{
  "type": "Domain",
  "indicator": "client.cc",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/client.cc",
    "alexa": "http://www.alexa.com/siteinfo/client.cc",
    "indicator": "client.cc",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 837785893,
      "indicator": "client.cc",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 23,
      "pulses": [
        {
          "id": "69dbeabf8e4208f8af8b744d",
          "name": "CAPE Sandbox",
          "description": "A full report on Google Tag Manager for GA4, available to download on the web at any time, here is the full set of key points and key details for the report: .",
          "modified": "2026-05-12T18:44:07.582000",
          "created": "2026-04-12T18:55:59.161000",
          "tags": [
            "default",
            "typelib",
            "parent pid",
            "full path",
            "command line",
            "inprocserver32",
            "accept",
            "shell folders",
            "host",
            "cname",
            "install",
            "agent",
            "shutdown",
            "win64",
            "back",
            "info",
            "file type",
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "text",
            "json",
            "in a",
            "estonia",
            "body",
            "performs dns",
            "https",
            "mitre attack",
            "network info",
            "processes extra",
            "t1055 process",
            "layer protocol",
            "overview",
            "overview zenbox",
            "verdict",
            "phishing",
            "next",
            "xffxf0 xffxf0",
            "xffxee xffxee",
            "xffxef xffxef",
            "xffxeb xffxeb",
            "px9d",
            "xe4x84",
            "fxf8",
            "x94 x94",
            "xc1 xc1",
            "xffxf1 xffxf1",
            "urls",
            "has permission",
            "united",
            "sim provider",
            "may check",
            "tls version",
            "persistence",
            "pe file",
            "pe32",
            "intel",
            "ms windows",
            "sample",
            "spawns",
            "found",
            "drops pe",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "download",
            "trojan",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "please"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/007b0aa19218de7fe7b47dc785b345e4e09f8c8a133c689dafc778cf793e3ce0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019916&Signature=xU%2B28g7ql0wStAL7V97bG%2Bu0WHtev4OIGz8U3iqDKd%2FVNVlrDQ3vuAEteGPtDDR7qOlLSsItJmNBqGgWLySJ6U0nGICmzJVo0byP8H6%2Fd3HprkIH74LXAL%2FamR8rSKAlS1VWW%2FnGofIVc0zLtQeJdz%2BAMpNC0WX4pzvsIv2uagnjpUxUyVUykArW18%2FIapRYlTQZ0g4MdrwH%2FZ7h%2F0u9jGUM6rAiCBz33EYObn4aNb",
            "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019946&Signature=JcVZlsCApsz0O52G3FOi%2BaimamYfGaduCcu4UnDC9VmXvZgqZ7fDxGeCnZM9NPUhmq0561rZ8PRIqA52RiBX3KnC7vhJa9PFjro5MHPo48Ypu9wL0RVB7C0RmZ3osycpkpyxEhtxKbIBAhFSEeMaEF%2F1BQw5%2BiCzEgPRP4X89bIAzw2EDpi3ulfCz8hms3FgCvWD6JMXBGKQJt1aE58BlUPY7ZhwLtbK4kOd4wzZjtfRjMqcTIEH7E0l",
            "https://vtbehaviour.commondatastorage.googleapis.com/3aebd918df444e5261a70a7b9957a04b62899583cca94cb90078ee348988691e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020086&Signature=vMuNzon2yUMc%2F5PXmshAS3lf0MVaReBDP3dcoOo82NLL71xjFa%2F0VIEFo55JjUmKlOHvhj6b0rJp8aIUUpsBDR%2FLZqmeDT44n0TYUkzfcIlLutGzkvs51q5mrJeeemJL6QT8bKwOFyLEXXO4SZPPduUilqL%2B1j79%2BDUni60qslB23F%2FgjYjG0edIuIfW6yq1yjBgsR34RyCGI5Lc8I%2FVLrF4ZjzIswsIHyhorBolKc7rKhoDz6masxaT",
            "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020136&Signature=H%2FVhg6NRizidJvYP4bRaC%2B%2Fuh8%2F0Z5Rd0CKbYgwrqTxA%2B2BloALbxPU70bhu3eDWE1sqvRizm6xer2MkUeNtxL9kjtBPDD7Vpxe6Oq6R6o22ZN5vWg%2BqZnbM3PVA3wfuJwZ1sZaO7gv79Bd4iyuD9687aMdFTrD5BJ%2Fbd2rKn063HRKOwRubgTuKJwxXlPjVI0ocAdDIvmmDac1rsWOYTbcHVCIKUVrpUCmnjpXsSag%2BZTA",
            "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020243&Signature=H1wTQxzrttgLCjJhjhriXYwMDCRB5ydjPUCYh9LS7Sqr42Y7WZzXZe0hC7YLFaTXYy2N3AsSr89gjIRZR80Jda4iLYyDlgohE9qQ3kFeKNZ%2FNp7IQu5FZY%2FpXRI7rsIlJnvlZmpbI006al7O0LQV5CrC797x%2FTp6jmAxmP5TS7NA%2BGfaDL14G7dIIeHtBoHxi7cbP%2Fe3qT1q3LcRk5oN%2FRV8TXEhpggMmbhYUEmK6ATwmwrh",
            "https://vtbehaviour.commondatastorage.googleapis.com/005fdc2438f1b1e58ea5e4d9c396feea40ad8a4788e90da06ecea60c5a8d79c2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020323&Signature=Mogy01Itx6r1B%2BxNe8ittQgO%2FxZRRAb%2F9lJynhxwSVOzHX7CsWRLBNEGHRp0B9k%2Bg%2FHO2jb5K65QRLLPyqkoA45n8CsH6T5790n7E0fsbYtOvp04eV28khNlOt2b%2Feh0a3nwcC%2BNAmxEHgqzaCfQlHBqBjk2ErpfhlpC5uQJchq%2BBgGeuPcFc8YRy4RCmaBiaTeD2V%2FJD7lssTzQfnZhLNMSLqEISDCN7TYsfL1%2BJREl4wSO7C",
            "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1406",
              "name": "Obfuscated Files or Information",
              "display_name": "T1406 - Obfuscated Files or Information"
            },
            {
              "id": "T1409",
              "name": "Access Stored Application Data",
              "display_name": "T1409 - Access Stored Application Data"
            },
            {
              "id": "T1418",
              "name": "Application Discovery",
              "display_name": "T1418 - Application Discovery"
            },
            {
              "id": "T1421",
              "name": "System Network Connections Discovery",
              "display_name": "T1421 - System Network Connections Discovery"
            },
            {
              "id": "T1422",
              "name": "System Network Configuration Discovery",
              "display_name": "T1422 - System Network Configuration Discovery"
            },
            {
              "id": "T1424",
              "name": "Process Discovery",
              "display_name": "T1424 - Process Discovery"
            },
            {
              "id": "T1426",
              "name": "System Information Discovery",
              "display_name": "T1426 - System Information Discovery"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 302,
            "FileHash-SHA1": 71,
            "FileHash-SHA256": 78,
            "URL": 181,
            "domain": 34,
            "hostname": 237
          },
          "indicator_count": 903,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "18 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69dbeabe5c5690d468b08e7a",
          "name": "CAPE Sandbox",
          "description": "A full report on Google Tag Manager for GA4, available to download on the web at any time, here is the full set of key points and key details for the report: .",
          "modified": "2026-05-12T18:44:07.582000",
          "created": "2026-04-12T18:55:58.319000",
          "tags": [
            "default",
            "typelib",
            "parent pid",
            "full path",
            "command line",
            "inprocserver32",
            "accept",
            "shell folders",
            "host",
            "cname",
            "install",
            "agent",
            "shutdown",
            "win64",
            "back",
            "info",
            "file type",
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "text",
            "json",
            "in a",
            "estonia",
            "body",
            "performs dns",
            "https",
            "mitre attack",
            "network info",
            "processes extra",
            "t1055 process",
            "layer protocol",
            "overview",
            "overview zenbox",
            "verdict",
            "phishing",
            "next",
            "xffxf0 xffxf0",
            "xffxee xffxee",
            "xffxef xffxef",
            "xffxeb xffxeb",
            "px9d",
            "xe4x84",
            "fxf8",
            "x94 x94",
            "xc1 xc1",
            "xffxf1 xffxf1",
            "urls",
            "has permission",
            "united",
            "sim provider",
            "may check",
            "tls version",
            "persistence",
            "pe file",
            "pe32",
            "intel",
            "ms windows",
            "sample",
            "spawns",
            "found",
            "drops pe",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "download",
            "trojan",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "please"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/007b0aa19218de7fe7b47dc785b345e4e09f8c8a133c689dafc778cf793e3ce0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019916&Signature=xU%2B28g7ql0wStAL7V97bG%2Bu0WHtev4OIGz8U3iqDKd%2FVNVlrDQ3vuAEteGPtDDR7qOlLSsItJmNBqGgWLySJ6U0nGICmzJVo0byP8H6%2Fd3HprkIH74LXAL%2FamR8rSKAlS1VWW%2FnGofIVc0zLtQeJdz%2BAMpNC0WX4pzvsIv2uagnjpUxUyVUykArW18%2FIapRYlTQZ0g4MdrwH%2FZ7h%2F0u9jGUM6rAiCBz33EYObn4aNb",
            "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019946&Signature=JcVZlsCApsz0O52G3FOi%2BaimamYfGaduCcu4UnDC9VmXvZgqZ7fDxGeCnZM9NPUhmq0561rZ8PRIqA52RiBX3KnC7vhJa9PFjro5MHPo48Ypu9wL0RVB7C0RmZ3osycpkpyxEhtxKbIBAhFSEeMaEF%2F1BQw5%2BiCzEgPRP4X89bIAzw2EDpi3ulfCz8hms3FgCvWD6JMXBGKQJt1aE58BlUPY7ZhwLtbK4kOd4wzZjtfRjMqcTIEH7E0l",
            "https://vtbehaviour.commondatastorage.googleapis.com/3aebd918df444e5261a70a7b9957a04b62899583cca94cb90078ee348988691e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020086&Signature=vMuNzon2yUMc%2F5PXmshAS3lf0MVaReBDP3dcoOo82NLL71xjFa%2F0VIEFo55JjUmKlOHvhj6b0rJp8aIUUpsBDR%2FLZqmeDT44n0TYUkzfcIlLutGzkvs51q5mrJeeemJL6QT8bKwOFyLEXXO4SZPPduUilqL%2B1j79%2BDUni60qslB23F%2FgjYjG0edIuIfW6yq1yjBgsR34RyCGI5Lc8I%2FVLrF4ZjzIswsIHyhorBolKc7rKhoDz6masxaT",
            "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020136&Signature=H%2FVhg6NRizidJvYP4bRaC%2B%2Fuh8%2F0Z5Rd0CKbYgwrqTxA%2B2BloALbxPU70bhu3eDWE1sqvRizm6xer2MkUeNtxL9kjtBPDD7Vpxe6Oq6R6o22ZN5vWg%2BqZnbM3PVA3wfuJwZ1sZaO7gv79Bd4iyuD9687aMdFTrD5BJ%2Fbd2rKn063HRKOwRubgTuKJwxXlPjVI0ocAdDIvmmDac1rsWOYTbcHVCIKUVrpUCmnjpXsSag%2BZTA",
            "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020243&Signature=H1wTQxzrttgLCjJhjhriXYwMDCRB5ydjPUCYh9LS7Sqr42Y7WZzXZe0hC7YLFaTXYy2N3AsSr89gjIRZR80Jda4iLYyDlgohE9qQ3kFeKNZ%2FNp7IQu5FZY%2FpXRI7rsIlJnvlZmpbI006al7O0LQV5CrC797x%2FTp6jmAxmP5TS7NA%2BGfaDL14G7dIIeHtBoHxi7cbP%2Fe3qT1q3LcRk5oN%2FRV8TXEhpggMmbhYUEmK6ATwmwrh",
            "https://vtbehaviour.commondatastorage.googleapis.com/005fdc2438f1b1e58ea5e4d9c396feea40ad8a4788e90da06ecea60c5a8d79c2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020323&Signature=Mogy01Itx6r1B%2BxNe8ittQgO%2FxZRRAb%2F9lJynhxwSVOzHX7CsWRLBNEGHRp0B9k%2Bg%2FHO2jb5K65QRLLPyqkoA45n8CsH6T5790n7E0fsbYtOvp04eV28khNlOt2b%2Feh0a3nwcC%2BNAmxEHgqzaCfQlHBqBjk2ErpfhlpC5uQJchq%2BBgGeuPcFc8YRy4RCmaBiaTeD2V%2FJD7lssTzQfnZhLNMSLqEISDCN7TYsfL1%2BJREl4wSO7C",
            "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1406",
              "name": "Obfuscated Files or Information",
              "display_name": "T1406 - Obfuscated Files or Information"
            },
            {
              "id": "T1409",
              "name": "Access Stored Application Data",
              "display_name": "T1409 - Access Stored Application Data"
            },
            {
              "id": "T1418",
              "name": "Application Discovery",
              "display_name": "T1418 - Application Discovery"
            },
            {
              "id": "T1421",
              "name": "System Network Connections Discovery",
              "display_name": "T1421 - System Network Connections Discovery"
            },
            {
              "id": "T1422",
              "name": "System Network Configuration Discovery",
              "display_name": "T1422 - System Network Configuration Discovery"
            },
            {
              "id": "T1424",
              "name": "Process Discovery",
              "display_name": "T1424 - Process Discovery"
            },
            {
              "id": "T1426",
              "name": "System Information Discovery",
              "display_name": "T1426 - System Information Discovery"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 302,
            "FileHash-SHA1": 71,
            "FileHash-SHA256": 78,
            "URL": 181,
            "domain": 34,
            "hostname": 237
          },
          "indicator_count": 903,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "18 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69dbeabd47b6e788ecf7fc32",
          "name": "CAPE Sandbox",
          "description": "A full report on Google Tag Manager for GA4, available to download on the web at any time, here is the full set of key points and key details for the report: .",
          "modified": "2026-05-12T18:44:07.582000",
          "created": "2026-04-12T18:55:57.872000",
          "tags": [
            "default",
            "typelib",
            "parent pid",
            "full path",
            "command line",
            "inprocserver32",
            "accept",
            "shell folders",
            "host",
            "cname",
            "install",
            "agent",
            "shutdown",
            "win64",
            "back",
            "info",
            "file type",
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "text",
            "json",
            "in a",
            "estonia",
            "body",
            "performs dns",
            "https",
            "mitre attack",
            "network info",
            "processes extra",
            "t1055 process",
            "layer protocol",
            "overview",
            "overview zenbox",
            "verdict",
            "phishing",
            "next",
            "xffxf0 xffxf0",
            "xffxee xffxee",
            "xffxef xffxef",
            "xffxeb xffxeb",
            "px9d",
            "xe4x84",
            "fxf8",
            "x94 x94",
            "xc1 xc1",
            "xffxf1 xffxf1",
            "urls",
            "has permission",
            "united",
            "sim provider",
            "may check",
            "tls version",
            "persistence",
            "pe file",
            "pe32",
            "intel",
            "ms windows",
            "sample",
            "spawns",
            "found",
            "drops pe",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "download",
            "trojan",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "please"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/007b0aa19218de7fe7b47dc785b345e4e09f8c8a133c689dafc778cf793e3ce0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019916&Signature=xU%2B28g7ql0wStAL7V97bG%2Bu0WHtev4OIGz8U3iqDKd%2FVNVlrDQ3vuAEteGPtDDR7qOlLSsItJmNBqGgWLySJ6U0nGICmzJVo0byP8H6%2Fd3HprkIH74LXAL%2FamR8rSKAlS1VWW%2FnGofIVc0zLtQeJdz%2BAMpNC0WX4pzvsIv2uagnjpUxUyVUykArW18%2FIapRYlTQZ0g4MdrwH%2FZ7h%2F0u9jGUM6rAiCBz33EYObn4aNb",
            "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019946&Signature=JcVZlsCApsz0O52G3FOi%2BaimamYfGaduCcu4UnDC9VmXvZgqZ7fDxGeCnZM9NPUhmq0561rZ8PRIqA52RiBX3KnC7vhJa9PFjro5MHPo48Ypu9wL0RVB7C0RmZ3osycpkpyxEhtxKbIBAhFSEeMaEF%2F1BQw5%2BiCzEgPRP4X89bIAzw2EDpi3ulfCz8hms3FgCvWD6JMXBGKQJt1aE58BlUPY7ZhwLtbK4kOd4wzZjtfRjMqcTIEH7E0l",
            "https://vtbehaviour.commondatastorage.googleapis.com/3aebd918df444e5261a70a7b9957a04b62899583cca94cb90078ee348988691e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020086&Signature=vMuNzon2yUMc%2F5PXmshAS3lf0MVaReBDP3dcoOo82NLL71xjFa%2F0VIEFo55JjUmKlOHvhj6b0rJp8aIUUpsBDR%2FLZqmeDT44n0TYUkzfcIlLutGzkvs51q5mrJeeemJL6QT8bKwOFyLEXXO4SZPPduUilqL%2B1j79%2BDUni60qslB23F%2FgjYjG0edIuIfW6yq1yjBgsR34RyCGI5Lc8I%2FVLrF4ZjzIswsIHyhorBolKc7rKhoDz6masxaT",
            "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020136&Signature=H%2FVhg6NRizidJvYP4bRaC%2B%2Fuh8%2F0Z5Rd0CKbYgwrqTxA%2B2BloALbxPU70bhu3eDWE1sqvRizm6xer2MkUeNtxL9kjtBPDD7Vpxe6Oq6R6o22ZN5vWg%2BqZnbM3PVA3wfuJwZ1sZaO7gv79Bd4iyuD9687aMdFTrD5BJ%2Fbd2rKn063HRKOwRubgTuKJwxXlPjVI0ocAdDIvmmDac1rsWOYTbcHVCIKUVrpUCmnjpXsSag%2BZTA",
