify Pegasus", "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)", "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android", "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4", "tv.apple.com", "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net", "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A", "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)", "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)", "IDS: TLS Handshake Failure", "Yara Detections BackdoorWin32Simda", "Google_Chrome_64bit_v136.0.7103.49.exe", "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022", "https://wallpapers-nature.com/tsara-brashears/urlscan-io" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Pariham.A", "display_name": "Trojan:Win32/Pariham.A", "target": "/malware/Trojan:Win32/Pariham.A" }, { "id": "MyDoom", "display_name": "MyDoom", "target": null }, { "id": "Virus:Win95/Cerebrus", "display_name": "Virus:Win95/Cerebrus", "target": "/malware/Virus:Win95/Cerebrus" }, { "id": "AutoRunIt", "display_name": "AutoRunIt", "target": null }, { "id": "Sigur", "display_name": "Sigur", "target": null }, { "id": "Kanna", "display_name": "Kanna", "target": null }, { "id": "Der Zugriff", "display_name": "Der Zugriff", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1591", "name": "Gather Victim Org Information", "display_name": "T1591 - Gather Victim Org Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1134.002", "name": "Create Process with Token", "display_name": "T1134.002 - Create Process with Token" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1497.003", "name": "Time Based Evasion", "display_name": "T1497.003 - Time Based Evasion" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1497.002", "name": "User Activity Based Checks", "display_name": "T1497.002 - User Activity Based Checks" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1074.001", "name": "Local Data Staging", "display_name": "T1074.001 - Local Data Staging" }, { "id": "T1560.002", "name": "Archive via Library", "display_name": "T1560.002 - Archive via Library" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" } ], "industries": [ "Civil Society", "Legal", "Government", "Technology", "Telecommunications", "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6094, "domain": 1195, "hostname": 2001, "FileHash-SHA256": 2598, "FileHash-MD5": 546, "FileHash-SHA1": 403, "email": 16, "CVE": 2, "SSLCertFingerprint": 3 }, "indicator_count": 12858, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "69 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b3fb6752ac464268b971b1", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "Found periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA.\nContact made. Physical records. Client: Brashears.\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/\n1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376\nhttps://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/\nhttps://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html\nTEL:Trojan:Win32/BazaarLoader\n987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7", "modified": "2024-09-05T07:02:20.491000", "created": "2024-01-26T18:35:19.690000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2401, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5377, "domain": 3794, "hostname": 2763, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 18927, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b85df45cc3d3fd07139ea9", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader", "description": "", "modified": "2024-09-05T06:38:09.443000", "created": "2024-01-30T02:24:52.774000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b47501fcbc39983f098723", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2390, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4357, "domain": 3534, "hostname": 2670, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 17111, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "592 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65be8dde8544d0b022b4c464", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | Emotet ", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-02-03T19:02:54.507000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b85df45cc3d3fd07139ea9", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b80982381b53c66f0dd1e1", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-29T20:24:34.644000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b47524b1ec6b5c783a832e", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1530, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5239, "domain": 3740, "hostname": 2560, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 17661, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b47524b1ec6b5c783a832e", "name": "BazaarLoader | REDCAP | https://jbplegal com/ | Cyber espionage", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-27T03:14:44.070000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as3356 level", "as15133 verizon", "as22822", "as20446", "cname", "honeypot", "read c", "regsetvalueexa", "regdword", "as29789", "moved", "morphex", "cryp", "susp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b3fb6752ac464268b971b1", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1530, "FileHash-MD5": 2428, "FileHash-SHA1": 2136, "FileHash-SHA256": 5239, "domain": 3740, "hostname": 2560, "CVE": 5, "email": 19, "SSLCertFingerprint": 4 }, "indicator_count": 17661, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b47501fcbc39983f098723", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader", "description": "", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-27T03:14:09.392000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": "65b3fe6c4cd0f5158eb18692", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b3fe6c4cd0f5158eb18692", "name": "Honeypot | https://jbplegal com/ | Cyber espionage | DynamicLoader,", "description": "Found periphery.m (moderate sized dump) Targets Tsara Brashears Several staffed law offices based on Colorado, USA. Contact made. Physical records. Client: Brashears. https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.Win32.REDCAP.MCRK/ 1c597b7c7934ef03eb0def0b64655dd79abe08567ff3053761e5516064a43376 https://otx.alienvault.com/malware/TEL:Trojan:Win32%2FBazaarLoader!MTB/ https://www.trendmicro.com/en_ph/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html TEL:Trojan:Win32/BazaarLoader 987204ca82337f0a3f28097a5d66d5f3ecb11d43d82f67cd753d0bf2ce40b7a7https://www.joesandbox.com/analysis/1311477\nTarget: Critical Risk. In person contact made. Fraud services offered. \nThis is crazy.", "modified": "2024-02-25T17:03:29.232000", "created": "2024-01-26T18:48:12.433000", "tags": [ "no expiration", "filehashsha1", "filehashmd5", "filehashsha256", "url