            "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020243&Signature=H1wTQxzrttgLCjJhjhriXYwMDCRB5ydjPUCYh9LS7Sqr42Y7WZzXZe0hC7YLFaTXYy2N3AsSr89gjIRZR80Jda4iLYyDlgohE9qQ3kFeKNZ%2FNp7IQu5FZY%2FpXRI7rsIlJnvlZmpbI006al7O0LQV5CrC797x%2FTp6jmAxmP5TS7NA%2BGfaDL14G7dIIeHtBoHxi7cbP%2Fe3qT1q3LcRk5oN%2FRV8TXEhpggMmbhYUEmK6ATwmwrh",
            "https://vtbehaviour.commondatastorage.googleapis.com/005fdc2438f1b1e58ea5e4d9c396feea40ad8a4788e90da06ecea60c5a8d79c2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020323&Signature=Mogy01Itx6r1B%2BxNe8ittQgO%2FxZRRAb%2F9lJynhxwSVOzHX7CsWRLBNEGHRp0B9k%2Bg%2FHO2jb5K65QRLLPyqkoA45n8CsH6T5790n7E0fsbYtOvp04eV28khNlOt2b%2Feh0a3nwcC%2BNAmxEHgqzaCfQlHBqBjk2ErpfhlpC5uQJchq%2BBgGeuPcFc8YRy4RCmaBiaTeD2V%2FJD7lssTzQfnZhLNMSLqEISDCN7TYsfL1%2BJREl4wSO7C",
            "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1406",
              "name": "Obfuscated Files or Information",
              "display_name": "T1406 - Obfuscated Files or Information"
            },
            {
              "id": "T1409",
              "name": "Access Stored Application Data",
              "display_name": "T1409 - Access Stored Application Data"
            },
            {
              "id": "T1418",
              "name": "Application Discovery",
              "display_name": "T1418 - Application Discovery"
            },
            {
              "id": "T1421",
              "name": "System Network Connections Discovery",
              "display_name": "T1421 - System Network Connections Discovery"
            },
            {
              "id": "T1422",
              "name": "System Network Configuration Discovery",
              "display_name": "T1422 - System Network Configuration Discovery"
            },
            {
              "id": "T1424",
              "name": "Process Discovery",
              "display_name": "T1424 - Process Discovery"
            },
            {
              "id": "T1426",
              "name": "System Information Discovery",
              "display_name": "T1426 - System Information Discovery"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 302,
            "FileHash-SHA1": 71,
            "FileHash-SHA256": 78,
            "URL": 181,
            "domain": 34,
            "hostname": 237
          },
          "indicator_count": 903,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "18 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d4595cd9283fc7a5aa03ab",
          "name": "VirusTotal Windows Sandbox - steganography",
          "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).",
          "modified": "2026-05-07T01:01:09.875000",
          "created": "2026-04-07T01:09:48.152000",
          "tags": [
            "windows sandbox",
            "calls clear",
            "file type",
            "png image",
            "rgba",
            "ms windows",
            "mpeg adts",
            "monaural",
            "jpeg image",
            "jfif",
            "gif image",
            "ascii text",
            "burma",
            "persistence",
            "window",
            "malicious",
            "union",
            "next",
            "ip address",
            "virustotal box",
            "apples sandbox",
            "sandbox sha256",
            "analysis date",
            "file",
            "operations",
            "process open",
            "write delete",
            "move time",
            "php script",
            "ascii",
            "crlf line",
            "unix",
            "mitre attack",
            "wed jun",
            "overview",
            "dropped info",
            "processes extra",
            "overview zenbox",
            "linux verdict",
            "guest system",
            "creates",
            "network info",
            "sigma",
            "defense evasion",
            "sample",
            "t1055 process"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF",
            "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%",
            "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ",
            "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a",
            "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx",
            "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou",
            "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 71,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 2921,
            "URL": 195,
            "domain": 120,
            "hostname": 101,
            "CVE": 1
          },
          "indicator_count": 3483,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d4595beae76fc81c99cf63",
          "name": "VirusTotal Windows Sandbox - steganography",
          "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).",
          "modified": "2026-05-07T01:01:09.875000",
          "created": "2026-04-07T01:09:47.895000",
          "tags": [
            "windows sandbox",
            "calls clear",
            "file type",
            "png image",
            "rgba",
            "ms windows",
            "mpeg adts",
            "monaural",
            "jpeg image",
            "jfif",
            "gif image",
            "ascii text",
            "burma",
            "persistence",
            "window",
            "malicious",
            "union",
            "next",
            "ip address",
            "virustotal box",
            "apples sandbox",
            "sandbox sha256",
            "analysis date",
            "file",
            "operations",
            "process open",
            "write delete",
            "move time",
            "php script",
            "ascii",
            "crlf line",
            "unix",
            "mitre attack",
            "wed jun",
            "overview",
            "dropped info",
            "processes extra",
            "overview zenbox",
            "linux verdict",
            "guest system",
            "creates",
            "network info",
            "sigma",
            "defense evasion",
            "sample",
            "t1055 process"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF",
            "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%",
            "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ",
            "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a",
            "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx",
            "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou",
            "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 71,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 2921,
            "URL": 194,
            "domain": 120,
            "hostname": 101
          },
          "indicator_count": 3481,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d4595bad55db9318902436",
          "name": "VirusTotal Windows Sandbox - steganography",
          "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).",
          "modified": "2026-05-07T01:01:09.875000",
          "created": "2026-04-07T01:09:47.753000",
          "tags": [
            "windows sandbox",
            "calls clear",
            "file type",
            "png image",
            "rgba",
            "ms windows",
            "mpeg adts",
            "monaural",
            "jpeg image",
            "jfif",
            "gif image",
            "ascii text",
            "burma",
            "persistence",
            "window",
            "malicious",
            "union",
            "next",
            "ip address",
            "virustotal box",
            "apples sandbox",
            "sandbox sha256",
            "analysis date",
            "file",
            "operations",
            "process open",
            "write delete",
            "move time",
            "php script",
            "ascii",
            "crlf line",
            "unix",
            "mitre attack",
            "wed jun",
            "overview",
            "dropped info",
            "processes extra",
            "overview zenbox",
            "linux verdict",
            "guest system",
            "creates",
            "network info",
            "sigma",
            "defense evasion",
            "sample",
            "t1055 process"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF",
            "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%",
            "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ",
            "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a",
            "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx",
            "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou",
            "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 71,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 2921,
            "URL": 194,
            "domain": 120,
            "hostname": 101
          },
          "indicator_count": 3481,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d4595b8c340900560463a8",
          "name": "VirusTotal Windows Sandbox - steganography",
          "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).",
          "modified": "2026-05-07T01:01:09.875000",
          "created": "2026-04-07T01:09:47.893000",
          "tags": [
            "windows sandbox",
            "calls clear",
            "file type",
            "png image",
            "rgba",
            "ms windows",
            "mpeg adts",
            "monaural",
            "jpeg image",
            "jfif",
            "gif image",
            "ascii text",
            "burma",
            "persistence",
            "window",
            "malicious",
            "union",
            "next",
            "ip address",
            "virustotal box",
            "apples sandbox",
            "sandbox sha256",
            "analysis date",
            "file",
            "operations",
            "process open",
            "write delete",
            "move time",
            "php script",
            "ascii",
            "crlf line",
            "unix",
            "mitre attack",
            "wed jun",
            "overview",
            "dropped info",
            "processes extra",
            "overview zenbox",
            "linux verdict",
            "guest system",
            "creates",
            "network info",
            "sigma",
            "defense evasion",
            "sample",
            "t1055 process"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF",
            "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%",
            "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ",
            "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a",
            "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx",
            "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou",
            "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 71,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 2921,
            "URL": 194,
            "domain": 120,
            "hostname": 101
          },
          "indicator_count": 3481,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d4595a99f229f5b99ce366",
          "name": "VirusTotal Windows Sandbox - steganography",
          "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).",
          "modified": "2026-05-07T01:01:09.875000",
          "created": "2026-04-07T01:09:46.696000",
          "tags": [
            "windows sandbox",
            "calls clear",
            "file type",
            "png image",
            "rgba",
            "ms windows",
            "mpeg adts",
            "monaural",
            "jpeg image",
            "jfif",
            "gif image",
            "ascii text",
            "burma",
            "persistence",
            "window",
            "malicious",
            "union",
            "next",
            "ip address",
            "virustotal box",
            "apples sandbox",
            "sandbox sha256",
            "analysis date",
            "file",
            "operations",
            "process open",
            "write delete",
            "move time",
            "php script",
            "ascii",
            "crlf line",
            "unix",
            "mitre attack",
            "wed jun",
            "overview",
            "dropped info",
            "processes extra",
            "overview zenbox",
            "linux verdict",
            "guest system",
            "creates",
            "network info",
            "sigma",
            "defense evasion",
            "sample",
            "t1055 process"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF",
            "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%",
            "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ",
            "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a",
            "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx",
            "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou",
            "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 71,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 2921,
            "URL": 194,
            "domain": 120,
            "hostname": 101
          },
          "indicator_count": 3481,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d4594ea685ae6b9912f97b",
          "name": "VirusTotal Windows Sandbox - steganography",
          "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).",
          "modified": "2026-05-07T01:01:09.875000",
          "created": "2026-04-07T01:09:34.613000",
          "tags": [
            "windows sandbox",
            "calls clear",
            "file type",
            "png image",
            "rgba",
            "ms windows",
            "mpeg adts",
            "monaural",
            "jpeg image",
            "jfif",
            "gif image",
            "ascii text",
            "burma",
            "persistence",
            "window",
            "malicious",
            "union",
            "next",
            "ip address",
            "virustotal box",
            "apples sandbox",
            "sandbox sha256",
            "analysis date",
            "file",
            "operations",
            "process open",
            "write delete",
            "move time",
            "php script",
            "ascii",
            "crlf line",
            "unix",
            "mitre attack",
            "wed jun",
            "overview",
            "dropped info",
            "processes extra",
            "overview zenbox",
            "linux verdict",
            "guest system",
            "creates",
            "network info",
            "sigma",
            "defense evasion",
            "sample",
            "t1055 process"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF",
            "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%",
            "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ",
            "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a",
            "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx",
            "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou",
            "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 71,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 2921,
            "URL": 194,
            "domain": 120,
            "hostname": 101
          },
          "indicator_count": 3481,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d45947ce0025cf5afbb117",
          "name": "VirusTotal Windows Sandbox - steganography",
          "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).",
          "modified": "2026-05-07T01:01:09.875000",
          "created": "2026-04-07T01:09:27.333000",
          "tags": [
            "windows sandbox",
            "calls clear",
            "file type",
            "png image",
            "rgba",
            "ms windows",
            "mpeg adts",
            "monaural",
            "jpeg image",
            "jfif",
            "gif image",
            "ascii text",
            "burma",
            "persistence",
            "window",
            "malicious",
            "union",
            "next",
            "ip address",
            "virustotal box",
            "apples sandbox",
            "sandbox sha256",
            "analysis date",
            "file",
            "operations",
            "process open",
            "write delete",
            "move time",
            "php script",
            "ascii",
            "crlf line",
            "unix",
            "mitre attack",
            "wed jun",
            "overview",
            "dropped info",
            "processes extra",
            "overview zenbox",
            "linux verdict",
            "guest system",
            "creates",
            "network info",
            "sigma",
            "defense evasion",
            "sample",
            "t1055 process"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF",
            "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%",
            "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ",
            "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a",
            "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx",
            "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou",
            "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 71,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 2921,
            "URL": 194,
            "domain": 120,
            "hostname": 101
          },
          "indicator_count": 3481,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d452d748d0f072544a4564",
          "name": "VirusTotal Box of Apples Sandbox report",
          "description": "",
          "modified": "2026-05-07T00:00:42.275000",
          "created": "2026-04-07T00:41:59.068000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1066,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 11,
            "domain": 111,
            "hostname": 66,
            "URL": 104
          },
          "indicator_count": 1364,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d452df7c1ea9136ee627df",
          "name": "VirusTotal Box of Apples Sandbox report",
          "description": "",
          "modified": "2026-05-07T00:00:42.275000",
          "created": "2026-04-07T00:42:07.725000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1066,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 11,
            "domain": 111,
            "hostname": 67,
            "URL": 104
          },
          "indicator_count": 1365,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d452d5b2ebb31d314f0325",
          "name": "VirusTotal Box of Apples Sandbox report",
          "description": "",
          "modified": "2026-05-07T00:00:42.275000",
          "created": "2026-04-07T00:41:57.173000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1066,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 11,
            "domain": 111,
            "hostname": 66,
            "URL": 104
          },
          "indicator_count": 1364,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d452d1096350bb560f7fee",
          "name": "VirusTotal Box of Apples Sandbox report",
          "description": "",
          "modified": "2026-05-07T00:00:42.275000",
          "created": "2026-04-07T00:41:53.433000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1066,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 11,
            "domain": 111,
            "hostname": 66,
            "URL": 104
          },
          "indicator_count": 1364,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ca9a493238bd9eade7dda7",
          "name": "CAPE Sandbox",
          "description": "Checks available memory\nQueries computer hostname\nQueries the username\nConnects to crypto currency mining pool\nAttempts to connect to a dead IP:Port (1 unique times)\nQueries the keyboard layout\nQueries the computer locale (possible geofencing)\nSetUnhandledExceptionFilter detected (possible anti-debug)\nPossible date expiration check, exits too soon after checking local time disk cont in comments",
          "modified": "2026-04-29T15:36:07.593000",
          "created": "2026-03-30T15:44:09.515000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 66,
            "FileHash-SHA1": 68,
            "FileHash-SHA256": 69,
            "domain": 13,
            "hostname": 47,
            "URL": 18
          },
          "indicator_count": 281,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "31 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ca9a4803d223469fbdc580",
          "name": "CAPE Sandbox",
          "description": "Checks available memory\nQueries computer hostname\nQueries the username\nConnects to crypto currency mining pool\nAttempts to connect to a dead IP:Port (1 unique times)\nQueries the keyboard layout\nQueries the computer locale (possible geofencing)\nSetUnhandledExceptionFilter detected (possible anti-debug)\nPossible date expiration check, exits too soon after checking local time disk cont in comments",
          "modified": "2026-04-29T15:36:07.593000",
          "created": "2026-03-30T15:44:08.789000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 66,
            "FileHash-SHA1": 68,
            "FileHash-SHA256": 69,
            "domain": 13,
            "hostname": 47,
            "URL": 18
          },
          "indicator_count": 281,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "31 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69af9f6a99794e0058f126ae",
          "name": "CAPE Sandbox",
          "description": "",
          "modified": "2026-04-09T04:21:15.538000",
          "created": "2026-03-10T04:34:50.626000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 108,
            "FileHash-SHA1": 101,
            "FileHash-SHA256": 91,
            "URL": 24,
            "domain": 10,
            "hostname": 57
          },
          "indicator_count": 391,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "52 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69af9f64753d939e4909ccfe",
          "name": "CAPE Sandbox",
          "description": "",
          "modified": "2026-04-09T04:21:15.538000",
          "created": "2026-03-10T04:34:44.303000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 108,
            "FileHash-SHA1": 101,
            "FileHash-SHA256": 91,
            "URL": 25,
            "domain": 10,
            "hostname": 57
          },
          "indicator_count": 392,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "52 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69af9f638181eb6543d596e7",
          "name": "CAPE Sandbox",
          "description": "",
          "modified": "2026-04-09T04:21:15.538000",
          "created": "2026-03-10T04:34:43.144000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 108,
            "FileHash-SHA1": 101,
            "FileHash-SHA256": 91,
            "URL": 24,
            "domain": 10,
            "hostname": 57
          },
          "indicator_count": 391,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "52 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6962f12c2578ca1d1f8e212f",
          "name": "Google_Chrome Attack related to Pahamify Pegasus Intrusive Monitoring of a Crime.Victim",
          "description": "Pahamify Pegasus: Google_Chrome_64bit_v136.0.7103.49.exe \nIsolated IOCs || Related to the targeting of a crime victim.\nDrive-by compromise seen on old iPhone locked screen in past. Glitched Bible Gateway app access stuttered entire phone (new and updated at the time) | ad pop-ups began, finally an early morning drive-by compromise on locked screen (\u2018Do you have a Starbucks App?\u2019) | [Issue: can only access phone if you answer. Easy mistake, powering off device may or may not have cleared screen] victim checks Bible Gateway app believing it to be a malicious app DLL from Apple App Store.\n\nFirebase apps remotely installed, can access via email. Other apps corrupted. Google Translate and Notepad linked directly to threat actors.\nNotepad linked to an FBI website in Loudoun County, Va. Acted as a fake content scraper constantly creating websites.",
          "modified": "2026-02-09T23:00:37.530000",
          "created": "2026-01-11T00:39:08.048000",
          "tags": [
            "ipv4",
            "url https",
            "url http",
            "ipv6",
            "indicator role",
            "title added",
            "active related",
            "type indicator",
            "related pulses",
            "discovery",
            "gather victim",
            "information",
            "tool transfer",
            "capture",
            "hijacking",
            "t1055",
            "injection",
            "service",
            "manipulation",
            "impact",
            "execution",
            "timestomp",
            "tools",
            "usercitynewyork",
            "bannerid682713",
            "landingid702316",
            "countryid774749",
            "chrome",
            "google",
            "yahoo",
            "active",
            "indicator",
            "source",
            "ck id",
            "show technique",
            "mitre att",
            "ck matrix",
            "file",
            "pattern match",
            "internet",
            "error",
            "errore",
            "crypto",
            "compiler",
            "installer",
            "download",
            "hybrid",
            "shutdown",
            "strings",
            "erreur",
            "updater",
            "install",
            "yang",
            "downloader",
            "learn",
            "adversaries",
            "name tactics",
            "suspicious",
            "informative",
            "defense evasion",
            "found",
            "found registry",
            "able",
            "model",
            "united",
            "et trojan",
            "show",
            "search",
            "as15169",
            "get http",
            "intel",
            "ms windows",
            "write",
            "read c",
            "malware",
            "trojan",
            "possible",
            "sha1",
            "rgba",
            "size",
            "ascii text",
            "png image",
            "sha256",
            "span",
            "core",
            "date",
            "title",
            "meta",
            "format",
            "august",
            "general",
            "local",
            "encrypt",
            "root",
            "click",
            "form",
            "refresh",
            "jsme",
            "qsnw4im",
            "high",
            "artemis",
            "virustotal",
            "generic",
            "mcafee",
            "baidu",
            "drweb",
            "vipre",
            "panda",
            "malsinowaa",
            "less see",
            "all yara",
            "detections none",
            "mebroot",
            "contacted",
            "domains",
            "all related",
            "pulses otx",
            "pulses",
            "tags",
            "related tags",
            "file type",
            "pexe",
            "targeting",
            "monitored target",
            "pegasus"
          ],
          "references": [
            "Gen:Trojan.Heur.wq5@QsnW4Im ,   Backdoor.Win32.Sinowal.fac ,  Mal/Sinowa-A ,",
            "Trojan.Mebroot ,  a variant of Win32/Mebroot.BM ,  Trojan:W32/Mebroot.gen!A ,  Trojan.Packed.2447",
            "Detections PSW.Sinowal.X ,  Win.Trojan.Sinowal-13971 ,  Artemis!0DF9D8682EFA ,",
            "Alerts: stealth_network antivirus_virustotal static_pe_anomaly",
            "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_(64bit)_v136.0.7103.49.exe",
            "Google_Chrome_64bit_v136.0.7103.49.exe",
            "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7",
            "IDS Detections: ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.google.com)",
            "ET TROJAN Possible VirLock Connectivity Check"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Mebroot",
              "display_name": "Mebroot",
              "target": null
            },
            {
              "id": "PSW.Sinowal.X",
              "display_name": "PSW.Sinowal.X",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1007",
              "name": "System Service Discovery",
              "display_name": "T1007 - System Service Discovery"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1029",
              "name": "Scheduled Transfer",
              "display_name": "T1029 - Scheduled Transfer"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1074",
              "name": "Data Staged",
              "display_name": "T1074 - Data Staged"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1213",
              "name": "Data from Information Repositories",
              "display_name": "T1213 - Data from Information Repositories"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1410",
              "name": "Network Traffic Capture or Redirection",
              "display_name": "T1410 - Network Traffic Capture or Redirection"
            },
            {
              "id": "T1444",
              "name": "Masquerade as Legitimate Application",
              "display_name": "T1444 - Masquerade as Legitimate Application"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1489",
              "name": "Service Stop",
              "display_name": "T1489 - Service Stop"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1529",
              "name": "System Shutdown/Reboot",
              "display_name": "T1529 - System Shutdown/Reboot"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1559",
              "name": "Inter-Process Communication",
              "display_name": "T1559 - Inter-Process Communication"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1570",
              "name": "Lateral Tool Transfer",
              "display_name": "T1570 - Lateral Tool Transfer"
            },
            {
              "id": "T1589",
              "name": "Gather Victim Identity Information",
              "display_name": "T1589 - Gather Victim Identity Information"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1591",
              "name": "Gather Victim Org Information",
              "display_name": "T1591 - Gather Victim Org Information"
            },
            {
              "id": "T1592",
              "name": "Gather Victim Host Information",
              "display_name": "T1592 - Gather Victim Host Information"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2126,
            "domain": 492,
            "hostname": 913,
            "email": 3,
            "FileHash-SHA256": 953,
            "FileHash-MD5": 78,
            "FileHash-SHA1": 61,
            "SSLCertFingerprint": 14
          },
          "indicator_count": 4640,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "110 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6962b68da732abc66a0c2caf",
          "name": "Der Zugriff \u2022 Kanna \u2022 MyDoom \u2022 Sigur - Pahamify Pegasus",
          "description": "Pahamify Pegasus | Execution Attack, Access Attack | Drive by Compromise | \nSifting through Pahamify Pegasus this is no longer your computer , injection, google connects, remote connections, remote mouse movement, remote access, Google espionage, bad traffic, Apple complicit access. This is your Google account and browser, this is your appleid. Still researching\u2026. || \n*https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_ ||\nMalware: Der Zugriff ,\nKanna ,\nMyDoom ,\nSigur \n#firebase #google_connection #bible_gateway_honeypot #crypto #hidden_users #who_else",
          "modified": "2026-02-09T19:00:09.890000",
          "created": "2026-01-10T20:29:01.675000",
          "tags": [
            "ip address",
            "status code",
            "kb body",
            "iocs",
            "deny age",
            "cloudfront",
            "utc google",
            "tag manager",
            "g8t6ln06z40",
            "utc na",
            "google tag",
            "injection",
            "t1055 malware",
            "tree",
            "help v",
            "defense evasion",
            "injection t1055",
            "resolved ips",
            "get http",
            "dns resolutions",