http", "ipv4", "iocs", "url https", "next", "scan endpoints", "expiration", "domain", "pdf report", "pcap", "all scoreblue", "hostname", "tagwearable", "email", "united", "as46562", "unknown", "as213120", "search", "creation date", "dnssec", "showing", "entries", "as32400 hostway", "encrypt", "status", "date", "passive dns", "urls", "record value", "apache", "pragma", "body", "as9009 m247", "pulse pulses", "files", "hosting", "location new", "as58955 bangmod", "pulse submit", "url analysis", "reverse dns", "all search", "otx scoreblue", "http", "ip address", "related nids", "filehash", "sha256", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "june", "copy", "aaaa", "a domains", "address", "div div", "span span", "span h2", "a li", "lucky guy", "span", "customer", "location united", "cookie", "as54113", "xamzexpires300", "hstr", "github pages", "request id", "accept", "win64", "found", "show", "win32", "related pulses", "sea x", "cache", "dynamicloader", "targetname", "pe32", "intel", "ms windows", "yara rule", "high", "write", "bruteforce", "location china", "asn as45090", "cobalt strike", "internet", "iana", "whois lookups", "city", "los angeles", "orgabusephone", "orgid", "iana ref", "net192", "net1920000", "ssl cert", "ssl certificate", "tlsv1 apr", "cobaltstrike", "default", "read", "trojan", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "malware", "no entries", "entries found", "delete", "found pe", "stus", "cnus", "tlsv1", "as20940", "as16625 akamai", "asnone united", "emails", "microsoft way", "as8075", "united kingdom", "aaaa nxdomain", "a nxdomain", "nxdomain", "as8068", "as14061", "whitelisted", "as16276", "script urls", "name servers", "meta", "as43317 fishnet" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "Netherlands", "Romania", "Russian Federation", "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1509, "FileHash-MD5": 2213, "FileHash-SHA1": 1921, "FileHash-SHA256": 4239, "domain": 3480, "hostname": 2466, "CVE": 5, "email": 17, "SSLCertFingerprint": 4 }, "indicator_count": 15854, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "784 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Pahamify Pegasus", "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "Detections PSW.Sinowal.X , Win.Trojan.Sinowal-13971 , Artemis!0DF9D8682EFA ,", "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android", "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com", "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)", "tv.apple.com", "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "Gen:Trojan.Heur.wq5@QsnW4Im , Backdoor.Win32.Sinowal.fac , Mal/Sinowa-A ,", "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com", "Alerts: stealth_network antivirus_virustotal static_pe_anomaly", "ET TROJAN Possible VirLock Connectivity Check", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_(64bit)_v136.0.7103.49.exe", "IDS: TLS Handshake Failure", "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 , Trojan:Win32/Pariham.A", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)", "Trojan.Mebroot , a variant of Win32/Mebroot.BM , Trojan:W32/Mebroot.gen!A , Trojan.Packed.2447", "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4", "Google_Chrome_64bit_v136.0.7103.49.exe", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "IDS Detections: ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.google.com)", "Yara Detections BackdoorWin32Simda", "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_", "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Autorunit", "Trojan:win32/pariham.a", "Mebroot", "Kanna", "Psw.sinowal.x", "Sigur", "Der zugriff", "Mydoom", "Virus:win95/cerebrus" ], "industries": [ "Financial", "Civil society", "Government", "Telecommunications", "Technology", "Legal" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 20, "pulses": [ { "id": "69d4595cd9283fc7a5aa03ab", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T03:46:03.154000", "created": "2026-04-07T01:09:48.152000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 195, "domain": 120, "IPv4": 14, "hostname": 101, "CVE": 1 }, "indicator_count": 3497, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595b8c340900560463a8", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:25:12.329000", "created": "2026-04-07T01:09:47.893000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595beae76fc81c99cf63", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:25:10.274000", "created": "2026-04-07T01:09:47.895000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595bad55db9318902436", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:09:47.753000", "created": "2026-04-07T01:09:47.753000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595a99f229f5b99ce366", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:09:46.696000", "created": "2026-04-07T01:09:46.696000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4594ea685ae6b9912f97b", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:09:34.613000", "created": "2026-04-07T01:09:34.613000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d45947ce0025cf5afbb117", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-04-07T01:09:27.333000", "created": "2026-04-07T01:09:27.333000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "IPv4": 14, "hostname": 101 }, "indicator_count": 3495, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d452df7c1ea9136ee627df", "name": "VirusTotal Box of Apples Sandbox report", "description": "", "modified": "2026-04-07T00:45:08.732000", "created": "2026-04-07T00:42:07.725000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1066, "IPv4": 17, "FileHash-MD5": 6, "FileHash-SHA1": 11, "domain": 111, "hostname": 67, "URL": 104 }, "indicator_count": 1382, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d452d748d0f072544a4564", "name": "VirusTotal Box of Apples Sandbox report", "description": "", "modified": "2026-04-07T00:41:59.068000", "created": "2026-04-07T00:41:59.068000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1066, "IPv4": 17, "FileHash-MD5": 6, "FileHash-SHA1": 11, "domain": 111, "hostname": 66, "URL": 104 }, "indicator_count": 1381, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d452d5b2ebb31d314f0325", "name": "VirusTotal Box of Apples Sandbox report", "description": "", "modified": "2026-04-07T00:41:57.173000", "created": "2026-04-07T00:41:57.173000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1066, "IPv4": 17, "FileHash-MD5": 6, "FileHash-SHA1": 11, "domain": 111, "hostname": 66, "URL": 104 }, "indicator_count": 1381, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "api.cc", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "api.cc", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776684349.8963253 }