            "v memory",
            "pattern domains",
            "full reports",
            "v help",
            "memory pattern",
            "urls https",
            "hashes",
            "tiktok",
            "microsoft",
            "dashboard falcon",
            "request",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "response",
            "appleid",
            "united",
            "name servers",
            "aaaa",
            "servers",
            "moved",
            "script urls",
            "passive dns",
            "urls",
            "data upload",
            "extraction",
            "failed",
            "jsvendor",
            "jsapp",
            "script script",
            "cssapp",
            "jsfirebase",
            "pegasus",
            "encrypt",
            "title error",
            "ipv4",
            "files",
            "reverse dns",
            "united states",
            "malware",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "spawns",
            "execution att",
            "t1204 user",
            "script",
            "beginstring",
            "bad traffic",
            "et info",
            "null",
            "title",
            "refresh",
            "span",
            "strings",
            "error",
            "tools",
            "meta",
            "look",
            "verify",
            "restart",
            "mitre att",
            "ascii text",
            "pattern match",
            "ck matrix",
            "tls handshake",
            "hybrid",
            "general",
            "local",
            "path",
            "click",
            "ck techniques",
            "access att",
            "div div",
            "a li",
            "ul div",
            "record value",
            "emails",
            "accept",
            "referen https",
            "microsoft-falcon.net",
            "proxy",
            "status",
            "certificate",
            "updated date",
            "whois server",
            "zipcode",
            "entries http",
            "scans show",
            "search",
            "matches x",
            "type",
            "gmt cache",
            "all ipv4",
            "america flag",
            "america asn",
            "sameorigin",
            "urls show",
            "date checked",
            "url hostname",
            "server response",
            "google safe",
            "results jan",
            "ipv4 add",
            "win32mydoom jan",
            "trojan",
            "worm",
            "expiration date",
            "files show",
            "date hash",
            "avast avg",
            "win32mydoom",
            "backdoor",
            "found",
            "gmt connection",
            "control",
            "content type",
            "twitter",
            "dynamicloader",
            "medium",
            "high",
            "msie",
            "wow64",
            "slcc2",
            "media center",
            "write",
            "global",
            "domain name",
            "hostname",
            "apple",
            "racebook",
            "mouse movement",
            "remote mouse",
            "domain",
            "hostname add",
            "url analysis",
            "crlf line",
            "ff d5",
            "unicode text",
            "utf8",
            "ee fc",
            "yara rule",
            "f0 ff",
            "ff bb",
            "music",
            "push",
            "autorun",
            "unknown",
            "present sep",
            "present may",
            "present jan",
            "present aug",
            "cname",
            "present nov",
            "present jun",
            "apache",
            "body",
            "pragma",
            "found registry",
            "able",
            "model",
            "indicator",
            "source",
            "show technique",
            "file",
            "internet",
            "errore",
            "erreur",
            "download",
            "service",
            "crypto",
            "compiler",
            "installer",
            "yang",
            "updater",
            "shutdown",
            "thunk",
            "este",
            "install",
            "reboot",
            "code",
            "downloader",
            "sigur",
            "kanna",
            "der zugriff",
            "google",
            "chrome",
            "Pahamify Pegasus",
            "christoper p. ahmann",
            "law enforcement",
            "retaliation",
            "phone",
            "espionage",
            "united states",
            "m brian sabey",
            "quasi government",
            "target",
            "monitored targeting",
            "aig",
            "therahand (old name)",
            "target: tsara brashears",
            "douglas county, co",
            "sheriff",
            "industry and commerce",
            "worker\u2019s compensation",
            "crime",
            "financial crime",
            "danger",
            "nem tih",
            "amazon",
            "aws",
            "amazon aws",
            "deal",
            "deal with it lawfully",
            "pay victim",
            "protecting reimer"
          ],
          "references": [
            "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com",
            "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
            "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur",
            "Pahamify Pegasus",
            "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)",
            "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android",
            "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4",
            "tv.apple.com",
            "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net",
            "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 ,  Trojan:Win32/Pariham.A",
            "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)",
            "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)",
            "IDS: TLS Handshake Failure",
            "Yara Detections BackdoorWin32Simda",
            "Google_Chrome_64bit_v136.0.7103.49.exe",
            "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7",
            "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
            "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
            "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com",
            "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022",
            "https://wallpapers-nature.com/tsara-brashears/urlscan-io"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Pariham.A",
              "display_name": "Trojan:Win32/Pariham.A",
              "target": "/malware/Trojan:Win32/Pariham.A"
            },
            {
              "id": "MyDoom",
              "display_name": "MyDoom",
              "target": null
            },
            {
              "id": "Virus:Win95/Cerebrus",
              "display_name": "Virus:Win95/Cerebrus",
              "target": "/malware/Virus:Win95/Cerebrus"
            },
            {
              "id": "AutoRunIt",
              "display_name": "AutoRunIt",
              "target": null
            },
            {
              "id": "Sigur",
              "display_name": "Sigur",
              "target": null
            },
            {
              "id": "Kanna",
              "display_name": "Kanna",
              "target": null
            },
            {
              "id": "Der Zugriff",
              "display_name": "Der Zugriff",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1568.002",
              "name": "Domain Generation Algorithms",
              "display_name": "T1568.002 - Domain Generation Algorithms"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1589",
              "name": "Gather Victim Identity Information",
              "display_name": "T1589 - Gather Victim Identity Information"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1591",
              "name": "Gather Victim Org Information",
              "display_name": "T1591 - Gather Victim Org Information"
            },
            {
              "id": "T1592",
              "name": "Gather Victim Host Information",
              "display_name": "T1592 - Gather Victim Host Information"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1036.004",
              "name": "Masquerade Task or Service",
              "display_name": "T1036.004 - Masquerade Task or Service"
            },
            {
              "id": "T1444",
              "name": "Masquerade as Legitimate Application",
              "display_name": "T1444 - Masquerade as Legitimate Application"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1410",
              "name": "Network Traffic Capture or Redirection",
              "display_name": "T1410 - Network Traffic Capture or Redirection"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1007",
              "name": "System Service Discovery",
              "display_name": "T1007 - System Service Discovery"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1029",
              "name": "Scheduled Transfer",
              "display_name": "T1029 - Scheduled Transfer"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1074",
              "name": "Data Staged",
              "display_name": "T1074 - Data Staged"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1213",
              "name": "Data from Information Repositories",
              "display_name": "T1213 - Data from Information Repositories"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1489",
              "name": "Service Stop",
              "display_name": "T1489 - Service Stop"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1529",
              "name": "System Shutdown/Reboot",
              "display_name": "T1529 - System Shutdown/Reboot"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1559",
              "name": "Inter-Process Communication",
              "display_name": "T1559 - Inter-Process Communication"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1570",
              "name": "Lateral Tool Transfer",
              "display_name": "T1570 - Lateral Tool Transfer"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            },
            {
              "id": "T1569.002",
              "name": "Service Execution",
              "display_name": "T1569.002 - Service Execution"
            },
            {
              "id": "T1543.003",
              "name": "Windows Service",
              "display_name": "T1543.003 - Windows Service"
            },
            {
              "id": "T1546.015",
              "name": "Component Object Model Hijacking",
              "display_name": "T1546.015 - Component Object Model Hijacking"
            },
            {
              "id": "T1055.003",
              "name": "Thread Execution Hijacking",
              "display_name": "T1055.003 - Thread Execution Hijacking"
            },
            {
              "id": "T1134.001",
              "name": "Token Impersonation/Theft",
              "display_name": "T1134.001 - Token Impersonation/Theft"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1134.002",
              "name": "Create Process with Token",
              "display_name": "T1134.002 - Create Process with Token"
            },
            {
              "id": "T1070.006",
              "name": "Timestomp",
              "display_name": "T1070.006 - Timestomp"
            },
            {
              "id": "T1564.003",
              "name": "Hidden Window",
              "display_name": "T1564.003 - Hidden Window"
            },
            {
              "id": "T1497.003",
              "name": "Time Based Evasion",
              "display_name": "T1497.003 - Time Based Evasion"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1497.002",
              "name": "User Activity Based Checks",
              "display_name": "T1497.002 - User Activity Based Checks"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1027.005",
              "name": "Indicator Removal from Tools",
              "display_name": "T1027.005 - Indicator Removal from Tools"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1074.001",
              "name": "Local Data Staging",
              "display_name": "T1074.001 - Local Data Staging"
            },
            {
              "id": "T1560.002",
              "name": "Archive via Library",
              "display_name": "T1560.002 - Archive via Library"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            }
          ],
          "industries": [
            "Civil Society",
            "Legal",
            "Government",
            "Technology",
            "Telecommunications",
            "Financial"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 6094,
            "domain": 1195,
            "hostname": 2001,
            "FileHash-SHA256": 2598,
            "FileHash-MD5": 546,
            "FileHash-SHA1": 403,
            "email": 16,
            "CVE": 2,
            "SSLCertFingerprint": 3
          },
          "indicator_count": 12858,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "110 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67f5555b6ce863d998e83e26",
          "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net",
          "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-<UUID>.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.",
          "modified": "2025-05-11T19:03:59.885000",
          "created": "2025-04-08T16:56:59.641000",
          "tags": [
            "generated from",
            "do not",
            "edit uri",
            "urls",
            "edit",
            "rewriteengine",
            "rewritecond",
            "rewriterule",
            "r301",
            "xml2encalias",
            "beralloct",
            "berbvarrayadd",
            "berbvarrayfree",
            "berbvdup",
            "berbvecadd",
            "berbvecfree",
            "berbvfree",
            "berdump",
            "berdup",
            "berdupbv",
            "laerrordomain",
            "laerrornoncekey",
            "lamechanismtree",
            "lacontext",
            "ladomainstate",
            "laenvironment",
            "lanotification",
            "laprivatekey",
            "lapublickey",
            "laright",
            "apple swift",
            "o librarylevel",
            "combine import",
            "foundation",
            "swift import",
            "mcpeerid",
            "mcsession",
            "property",
            "copyright",
            "protocol",
            "class",
            "bonjour",
            "ascii lowercase",
            "abc company",
            "section",
            "bonjour txt",
            "note",
            "ui element",
            "utf8 encoding",
            "nscopying",
            "nsdictionary",
            "nsstring",
            "mcextern",
            "attribute",
            "mcextern extern",
            "mcexternweak",
            "nsenum",
            "nsinteger",
            "mcerrorcode",
            "mcerrorunknown",
            "mcerrortimedout",
            "peer",
            "example",
            "bonjour apis",
            "stop",
            "tags",
            "session",
            "nsprogress",
            "nserror",
            "nsurl",
            "nsarray",
            "create",
            "nsuinteger",
            "notifies",
            "mcsession api",
            "interface",
            "dbictrace",
            "dbivporth",
            "dbictracelevel",
            "dbdtffoo",
            "dbihseterrchar",
            "dbicstate",
            "dbictraceflags",
            "provides macros",
            "dbi release",
            "only",
            "sqlsuccess",
            "odbc",
            "sqlok",
            "tim bunce",
            "england",
            "sql cli",
            "sql datatype",
            "sqlguid",
            "sqlwlongvarchar",
            "main",
            "beware",
            "sv sth",
            "sv dbh",
            "impsth",
            "impdbh",
            "sv keysv",
            "sv params",
            "sv attr",
            "sv attribs",
            "sv drh",
            "void",
            "fri jul",
            "mixed",
            "dbixsrevision",
            "plsvundef",
            "license",
            "spagain",
            "perlioprintf",
            "dbiclogpio",
            "putback",
            "ireland",
            "gnu general",
            "super",
            "magic",
            "dbicflags",
            "dbis",
            "svrv",
            "null",
            "imp2com",
            "dbicactivekids",
            "dbicfiadestroy",
            "sv h",
            "dbicdbistate",
            "code",
            "copy",
            "refer",
            "trace",
            "error",
            "unknown",
            "hookopcheckh",
            "startexternc",
            "hookopcheckcb",
            "userdata",
            "endexternc",
            "isinternalbuild",
            "kickmcxdforuid",
            "loadappkit",
            "ardconfig",
            "authenticator",
            "dsauthenticator",
            "dsnode",
            "dsrecord",
            "group",
            "hostconfig",
            "apfsvolumelock",
            "apfsvolumerole",
            "aoskgetosinfo",
            "aoskgetuserinfo",
            "aosaddappleid",
            "aosdisablepcs",
            "aosenablepcs",
            "aoslog",
            "aoslogforce",
            "aosrelaycookie",
            "didfailcallback",
            "kaosaccountkey",
            "kapcsbundle",
            "kapcspath",
            "kjsonextension",
            "apcsbucketid",
            "apcsreports",
            "apconfiguration",
            "apversiondata",
            "apversionhelper",
            "systemvolumesvm",
            "name size",
            "identifier",
            "gb disk0s3",
            "devdisk3",
            "apfs container",
            "scheme",
            "physical store",
            "macintosh hd",
            "apfs snapshot",
            "preboot",
            "refs address",
            "size wired",
            "name",
            "version",
            "uuid",
            "linked against",
            "renderer",
            "helper",
            "chrome helper",
            "contains",
            "cloud ui",
            "macintosh",
            "khtml",
            "gecko",
            "ui helper",
            "plugin",
            "service",
            "good",
            "battery power",
            "apfs encryption",
            "jumpcloud go",
            "chrome web",
            "store",
            "privacy badger",
            "flowcrypt",
            "encrypt gmail",
            "simple",
            "google",
            "b2b phone",
            "number",
            "apollo",
            "future",
            "exccrash",
            "sigkill",
            "code signature",
            "invalid",
            "sigabrt",
            "protonvpn",
            "excguard",
            "excbreakpoint",
            "sigtrap",
            "excbadaccess",
            "appl",
            "english",
            "adobe crash",
            "adobe",
            "acrobat dcadobe",
            "processor",
            "uninstaller",
            "assistant",
            "install",
            "cloud",
            "dock",
            "calendar",
            "music",
            "terminal",
            "tips",
            "installer",
            "updater",
            "proton",
            "tools",
            "stub",
            "python",
            "clock",
            "powershell",
            "team",
            "rave scout",
            "cookies",
            "public folder",
            "key cert",
            "sign",
            "crl sign",
            "root ca",
            "authority",
            "public primary",
            "global root",
            "verisign",
            "academic",
            "premium",
            "adaptive",
            "interactive",
            "background",
            "standard",
            "launchd sandbox",
            "s mdworker",
            "agent",
            "command line",
            "progress",
            "yubico",
            "macos13action",
            "disableoverride",
            "disableairdrop",
            "denyactivation",
            "enable",
            "loginwindowtext",
            "jumpcloud",
            "autoupdate",
            "loggingoption",
            "enablefirewall",
            "arm64e",
            "apple m2",
            "mac142",
            "kjqqtw7pqt",
            "daemon",
            "server",
            "open directory",
            "user",
            "account",
            "kerberos admin",
            "kerberos change",
            "device daemon",
            "network",
            "desktop",
            "screensaver",
            "bridge",
            "aesxtsarm",
            "aesecbarm",
            "sha512vngarmhw",
            "sha384vngarmhw",
            "sha256vngarm",
            "sha1vngarm",
            "darwin kernel",
            "wed mar",
            "wkarraycreate",
            "wkbooleancreate",
            "wkcontextcreate",
            "wkdatacreate",
            "wkdatagettypeid",
            "wkdoublecreate",
            "wkframecopyurl",
            "wkgettypeid",
            "wkimagecreate",
            "wkpagecandelete",
            "webview",
            "notice",
            "this software",
            "including",
            "but not",
            "limited to",
            "redistribution",
            "is provided",
            "by apple",
            "direct",
            "damage",
            "apiavailable",
            "webkit",
            "nsswiftname",
            "document",
            "a block",
            "as is",
            "hasinclude",
            "wkdownload",
            "abstract",
            "wkerrorcode",
            "wkerrorunknown",
            "discussion",
            "bool",
            "whether",
            "wkcontentworld",
            "wkwebview",
            "javascript",
            "nsunavailable",
            "vaargs",
            "nsswiftasync",
            "wkswiftasync",
            "wkcookiepolicy",
            "wkswiftuiactor",
            "nshttpcookie",
            "targetosiphone",
            "wknavigation",
            "decides",
            "boolean value",
            "apideprecated",
            "methodkind",
            "wkerrordomain",
            "wkscriptmessage",
            "promise",
            "fulfill",
            "const",
            "url scheme",
            "mark",
            "wkuserscript",
            "targetosvision",
            "param",
            "wkframeinfo",
            "targetosios",
            "pass",
            "window",
            "mime type",
            "link",
            "nsimage",
            "returns",
            "nsset",
            "checks",
            "matches",
            "a boolean",
            "defaults",
            "wkwebextension",
            "cgsize",
            "uiimage",
            "apis",
            "nsdate",
            "wkcontentmode",
            "wkextern",
            "possible",
            "cgfloat",
            "media",
            "cgrect",
            "apiunavailable",
            "framework",
            "nsswiftuiactor",
            "targetoswatch",
            "confirms",
            "apple upgrade",
            "nsstring user",
            "nsobject",
            "provider",
            "apple",
            "password",
            "uicontrol",
            "nscontrol",
            "asuseragerange",
            "check",
            "opaque user",
            "apple id",
            "initiate",
            "asauthorization",
            "operation",
            "state",
            "nserrorenum",
            "nsdata",
            "relying party",
            "asapiavailable",
            "perform",
            "realm",
            "http response",
            "authorization",
            "http",
            "oauth",
            "saml",
            "a byte",
            "nsdata userid",
            "relying",
            "a string",
            "nsdata readdata",
            "bool didwrite",
            "a cose",
            "nsdata first",
            "nsdata second",
            "nsstring name",
            "bool appid",
            "targetosxr",
            "nsstring appid",
            "bluetooth",
            "mdm profile",
            "nsurl url",
            "returns yes",
            "a state",
            "a json",
            "web token",
            "private seckeys",
            "enables",
            "keychain",
            "asswiftsendable",
            "cose algorithm",
            "ecdsa",
            "sha256",
            "cose curve",
            "p256",
            "nullable",
            "bool success",
            "remove",
            "call",
            "complete",
            "initializes",
            "time code",
            "extensions",
            "asextern extern",
            "asextern",
            "nsswiftsendable",
            "prepare",
            "list",
            "nsextension",
            "attempt",
            "nsstring label",
            "creates",
            "nsstring code",
            "a key",
            "webauthn",
            "nssecurecoding",
            "input",
            "output",
            "initialize",
            "nsinteger rank",
            "json",
            "inputs",
            "hash",
            "nsstring origin",
            "settings app",
            "extension",
            "https urls",
            "safari",
            "cancel",
            "nsuuid uuid",
            "r uftpexu",
            "nsmutabledata",
            "vnsdate",
            "mprcjy",
            "postfix",
            "domain",
            "canonical",
            "tables",
            "ldap",
            "post",
            "replace user",
            "address",
            "wietse venema",
            "bugs",
            "mail",
            "aliases",
            "postfix version",
            "restrict",
            "sample",
            "person",
            "basic system",
            "general",
            "reject empty",
            "postfix smtp",
            "ipv6 host",
            "reject",
            "reply",
            "access",
            "prior",
            "hold",
            "info",
            "mail delivery",
            "charset",
            "system",
            "report",
            "postfix dsn",
            "mail returned",
            "this",
            "generic",
            "smtp",
            "isp mail",
            "mime",
            "headerchecks",
            "readme files",
            "filters while",
            "posix",
            "empty",
            "body",
            "write",
            "date",
            "smtp server",
            "specify",
            "mx host",
            "unix password",
            "user unknown",
            "pathbin",
            "postfix queue",
            "unix",
            "cyrus",
            "path",
            "uucp",
            "shell",
            "local",
            "program",
            "agreement",
            "contributor",
            "recipient",
            "contribution",
            "the program",
            "corporation",
            "contributors",
            "product x",
            "as expressly",
            "arch",
            "arch x8664",
            "pipe wall",
            "wimplicit",
            "ranlib",
            "warn",
            "switch",
            "start",
            "systype",
            "outlook",
            "postfix master",
            "begin",
            "server admin",
            "mail backend",
            "modern smtp",
            "iana",
            "many",
            "postfix pipe",
            "recent cyrus",
            "amos gouaux",
            "old example",
            "or even",
            "lutz jaenicke",
            "technology",
            "cottbus",
            "germany",
            "openssl package",
            "openssl project",
            "europe",
            "remember that",
            "use of",
            "file",
            "update",
            "usrsbin",
            "file format",
            "no group",
            "daemondirectory",
            "deliver mail",
            "transport",
            "description",
            "result format",
            "virtual",
            "virtual alias",
            "redirect mail",
            "relocated",
            "matches user",
            "synopsis",
            "lastname",
            "firstname",
            "apple computer",
            "tcpip",
            "supported",
            "quantum",
            "facility",
            "level",
            "level info",
            "broadcast",
            "ignore",
            "rules",
            "sender",
            "automounter map",
            "use directory",
            "get home",
            "home autohome",
            "true",
            "t option",
            "mount",
            "force",
            "environment",
            "automountdenv",
            "promptcommand",
            "shellsessiondir",
            "histfile",
            "histfilesize",
            "myvar",
            "histtimeformat",
            "arrange",
            "bashrematch",
            "tell",
            "ps1h",
            "make bash",
            "s checkwinsize",
            "etcbashrc",
            "termprogram",
            "inpck",
            "nnnbaud",
            "berkeley",
            "parity",
            "pc entry",
            "pass8",
            "parenb istrip",
            "fixed speed",
            "entry",
            "clocal mode",
            "maxhistsize",
            "promptmode",
            "verbose end",
            "etcirbrcloaded",
            "default",
            "setup",
            "history file",
            "kernel",
            "readline",
            "jabber",
            "group database",
            "dovecot",
            "postfix scsd",
            "networkd",
            "searchpaths",
            "freebsd",
            "tmpdir",
            "fcodes",
            "prunepaths",
            "vartmp",
            "prunedirs",
            "filesystems",
            "nroff",
            "manpath",
            "uncomment",
            "manpager",
            "whatispager",
            "manlocale",
            "every",
            "manpath optman",
            "maybe",
            "troff",
            "status mailfrom",
            "returnpath via",
            "pidfile",
            "flags",
            "bcgjnuwz",
            "bin usrsbin",
            "sbin",
            "default pf",
            "care",
            "audio",
            "user database",
            "unix copy",
            "gate daemon",
            "bashno",
            "r etcbashrc",
            "rfc1323",
            "m1460",
            "macos x",
            "signature",
            "linux",
            "opera",
            "xp sp1",
            "windows sp1",
            "nmap syn",
            "m265",
            "synack",
            "mind",
            "macos",
            "warp",
            "ipv6",
            "internet",
            "icmp",
            "cisco",
            "monitoring",
            "argus",
            "chaos",
            "rsvp",
            "encapsulation",
            "aris",
            "isis",
            "netbootmount",
            "netbootshadow",
            "computername",
            "localonly",
            "localnetbootdir",
            "netboot",
            "define",
            "purpose",
            "networkonly",
            "waiting",
            "networkup",
            "term",
            "devnull",
            "common setup",
            "configure",
            "set command",
            "dns hostname",
            "dns query",
            "see also",
            "kame",
            "sunnet manager",
            "rpcsrc",
            "netlicense",
            "ftpd",
            "bindash binksh",
            "binsh bintcsh",
            "jumpcloud ldap",
            "smb2",
            "security",
            "workgroup",
            "standalone",
            "samba server",
            "enforce",
            "smb3",
            "example share",
            "improper use",
            "ctrlc",
            "none",
            "fax reception",
            "hardwired",
            "0007",
            "must",
            "visudo",
            "blocksize",
            "charset lang",
            "language lcall",
            "lines columns",
            "lscolors",
            "sshauthsock",
            "orion",
            "setup user",
            "home",
            "zdotdir",
            "delete",
            "beep",
            "vendor",
            "kf10",
            "kf11",
            "kf12",
            "kf13",
            "backspace",
            "insert",
            "resume",
            "termsessionid",
            "savehist",
            "sharehistory",
            "h do",
            "volume",
            "de l",
            "l uuid",
            "m tra",
            "n est",
            "suuid",
            "prfen",
            "fusion",
            "syst",
            "look",
            "executant",
            "alla",
            "over",
            "test",
            "overie",
            "zapis",
            "rapid",
            "disco usa",
            "de macos",
            "nie s",
            "i denne",
            "adgjmpsvx",
            "diskgthis disk",
            "01k8x j",
            "34disk",
            "levy kytt",
            "dict",
            "array",
            "plist",
            "apple root",
            "code signing",
            "inode64r",
            "xofkoxzh",
            "integer",
            "doctype",
            "brain",
            "abcd",
            "ogwo",
            "boaw",
            "cobwa",
            "uhawavauatsh",
            "ip bitmap",
            "foewdc",
            "could",
            "ip block",
            "funcs",
            "cogwo",
            "trash",
            "double",
            "hunt",
            "affa",
            "carr",
            "crypto",
            "docwbac",
            "q1b0",
            "q1 0",
            "h h5",
            "docwbag",
            "slice",
            "format",
            "zero",
            "alfa",
            "hera",
            "lelei",
            "hehe",
            "hisp",
            "fail",
            "katy",
            "zakk",
            "eodwcbgao",
            "hhk8di",
            "alma",
            "topo",
            "open",
            "huhk",
            "piper",
            "hehx",
            "eh ui",
            "h20hph",
            "hif h",
            "hmhhihqhyla hq",
            "r11b0",
            "target",
            "uus10u",
            "hifh",
            "loghookfailed",
            "loghook",
            "hell",
            "q1b 0",
            "f duh",
            "aqw1",
            "1160"
          ],
          "references": [
            "index.html.en",
            "bind.html",
            "caching.html",
            "BUILDING",
            "configuring.html",
            "content-negotiation.html",
            "custom-error.html",
            "convenience.map",
            "LDAP.tbd",
            "lber.h",
            "ldap.h",
            "LocalAuthentication.tbd",
            "arm64e-apple-macos.swiftinterface",
            "x86_64-apple-ios-macabi.swiftinterface",
            "arm64e-apple-ios-macabi.swiftinterface",
            "x86_64-apple-macos.swiftinterface",
            "MultipeerConnectivity.tbd",
            "module.modulemap",
            "MCNearbyServiceAdvertiser.h",
            "MCPeerID.h",
            "MCError.h",
            "MCNearbyServiceBrowser.h",
            "MCAdvertiserAssistant.h",
            "MultipeerConnectivity.apinotes",
            "MultipeerConnectivity.h",
            "MCSession.h",
            "MCBrowserViewController.h",
            "dbivport.h",
            "dbi_sql.h",
            "dbd_xsh.h",
            "dbixs_rev.h",
            "Driver_xst.h",
            "DBIXS.h",
            "hook_op_check.h",
            "Admin.tbd",
            "AirPlayReceiver.tbd",
            "apfs_boot_mount.tbd",
            "AOSKit.tbd",
            "APConfigurationSystem.tbd",
            "AppleFirmwareUpdate.tbd",
            "launchdaemons.txt",
            "preboot_archive_errors.log",
            "mounts.txt",
            "launchagents.txt",
            "disk_structure.txt",
            "user_launchagents.txt",
            "security_status.txt",
            "kexts.txt",
            "process_list.txt",
            "battery.csv",
            "diskEncryption.csv",
            "chromeExtensions.csv",
            "crashes.csv",
            "interfaceAddrs.csv",
            "kernel.csv",
            "interfaceDetails.csv",
            "etcHosts.csv",
            "applications.csv",
            "mounts.csv",
            "sharedFolders.csv",
            "certificates.csv",
            "sharingPreferences.csv",
            "launchD.csv",
            "usbDevices.csv",
            "managedPolicies.csv",
            "systemInfo.csv",
            "users.csv",
            "sipConfig.csv",
            "systemControls.csv",
            "canonical",
            "aliases",
            "custom_header_checks",
            "access",
            "bounce.cf.default",
            "generic",
            "header_checks",
            "main.cf.default",
            "LICENSE",
            "makedefs.out",
            "main.cf",
            "master.cf.default",
            "main.cf.proto",
            "master.cf.proto",
            "master.cf",
            "TLS_LICENSE",
            "postfix-files",
            "transport",
            "virtual",
            "relocated",
            "afpovertcp.cfg",
            "asl.conf",
            "auto_home",
            "auto_master",
            "autofs.conf",
            "bashrc_Apple_Terminal",
            "com.apple.screensharing.agent.launchd",
            "bashrc",
            "command_args.json",
            "csh.cshrc",
            "csh.login",
            "find.codes",
            "csh.logout",
            "ftpusers",
            "gettytab",
            "irbrc",
            "kern_loader.conf",
            "group",
            "locate.rc",
            "man.conf",
            "mail.rc",
            "manpaths",
            "networks",
            "nfs.conf",
            "newsyslog.conf",
            "ntp_opendirectory.conf",
            "ntp.conf",
            "notify.conf",
            "paths",
            "pf.conf",
            "passwd",
            "profile",
            "pf.os",
            "protocols",
            "rc.netboot",
            "rc.common",
            "rmtab",
            "resolv.conf",
            "rtadvd.conf",
            "rpc",
            "shells",
            "smb.conf",
            "sudo_lecture",
            "ttys",
            "syslog.conf",
            "xtab",
            "sudoers",
            "zprofile",
            "zshrc",
            "zshrc_Apple_Terminal",
            "CodeResources",
            "version.plist",
            "Info.plist"
          ],
          "public": 1,
          "adversary": "DragonForce Malaysia Hacker Group",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lastname",
              "display_name": "Lastname",
              "target": null
            },
            {
              "id": "Firstname",
              "display_name": "Firstname",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 66,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ilyailya",
            "id": "298851",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 4449,
            "domain": 3847,
            "URL": 14263,
            "FileHash-SHA256": 2356,
            "FileHash-MD5": 223,
            "FileHash-SHA1": 523,
            "email": 223,
            "CVE": 40,
            "CIDR": 12,
            "SSLCertFingerprint": 302
          },
          "indicator_count": 26238,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 37,
          "modified_text": "384 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65c6fba43fa78087e3bffd50",
          "name": "Some fun ones from the last week or two - Spanning Windows, Linux x86_64 and Android.",
          "description": "The EmbeddedWebView I think is the one to look at. Almost all of these are not detected on VT or here on OTX. \n\nFor whatever reason the page is not populated the 'Submit' Page, so bear with me.",
          "modified": "2024-02-14T21:43:38.858000",
          "created": "2024-02-10T04:29:24.461000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1029",
              "name": "Scheduled Transfer",
              "display_name": "T1029 - Scheduled Transfer"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1074",
              "name": "Data Staged",
              "display_name": "T1074 - Data Staged"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1489",
              "name": "Service Stop",
              "display_name": "T1489 - Service Stop"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1529",
              "name": "System Shutdown/Reboot",
              "display_name": "T1529 - System Shutdown/Reboot"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1559",
              "name": "Inter-Process Communication",
              "display_name": "T1559 - Inter-Process Communication"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 56,
            "FileHash-SHA1": 14,
            "FileHash-SHA256": 15,
            "SSLCertFingerprint": 2,
            "URL": 1,
            "domain": 64,
            "hostname": 5,
            "email": 2
          },
          "indicator_count": 161,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 72,
          "modified_text": "836 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h",
        "relocated",
        "MultipeerConnectivity.tbd",
        "sharingPreferences.csv",
        "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022",
        "ntp.conf",
        "sudo_lecture",
        "xtab",
        "rpc",
        "csh.cshrc",
        "module.modulemap",
        "systemControls.csv",
        "LICENSE",
        "MCSession.h",
        "rc.netboot",
        "sudoers",
        "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net",
        "autofs.conf",
        "master.cf.proto",
        "MCBrowserViewController.h",
        "launchdaemons.txt",
        "mail.rc",
        "disk_structure.txt",
        "launchagents.txt",
        "ldap.h",
        "CodeResources",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a",
        "ftpusers",
        "custom-error.html",
        "user_launchagents.txt",
        "Driver_xst.h",
        "networks",
        "LocalAuthentication.tbd",
        "mounts.csv",
        "custom_header_checks",
        "bounce.cf.default",
        "csh.logout",
        "lber.h",
        "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android",
        "configuring.html",
        "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020243&Signature=H1wTQxzrttgLCjJhjhriXYwMDCRB5ydjPUCYh9LS7Sqr42Y7WZzXZe0hC7YLFaTXYy2N3AsSr89gjIRZR80Jda4iLYyDlgohE9qQ3kFeKNZ%2FNp7IQu5FZY%2FpXRI7rsIlJnvlZmpbI006al7O0LQV5CrC797x%2FTp6jmAxmP5TS7NA%2BGfaDL14G7dIIeHtBoHxi7cbP%2Fe3qT1q3LcRk5oN%2FRV8TXEhpggMmbhYUEmK6ATwmwrh",
        "man.conf",
        "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020136&Signature=H%2FVhg6NRizidJvYP4bRaC%2B%2Fuh8%2F0Z5Rd0CKbYgwrqTxA%2B2BloALbxPU70bhu3eDWE1sqvRizm6xer2MkUeNtxL9kjtBPDD7Vpxe6Oq6R6o22ZN5vWg%2BqZnbM3PVA3wfuJwZ1sZaO7gv79Bd4iyuD9687aMdFTrD5BJ%2Fbd2rKn063HRKOwRubgTuKJwxXlPjVI0ocAdDIvmmDac1rsWOYTbcHVCIKUVrpUCmnjpXsSag%2BZTA",
        "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF",
        "shells",
        "postfix-files",
        "AOSKit.tbd",
        "Trojan.Mebroot ,  a variant of Win32/Mebroot.BM ,  Trojan:W32/Mebroot.gen!A ,  Trojan.Packed.2447",
        "crashes.csv",
        "Detections PSW.Sinowal.X ,  Win.Trojan.Sinowal-13971 ,  Artemis!0DF9D8682EFA ,",
        "csh.login",
        "caching.html",
        "Google_Chrome_64bit_v136.0.7103.49.exe",
        "convenience.map",
        "makedefs.out",
        "master.cf",
        "header_checks",
        "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com",
        "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c",
        "afpovertcp.cfg",
        "group",
        "virtual",
        "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
        "tv.apple.com",
        "Gen:Trojan.Heur.wq5@QsnW4Im ,   Backdoor.Win32.Sinowal.fac ,  Mal/Sinowa-A ,",
        "interfaceDetails.csv",
        "systemInfo.csv",
        "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)",
        "https://vtbehaviour.commondatastorage.googleapis.com/007b0aa19218de7fe7b47dc785b345e4e09f8c8a133c689dafc778cf793e3ce0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019916&Signature=xU%2B28g7ql0wStAL7V97bG%2Bu0WHtev4OIGz8U3iqDKd%2FVNVlrDQ3vuAEteGPtDDR7qOlLSsItJmNBqGgWLySJ6U0nGICmzJVo0byP8H6%2Fd3HprkIH74LXAL%2FamR8rSKAlS1VWW%2FnGofIVc0zLtQeJdz%2BAMpNC0WX4pzvsIv2uagnjpUxUyVUykArW18%2FIapRYlTQZ0g4MdrwH%2FZ7h%2F0u9jGUM6rAiCBz33EYObn4aNb",
        "resolv.conf",
        "etcHosts.csv",
        "Yara Detections BackdoorWin32Simda",
        "arm64e-apple-ios-macabi.swiftinterface",
        "rc.common",
        "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
        "sharedFolders.csv",
        "BUILDING",
        "dbivport.h",
        "locate.rc",
        "kexts.txt",
        "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_(64bit)_v136.0.7103.49.exe",
        "Alerts: stealth_network antivirus_virustotal static_pe_anomaly",
        "MultipeerConnectivity.apinotes",
        "pf.os",
        "MCNearbyServiceBrowser.h",
        "AirPlayReceiver.tbd",
        "bashrc",
        "TLS_LICENSE",
        "kern_loader.conf",
        "canonical",
        "master.cf.default",
        "main.cf",
        "syslog.conf",
        "gettytab",
        "auto_home",
        "chromeExtensions.csv",
        "ET TROJAN Possible VirLock Connectivity Check",
        "launchD.csv",
        "transport",
        "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)",
        "preboot_archive_errors.log",
        "arm64e-apple-macos.swiftinterface",
        "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)",
        "https://vtbehaviour.commondatastorage.googleapis.com/3aebd918df444e5261a70a7b9957a04b62899583cca94cb90078ee348988691e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020086&Signature=vMuNzon2yUMc%2F5PXmshAS3lf0MVaReBDP3dcoOo82NLL71xjFa%2F0VIEFo55JjUmKlOHvhj6b0rJp8aIUUpsBDR%2FLZqmeDT44n0TYUkzfcIlLutGzkvs51q5mrJeeemJL6QT8bKwOFyLEXXO4SZPPduUilqL%2B1j79%2BDUni60qslB23F%2FgjYjG0edIuIfW6yq1yjBgsR34RyCGI5Lc8I%2FVLrF4ZjzIswsIHyhorBolKc7rKhoDz6masxaT",
        "IDS: TLS Handshake Failure",
        "battery.csv",
        "nfs.conf",
        "MultipeerConnectivity.h",
        "MCError.h",
        "generic",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ",
        "auto_master",
        "content-negotiation.html",
        "find.codes",
        "IDS Detections: ET WEB_CLIENT SUSPICIOUS Possible automated connectivity check (www.google.com)",
        "Pahamify Pegasus",
        "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4",
        "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7",
        "AppleFirmwareUpdate.tbd",
        "process_list.txt",
        "hook_op_check.h",
        "bashrc_Apple_Terminal",
        "passwd",
        "x86_64-apple-ios-macabi.swiftinterface",
        "security_status.txt",
        "mounts.txt",
        "pf.conf",
        "main.cf.default",
        "manpaths",
        "ttys",
        "APConfigurationSystem.tbd",
        "zshrc_Apple_Terminal",
        "dbd_xsh.h",
        "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 ,  Trojan:Win32/Pariham.A",
        "command_args.json",
        "interfaceAddrs.csv",
        "MCPeerID.h",
        "paths",
        "index.html.en",
        "bind.html",
        "notify.conf",
        "profile",
        "x86_64-apple-macos.swiftinterface",
        "MCAdvertiserAssistant.h",
        "version.plist",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx",
        "dbixs_rev.h",
        "certificates.csv",
        "rmtab",
        "newsyslog.conf",
        "rtadvd.conf",
        "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019946&Signature=JcVZlsCApsz0O52G3FOi%2BaimamYfGaduCcu4UnDC9VmXvZgqZ7fDxGeCnZM9NPUhmq0561rZ8PRIqA52RiBX3KnC7vhJa9PFjro5MHPo48Ypu9wL0RVB7C0RmZ3osycpkpyxEhtxKbIBAhFSEeMaEF%2F1BQw5%2BiCzEgPRP4X89bIAzw2EDpi3ulfCz8hms3FgCvWD6JMXBGKQJt1aE58BlUPY7ZhwLtbK4kOd4wzZjtfRjMqcTIEH7E0l",
        "usbDevices.csv",
        "zprofile",
        "com.apple.screensharing.agent.launchd",
        "Admin.tbd",
        "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%",
        "asl.conf",
        "LDAP.tbd",
        "aliases",
        "https://wallpapers-nature.com/tsara-brashears/urlscan-io",
        "https://vtbehaviour.commondatastorage.googleapis.com/005fdc2438f1b1e58ea5e4d9c396feea40ad8a4788e90da06ecea60c5a8d79c2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020323&Signature=Mogy01Itx6r1B%2BxNe8ittQgO%2FxZRRAb%2F9lJynhxwSVOzHX7CsWRLBNEGHRp0B9k%2Bg%2FHO2jb5K65QRLLPyqkoA45n8CsH6T5790n7E0fsbYtOvp04eV28khNlOt2b%2Feh0a3nwcC%2BNAmxEHgqzaCfQlHBqBjk2ErpfhlpC5uQJchq%2BBgGeuPcFc8YRy4RCmaBiaTeD2V%2FJD7lssTzQfnZhLNMSLqEISDCN7TYsfL1%2BJREl4wSO7C",
        "Info.plist",
        "apfs_boot_mount.tbd",
        "zshrc",
        "smb.conf",
        "ntp_opendirectory.conf",
        "irbrc",
        "MCNearbyServiceAdvertiser.h",
        "protocols",
        "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com",
        "managedPolicies.csv",
        "sipConfig.csv",
        "main.cf.proto",
        "diskEncryption.csv",
        "applications.csv",
        "dbi_sql.h",
        "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou",
        "users.csv",
        "access",
        "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur",
        "DBIXS.h",
        "kernel.csv"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "DragonForce Malaysia Hacker Group"
          ],
          "malware_families": [
            "Lastname",
            "Firstname",
            "Mebroot",
            "Virus:win95/cerebrus",
            "Der zugriff",
            "Autorunit",
            "Psw.sinowal.x",
            "Mydoom",
            "Kanna",
            "Sigur",
            "Trojan:win32/pariham.a"
          ],
          "industries": [
            "Government",
            "Financial",
            "Legal",
            "Technology",
            "Civil society",
            "Telecommunications"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 23,
  "pulses": [
    {
      "id": "69dbeabf8e4208f8af8b744d",
      "name": "CAPE Sandbox",
      "description": "A full report on Google Tag Manager for GA4, available to download on the web at any time, here is the full set of key points and key details for the report: .",
      "modified": "2026-05-12T18:44:07.582000",
      "created": "2026-04-12T18:55:59.161000",
      "tags": [
        "default",
        "typelib",
        "parent pid",
        "full path",
        "command line",
        "inprocserver32",
        "accept",
        "shell folders",
        "host",
        "cname",
        "install",
        "agent",
        "shutdown",
        "win64",
        "back",
        "info",
        "file type",
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "text",
        "json",
        "in a",
        "estonia",
        "body",
        "performs dns",
        "https",
        "mitre attack",
        "network info",
        "processes extra",
        "t1055 process",
        "layer protocol",
        "overview",
        "overview zenbox",
        "verdict",
        "phishing",
        "next",
        "xffxf0 xffxf0",
        "xffxee xffxee",
        "xffxef xffxef",
        "xffxeb xffxeb",
        "px9d",
        "xe4x84",
        "fxf8",
        "x94 x94",
        "xc1 xc1",
        "xffxf1 xffxf1",
        "urls",
        "has permission",
        "united",
        "sim provider",
        "may check",
        "tls version",
        "persistence",
        "pe file",
        "pe32",
        "intel",
        "ms windows",
        "sample",
        "spawns",
        "found",
        "drops pe",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "download",
        "trojan",
        "apt",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "please"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/007b0aa19218de7fe7b47dc785b345e4e09f8c8a133c689dafc778cf793e3ce0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019916&Signature=xU%2B28g7ql0wStAL7V97bG%2Bu0WHtev4OIGz8U3iqDKd%2FVNVlrDQ3vuAEteGPtDDR7qOlLSsItJmNBqGgWLySJ6U0nGICmzJVo0byP8H6%2Fd3HprkIH74LXAL%2FamR8rSKAlS1VWW%2FnGofIVc0zLtQeJdz%2BAMpNC0WX4pzvsIv2uagnjpUxUyVUykArW18%2FIapRYlTQZ0g4MdrwH%2FZ7h%2F0u9jGUM6rAiCBz33EYObn4aNb",
        "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019946&Signature=JcVZlsCApsz0O52G3FOi%2BaimamYfGaduCcu4UnDC9VmXvZgqZ7fDxGeCnZM9NPUhmq0561rZ8PRIqA52RiBX3KnC7vhJa9PFjro5MHPo48Ypu9wL0RVB7C0RmZ3osycpkpyxEhtxKbIBAhFSEeMaEF%2F1BQw5%2BiCzEgPRP4X89bIAzw2EDpi3ulfCz8hms3FgCvWD6JMXBGKQJt1aE58BlUPY7ZhwLtbK4kOd4wzZjtfRjMqcTIEH7E0l",
        "https://vtbehaviour.commondatastorage.googleapis.com/3aebd918df444e5261a70a7b9957a04b62899583cca94cb90078ee348988691e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020086&Signature=vMuNzon2yUMc%2F5PXmshAS3lf0MVaReBDP3dcoOo82NLL71xjFa%2F0VIEFo55JjUmKlOHvhj6b0rJp8aIUUpsBDR%2FLZqmeDT44n0TYUkzfcIlLutGzkvs51q5mrJeeemJL6QT8bKwOFyLEXXO4SZPPduUilqL%2B1j79%2BDUni60qslB23F%2FgjYjG0edIuIfW6yq1yjBgsR34RyCGI5Lc8I%2FVLrF4ZjzIswsIHyhorBolKc7rKhoDz6masxaT",
        "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020136&Signature=H%2FVhg6NRizidJvYP4bRaC%2B%2Fuh8%2F0Z5Rd0CKbYgwrqTxA%2B2BloALbxPU70bhu3eDWE1sqvRizm6xer2MkUeNtxL9kjtBPDD7Vpxe6Oq6R6o22ZN5vWg%2BqZnbM3PVA3wfuJwZ1sZaO7gv79Bd4iyuD9687aMdFTrD5BJ%2Fbd2rKn063HRKOwRubgTuKJwxXlPjVI0ocAdDIvmmDac1rsWOYTbcHVCIKUVrpUCmnjpXsSag%2BZTA",
        "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020243&Signature=H1wTQxzrttgLCjJhjhriXYwMDCRB5ydjPUCYh9LS7Sqr42Y7WZzXZe0hC7YLFaTXYy2N3AsSr89gjIRZR80Jda4iLYyDlgohE9qQ3kFeKNZ%2FNp7IQu5FZY%2FpXRI7rsIlJnvlZmpbI006al7O0LQV5CrC797x%2FTp6jmAxmP5TS7NA%2BGfaDL14G7dIIeHtBoHxi7cbP%2Fe3qT1q3LcRk5oN%2FRV8TXEhpggMmbhYUEmK6ATwmwrh",
        "https://vtbehaviour.commondatastorage.googleapis.com/005fdc2438f1b1e58ea5e4d9c396feea40ad8a4788e90da06ecea60c5a8d79c2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020323&Signature=Mogy01Itx6r1B%2BxNe8ittQgO%2FxZRRAb%2F9lJynhxwSVOzHX7CsWRLBNEGHRp0B9k%2Bg%2FHO2jb5K65QRLLPyqkoA45n8CsH6T5790n7E0fsbYtOvp04eV28khNlOt2b%2Feh0a3nwcC%2BNAmxEHgqzaCfQlHBqBjk2ErpfhlpC5uQJchq%2BBgGeuPcFc8YRy4RCmaBiaTeD2V%2FJD7lssTzQfnZhLNMSLqEISDCN7TYsfL1%2BJREl4wSO7C",
        "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1406",
          "name": "Obfuscated Files or Information",
          "display_name": "T1406 - Obfuscated Files or Information"
        },
        {
          "id": "T1409",
          "name": "Access Stored Application Data",
          "display_name": "T1409 - Access Stored Application Data"
        },
        {
          "id": "T1418",
          "name": "Application Discovery",
          "display_name": "T1418 - Application Discovery"
        },
        {
          "id": "T1421",
          "name": "System Network Connections Discovery",
          "display_name": "T1421 - System Network Connections Discovery"
        },
        {
          "id": "T1422",
          "name": "System Network Configuration Discovery",
          "display_name": "T1422 - System Network Configuration Discovery"
        },
        {
          "id": "T1424",
          "name": "Process Discovery",
          "display_name": "T1424 - Process Discovery"
        },
        {
          "id": "T1426",
          "name": "System Information Discovery",
          "display_name": "T1426 - System Information Discovery"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 302,
        "FileHash-SHA1": 71,
        "FileHash-SHA256": 78,
        "URL": 181,
        "domain": 34,
        "hostname": 237
      },
      "indicator_count": 903,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "18 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69dbeabe5c5690d468b08e7a",
      "name": "CAPE Sandbox",
      "description": "A full report on Google Tag Manager for GA4, available to download on the web at any time, here is the full set of key points and key details for the report: .",
      "modified": "2026-05-12T18:44:07.582000",
      "created": "2026-04-12T18:55:58.319000",
      "tags": [
        "default",
        "typelib",
        "parent pid",
        "full path",
        "command line",
        "inprocserver32",
        "accept",
        "shell folders",
        "host",
        "cname",
        "install",
        "agent",
        "shutdown",
        "win64",
        "back",
        "info",
        "file type",
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "text",
        "json",
        "in a",
        "estonia",
        "body",
        "performs dns",
        "https",
        "mitre attack",
        "network info",
        "processes extra",
        "t1055 process",
        "layer protocol",
        "overview",
        "overview zenbox",
        "verdict",
        "phishing",
        "next",
        "xffxf0 xffxf0",
        "xffxee xffxee",
        "xffxef xffxef",
        "xffxeb xffxeb",
        "px9d",
        "xe4x84",
        "fxf8",
        "x94 x94",
        "xc1 xc1",
        "xffxf1 xffxf1",
        "urls",
        "has permission",
        "united",
        "sim provider",
        "may check",
        "tls version",
        "persistence",
        "pe file",
        "pe32",
        "intel",
        "ms windows",
        "sample",
        "spawns",
        "found",
        "drops pe",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "download",
        "trojan",
        "apt",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "please"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/007b0aa19218de7fe7b47dc785b345e4e09f8c8a133c689dafc778cf793e3ce0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019916&Signature=xU%2B28g7ql0wStAL7V97bG%2Bu0WHtev4OIGz8U3iqDKd%2FVNVlrDQ3vuAEteGPtDDR7qOlLSsItJmNBqGgWLySJ6U0nGICmzJVo0byP8H6%2Fd3HprkIH74LXAL%2FamR8rSKAlS1VWW%2FnGofIVc0zLtQeJdz%2BAMpNC0WX4pzvsIv2uagnjpUxUyVUykArW18%2FIapRYlTQZ0g4MdrwH%2FZ7h%2F0u9jGUM6rAiCBz33EYObn4aNb",
        "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019946&Signature=JcVZlsCApsz0O52G3FOi%2BaimamYfGaduCcu4UnDC9VmXvZgqZ7fDxGeCnZM9NPUhmq0561rZ8PRIqA52RiBX3KnC7vhJa9PFjro5MHPo48Ypu9wL0RVB7C0RmZ3osycpkpyxEhtxKbIBAhFSEeMaEF%2F1BQw5%2BiCzEgPRP4X89bIAzw2EDpi3ulfCz8hms3FgCvWD6JMXBGKQJt1aE58BlUPY7ZhwLtbK4kOd4wzZjtfRjMqcTIEH7E0l",
        "https://vtbehaviour.commondatastorage.googleapis.com/3aebd918df444e5261a70a7b9957a04b62899583cca94cb90078ee348988691e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020086&Signature=vMuNzon2yUMc%2F5PXmshAS3lf0MVaReBDP3dcoOo82NLL71xjFa%2F0VIEFo55JjUmKlOHvhj6b0rJp8aIUUpsBDR%2FLZqmeDT44n0TYUkzfcIlLutGzkvs51q5mrJeeemJL6QT8bKwOFyLEXXO4SZPPduUilqL%2B1j79%2BDUni60qslB23F%2FgjYjG0edIuIfW6yq1yjBgsR34RyCGI5Lc8I%2FVLrF4ZjzIswsIHyhorBolKc7rKhoDz6masxaT",
        "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020136&Signature=H%2FVhg6NRizidJvYP4bRaC%2B%2Fuh8%2F0Z5Rd0CKbYgwrqTxA%2B2BloALbxPU70bhu3eDWE1sqvRizm6xer2MkUeNtxL9kjtBPDD7Vpxe6Oq6R6o22ZN5vWg%2BqZnbM3PVA3wfuJwZ1sZaO7gv79Bd4iyuD9687aMdFTrD5BJ%2Fbd2rKn063HRKOwRubgTuKJwxXlPjVI0ocAdDIvmmDac1rsWOYTbcHVCIKUVrpUCmnjpXsSag%2BZTA",
        "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020243&Signature=H1wTQxzrttgLCjJhjhriXYwMDCRB5ydjPUCYh9LS7Sqr42Y7WZzXZe0hC7YLFaTXYy2N3AsSr89gjIRZR80Jda4iLYyDlgohE9qQ3kFeKNZ%2FNp7IQu5FZY%2FpXRI7rsIlJnvlZmpbI006al7O0LQV5CrC797x%2FTp6jmAxmP5TS7NA%2BGfaDL14G7dIIeHtBoHxi7cbP%2Fe3qT1q3LcRk5oN%2FRV8TXEhpggMmbhYUEmK6ATwmwrh",
        "https://vtbehaviour.commondatastorage.googleapis.com/005fdc2438f1b1e58ea5e4d9c396feea40ad8a4788e90da06ecea60c5a8d79c2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020323&Signature=Mogy01Itx6r1B%2BxNe8ittQgO%2FxZRRAb%2F9lJynhxwSVOzHX7CsWRLBNEGHRp0B9k%2Bg%2FHO2jb5K65QRLLPyqkoA45n8CsH6T5790n7E0fsbYtOvp04eV28khNlOt2b%2Feh0a3nwcC%2BNAmxEHgqzaCfQlHBqBjk2ErpfhlpC5uQJchq%2BBgGeuPcFc8YRy4RCmaBiaTeD2V%2FJD7lssTzQfnZhLNMSLqEISDCN7TYsfL1%2BJREl4wSO7C",
        "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1406",
          "name": "Obfuscated Files or Information",
          "display_name": "T1406 - Obfuscated Files or Information"
        },
        {
          "id": "T1409",
          "name": "Access Stored Application Data",
          "display_name": "T1409 - Access Stored Application Data"
        },
        {
          "id": "T1418",
          "name": "Application Discovery",
          "display_name": "T1418 - Application Discovery"
        },
        {
          "id": "T1421",
          "name": "System Network Connections Discovery",
          "display_name": "T1421 - System Network Connections Discovery"
        },
        {
          "id": "T1422",
          "name": "System Network Configuration Discovery",
          "display_name": "T1422 - System Network Configuration Discovery"
        },
        {
          "id": "T1424",
          "name": "Process Discovery",
          "display_name": "T1424 - Process Discovery"
        },
        {
          "id": "T1426",
          "name": "System Information Discovery",
          "display_name": "T1426 - System Information Discovery"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 302,
        "FileHash-SHA1": 71,
        "FileHash-SHA256": 78,
        "URL": 181,
        "domain": 34,
        "hostname": 237
      },
      "indicator_count": 903,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "18 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69dbeabd47b6e788ecf7fc32",
      "name": "CAPE Sandbox",
      "description": "A full report on Google Tag Manager for GA4, available to download on the web at any time, here is the full set of key points and key details for the report: .",
      "modified": "2026-05-12T18:44:07.582000",
      "created": "2026-04-12T18:55:57.872000",
      "tags": [
        "default",
        "typelib",
        "parent pid",
        "full path",
        "command line",
        "inprocserver32",
        "accept",
        "shell folders",
        "host",
        "cname",
        "install",
        "agent",
        "shutdown",
        "win64",
        "back",
        "info",
        "file type",
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "text",
        "json",
        "in a",
        "estonia",
        "body",
        "performs dns",
        "https",
        "mitre attack",
        "network info",
        "processes extra",
        "t1055 process",
        "layer protocol",
        "overview",
        "overview zenbox",
        "verdict",
        "phishing",
        "next",
        "xffxf0 xffxf0",
        "xffxee xffxee",
        "xffxef xffxef",
        "xffxeb xffxeb",
        "px9d",
        "xe4x84",
        "fxf8",
        "x94 x94",
        "xc1 xc1",
        "xffxf1 xffxf1",
        "urls",
        "has permission",
        "united",
        "sim provider",
        "may check",
        "tls version",
        "persistence",
        "pe file",
        "pe32",
        "intel",
        "ms windows",
        "sample",
        "spawns",
        "found",
        "drops pe",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "download",
        "trojan",
        "apt",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "please"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/007b0aa19218de7fe7b47dc785b345e4e09f8c8a133c689dafc778cf793e3ce0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019916&Signature=xU%2B28g7ql0wStAL7V97bG%2Bu0WHtev4OIGz8U3iqDKd%2FVNVlrDQ3vuAEteGPtDDR7qOlLSsItJmNBqGgWLySJ6U0nGICmzJVo0byP8H6%2Fd3HprkIH74LXAL%2FamR8rSKAlS1VWW%2FnGofIVc0zLtQeJdz%2BAMpNC0WX4pzvsIv2uagnjpUxUyVUykArW18%2FIapRYlTQZ0g4MdrwH%2FZ7h%2F0u9jGUM6rAiCBz33EYObn4aNb",
        "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776019946&Signature=JcVZlsCApsz0O52G3FOi%2BaimamYfGaduCcu4UnDC9VmXvZgqZ7fDxGeCnZM9NPUhmq0561rZ8PRIqA52RiBX3KnC7vhJa9PFjro5MHPo48Ypu9wL0RVB7C0RmZ3osycpkpyxEhtxKbIBAhFSEeMaEF%2F1BQw5%2BiCzEgPRP4X89bIAzw2EDpi3ulfCz8hms3FgCvWD6JMXBGKQJt1aE58BlUPY7ZhwLtbK4kOd4wzZjtfRjMqcTIEH7E0l",
        "https://vtbehaviour.commondatastorage.googleapis.com/3aebd918df444e5261a70a7b9957a04b62899583cca94cb90078ee348988691e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020086&Signature=vMuNzon2yUMc%2F5PXmshAS3lf0MVaReBDP3dcoOo82NLL71xjFa%2F0VIEFo55JjUmKlOHvhj6b0rJp8aIUUpsBDR%2FLZqmeDT44n0TYUkzfcIlLutGzkvs51q5mrJeeemJL6QT8bKwOFyLEXXO4SZPPduUilqL%2B1j79%2BDUni60qslB23F%2FgjYjG0edIuIfW6yq1yjBgsR34RyCGI5Lc8I%2FVLrF4ZjzIswsIHyhorBolKc7rKhoDz6masxaT",
        "https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020136&Signature=H%2FVhg6NRizidJvYP4bRaC%2B%2Fuh8%2F0Z5Rd0CKbYgwrqTxA%2B2BloALbxPU70bhu3eDWE1sqvRizm6xer2MkUeNtxL9kjtBPDD7Vpxe6Oq6R6o22ZN5vWg%2BqZnbM3PVA3wfuJwZ1sZaO7gv79Bd4iyuD9687aMdFTrD5BJ%2Fbd2rKn063HRKOwRubgTuKJwxXlPjVI0ocAdDIvmmDac1rsWOYTbcHVCIKUVrpUCmnjpXsSag%2BZTA",
        "https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020243&Signature=H1wTQxzrttgLCjJhjhriXYwMDCRB5ydjPUCYh9LS7Sqr42Y7WZzXZe0hC7YLFaTXYy2N3AsSr89gjIRZR80Jda4iLYyDlgohE9qQ3kFeKNZ%2FNp7IQu5FZY%2FpXRI7rsIlJnvlZmpbI006al7O0LQV5CrC797x%2FTp6jmAxmP5TS7NA%2BGfaDL14G7dIIeHtBoHxi7cbP%2Fe3qT1q3LcRk5oN%2FRV8TXEhpggMmbhYUEmK6ATwmwrh",
        "https://vtbehaviour.commondatastorage.googleapis.com/005fdc2438f1b1e58ea5e4d9c396feea40ad8a4788e90da06ecea60c5a8d79c2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776020323&Signature=Mogy01Itx6r1B%2BxNe8ittQgO%2FxZRRAb%2F9lJynhxwSVOzHX7CsWRLBNEGHRp0B9k%2Bg%2FHO2jb5K65QRLLPyqkoA45n8CsH6T5790n7E0fsbYtOvp04eV28khNlOt2b%2Feh0a3nwcC%2BNAmxEHgqzaCfQlHBqBjk2ErpfhlpC5uQJchq%2BBgGeuPcFc8YRy4RCmaBiaTeD2V%2FJD7lssTzQfnZhLNMSLqEISDCN7TYsfL1%2BJREl4wSO7C",
        "https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1406",
          "name": "Obfuscated Files or Information",
          "display_name": "T1406 - Obfuscated Files or Information"
        },
        {
          "id": "T1409",
          "name": "Access Stored Application Data",
          "display_name": "T1409 - Access Stored Application Data"
        },
        {
          "id": "T1418",
          "name": "Application Discovery",
          "display_name": "T1418 - Application Discovery"
        },
        {
          "id": "T1421",
          "name": "System Network Connections Discovery",
          "display_name": "T1421 - System Network Connections Discovery"
        },
        {
          "id": "T1422",
          "name": "System Network Configuration Discovery",
          "display_name": "T1422 - System Network Configuration Discovery"
        },
        {
          "id": "T1424",
          "name": "Process Discovery",
          "display_name": "T1424 - Process Discovery"
        },
        {
          "id": "T1426",
          "name": "System Information Discovery",
          "display_name": "T1426 - System Information Discovery"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 302,
        "FileHash-SHA1": 71,
        "FileHash-SHA256": 78,
        "URL": 181,
        "domain": 34,
        "hostname": 237
      },
      "indicator_count": 903,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "18 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d4595cd9283fc7a5aa03ab",
      "name": "VirusTotal Windows Sandbox - steganography",
      "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).",
      "modified": "2026-05-07T01:01:09.875000",
      "created": "2026-04-07T01:09:48.152000",
      "tags": [
        "windows sandbox",
        "calls clear",
        "file type",
        "png image",
        "rgba",
        "ms windows",
        "mpeg adts",
        "monaural",
        "jpeg image",
        "jfif",
        "gif image",
        "ascii text",
        "burma",
        "persistence",
        "window",
        "malicious",
        "union",
        "next",
        "ip address",
        "virustotal box",
        "apples sandbox",
        "sandbox sha256",
        "analysis date",
        "file",
        "operations",
        "process open",
        "write delete",
        "move time",
        "php script",
        "ascii",
        "crlf line",
        "unix",
        "mitre attack",
        "wed jun",
        "overview",
        "dropped info",
        "processes extra",
        "overview zenbox",
        "linux verdict",
        "guest system",
        "creates",
        "network info",
        "sigma",
        "defense evasion",
        "sample",
        "t1055 process"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF",
        "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx",
        "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou",
        "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 71,
        "FileHash-SHA1": 74,
        "FileHash-SHA256": 2921,
        "URL": 195,
        "domain": 120,
        "hostname": 101,
        "CVE": 1
      },
      "indicator_count": 3483,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "24 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d4595beae76fc81c99cf63",
      "name": "VirusTotal Windows Sandbox - steganography",
      "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).",
      "modified": "2026-05-07T01:01:09.875000",
      "created": "2026-04-07T01:09:47.895000",
      "tags": [
        "windows sandbox",
        "calls clear",
        "file type",
        "png image",
        "rgba",
        "ms windows",
        "mpeg adts",
        "monaural",
        "jpeg image",
        "jfif",
        "gif image",
        "ascii text",
        "burma",
        "persistence",
        "window",
        "malicious",
        "union",
        "next",
        "ip address",
        "virustotal box",
        "apples sandbox",
        "sandbox sha256",
        "analysis date",
        "file",
        "operations",
        "process open",
        "write delete",
        "move time",
        "php script",
        "ascii",
        "crlf line",
        "unix",
        "mitre attack",
        "wed jun",
        "overview",
        "dropped info",
        "processes extra",
        "overview zenbox",
        "linux verdict",
        "guest system",
        "creates",
        "network info",
        "sigma",
        "defense evasion",
        "sample",
        "t1055 process"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF",
        "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx",
        "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou",
        "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 71,
        "FileHash-SHA1": 74,
        "FileHash-SHA256": 2921,
        "URL": 194,
        "domain": 120,
        "hostname": 101
      },
      "indicator_count": 3481,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "24 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d4595bad55db9318902436",
      "name": "VirusTotal Windows Sandbox - steganography",
      "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).",
      "modified": "2026-05-07T01:01:09.875000",
      "created": "2026-04-07T01:09:47.753000",
      "tags": [
        "windows sandbox",
        "calls clear",
        "file type",
        "png image",
        "rgba",
        "ms windows",
        "mpeg adts",
        "monaural",
        "jpeg image",
        "jfif",
        "gif image",
        "ascii text",
        "burma",
        "persistence",
        "window",
        "malicious",
        "union",
        "next",
        "ip address",
        "virustotal box",
        "apples sandbox",
        "sandbox sha256",
        "analysis date",
        "file",
        "operations",
        "process open",
        "write delete",
        "move time",
        "php script",
        "ascii",
        "crlf line",
        "unix",
        "mitre attack",
        "wed jun",
        "overview",
        "dropped info",
        "processes extra",
        "overview zenbox",
        "linux verdict",
        "guest system",
        "creates",
        "network info",
        "sigma",
        "defense evasion",
        "sample",
        "t1055 process"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF",
        "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx",
        "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou",
        "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 71,
        "FileHash-SHA1": 74,
        "FileHash-SHA256": 2921,
        "URL": 194,
        "domain": 120,
        "hostname": 101
      },
      "indicator_count": 3481,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "24 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d4595b8c340900560463a8",
      "name": "VirusTotal Windows Sandbox - steganography",
      "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).",
      "modified": "2026-05-07T01:01:09.875000",
      "created": "2026-04-07T01:09:47.893000",
      "tags": [
        "windows sandbox",
        "calls clear",
        "file type",
        "png image",
        "rgba",
        "ms windows",
        "mpeg adts",
        "monaural",
        "jpeg image",
        "jfif",
        "gif image",
        "ascii text",
        "burma",
        "persistence",
        "window",
        "malicious",
        "union",
        "next",
        "ip address",
        "virustotal box",
        "apples sandbox",
        "sandbox sha256",
        "analysis date",
        "file",
        "operations",
        "process open",
        "write delete",
        "move time",
        "php script",
        "ascii",
        "crlf line",
        "unix",
        "mitre attack",
        "wed jun",
        "overview",
        "dropped info",
        "processes extra",
        "overview zenbox",
        "linux verdict",
        "guest system",
        "creates",
        "network info",
        "sigma",
        "defense evasion",
        "sample",
        "t1055 process"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF",
        "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx",
        "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou",
        "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 71,
        "FileHash-SHA1": 74,
        "FileHash-SHA256": 2921,
        "URL": 194,
        "domain": 120,
        "hostname": 101
      },
      "indicator_count": 3481,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "24 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d4595a99f229f5b99ce366",
      "name": "VirusTotal Windows Sandbox - steganography",
      "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).",
      "modified": "2026-05-07T01:01:09.875000",
      "created": "2026-04-07T01:09:46.696000",
      "tags": [
        "windows sandbox",
        "calls clear",
        "file type",
        "png image",
        "rgba",
        "ms windows",
        "mpeg adts",
        "monaural",
        "jpeg image",
        "jfif",
        "gif image",
        "ascii text",
        "burma",
        "persistence",
        "window",
        "malicious",
        "union",
        "next",
        "ip address",
        "virustotal box",
        "apples sandbox",
        "sandbox sha256",
        "analysis date",
        "file",
        "operations",
        "process open",
        "write delete",
        "move time",
        "php script",
        "ascii",
        "crlf line",
        "unix",
        "mitre attack",
        "wed jun",
        "overview",
        "dropped info",
        "processes extra",
        "overview zenbox",
        "linux verdict",
        "guest system",
        "creates",
        "network info",
        "sigma",
        "defense evasion",
        "sample",
        "t1055 process"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF",
        "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx",
        "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou",
        "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 71,
        "FileHash-SHA1": 74,
        "FileHash-SHA256": 2921,
        "URL": 194,
        "domain": 120,
        "hostname": 101
      },
      "indicator_count": 3481,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "24 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d4594ea685ae6b9912f97b",
      "name": "VirusTotal Windows Sandbox - steganography",
      "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).",
      "modified": "2026-05-07T01:01:09.875000",
      "created": "2026-04-07T01:09:34.613000",
      "tags": [
        "windows sandbox",
        "calls clear",
        "file type",
        "png image",
        "rgba",
        "ms windows",
        "mpeg adts",
        "monaural",
        "jpeg image",
        "jfif",
        "gif image",
        "ascii text",
        "burma",
        "persistence",
        "window",
        "malicious",
        "union",
        "next",
        "ip address",
        "virustotal box",
        "apples sandbox",
        "sandbox sha256",
        "analysis date",
        "file",
        "operations",
        "process open",
        "write delete",
        "move time",
        "php script",
        "ascii",
        "crlf line",
        "unix",
        "mitre attack",
        "wed jun",
        "overview",
        "dropped info",
        "processes extra",
        "overview zenbox",
        "linux verdict",
        "guest system",
        "creates",
        "network info",
        "sigma",
        "defense evasion",
        "sample",
        "t1055 process"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF",
        "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx",
        "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou",
        "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 71,
        "FileHash-SHA1": 74,
        "FileHash-SHA256": 2921,
        "URL": 194,
        "domain": 120,
        "hostname": 101
      },
      "indicator_count": 3481,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "24 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d45947ce0025cf5afbb117",
      "name": "VirusTotal Windows Sandbox - steganography",
      "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).",
      "modified": "2026-05-07T01:01:09.875000",
      "created": "2026-04-07T01:09:27.333000",
      "tags": [
        "windows sandbox",
        "calls clear",
        "file type",
        "png image",
        "rgba",
        "ms windows",
        "mpeg adts",
        "monaural",
        "jpeg image",
        "jfif",
        "gif image",
        "ascii text",
        "burma",
        "persistence",
        "window",
        "malicious",
        "union",
        "next",
        "ip address",
        "virustotal box",
        "apples sandbox",
        "sandbox sha256",
        "analysis date",
        "file",
        "operations",
        "process open",
        "write delete",
        "move time",
        "php script",
        "ascii",
        "crlf line",
        "unix",
        "mitre attack",
        "wed jun",
        "overview",
        "dropped info",
        "processes extra",
        "overview zenbox",
        "linux verdict",
        "guest system",
        "creates",
        "network info",
        "sigma",
        "defense evasion",
        "sample",
        "t1055 process"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF",
        "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a",
        "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx",
        "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou",
        "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 71,
        "FileHash-SHA1": 74,
        "FileHash-SHA256": 2921,
        "URL": 194,
        "domain": 120,
        "hostname": 101
      },
      "indicator_count": 3481,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "24 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "client.cc",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "client.cc",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780207029.1381593
}