{ "type": "Domain", "indicator": "dotster.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/dotster.com", "alexa": "http://www.alexa.com/siteinfo/dotster.com", "indicator": "dotster.com", "type": "domain", "type_title": "Domain", "validation": [ { "source": "majestic", "message": "Whitelisted domain dotster.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 1179667515, "indicator": "dotster.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "6a0e70462533707c15e72292", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T03:36:39.925000", "created": "2026-05-21T02:39:02.897000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 212, "FileHash-SHA1": 226, "FileHash-SHA256": 1512, "IPv4": 409, "URL": 880, "hostname": 1350, "domain": 378, "CIDR": 1, "email": 3, "Mutex": 3 }, "indicator_count": 4974, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e703e7c0457682c548691", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T02:38:54.394000", "created": "2026-05-21T02:38:54.394000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 163, "FileHash-SHA1": 98, "FileHash-SHA256": 884, "IPv4": 48, "URL": 150, "hostname": 170, "domain": 96, "CIDR": 1, "email": 3 }, "indicator_count": 1613, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e703e6a884aeed75d9180", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T02:38:54.205000", "created": "2026-05-21T02:38:54.205000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 163, "FileHash-SHA1": 98, "FileHash-SHA256": 884, "IPv4": 48, "URL": 150, "hostname": 170, "domain": 96, "CIDR": 1, "email": 3 }, "indicator_count": 1613, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e7033ee9e679939ba3294", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T02:38:43.726000", "created": "2026-05-21T02:38:43.726000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 163, "FileHash-SHA1": 98, "FileHash-SHA256": 884, "IPv4": 48, "URL": 150, "hostname": 170, "domain": 96, "CIDR": 1, "email": 3 }, "indicator_count": 1613, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e702f7b1b513a66e1789e", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T02:38:39.508000", "created": "2026-05-21T02:38:39.508000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 163, "FileHash-SHA1": 98, "FileHash-SHA256": 884, "IPv4": 48, "URL": 150, "hostname": 170, "domain": 96, "CIDR": 1, "email": 3 }, "indicator_count": 1613, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68a956460f257cf96c454071", "name": "Piracy \u2022 Cloudfront \u2022 Ransom \u2022 Code Overlaps \u2022 Unrelenting attacks.", "description": "Indie songwriter , publisher, promoter, producer & her artists affected by years long copyright infringement , hacking & reputation damage. Website now downed.\n\nBrashears had been involved in music under pseudonyms for decades as a was songwriter , ghostwriter, sold catalogs , charting singles, chops was sponsored. In this instance music was grossly pirated. Initially asked for hook rights then told hook would be used without her permission. Believed dispute resolved verbally + copyright.\n\nTsara learned from an insider/s her hook was pirated & used by artists listed. Modifications make songs pirated samples.\nBrashears song written in 2010 later vaulted in a private catalog later released by her artist. YouTube audio quality tampering on pirated song. \n\nBrashears loved music, not the industry as an artist; preferring business. Always held her privacy to remain unknown. Tsara lived 10 lives at once.\n\nLikely involves male who contacted her @ by email as mentioned in earlier pulse.\n#trulymissed", "modified": "2025-09-21T21:03:28.771000", "created": "2025-08-23T05:48:54.534000", "tags": [ "domains", "hashes", "passive dns", "urls", "url add", "http", "hostname", "files domain", "files related", "related tags", "a domains", "entries", "next associated", "files show", "date hash", "avast avg", "trojanspy", "entries http", "scans show", "search", "body", "body doctype", "dynamicloader", "medium", "reg add", "regsz d", "high", "windows", "audio drivers", "write c", "virtool", "copy", "write", "june", "united", "unknown ns", "samsara", "new york", "city ny", "ip address", "record value", "meta", "date", "music", "encrypt", "win32", "dangeroussig", "lowfi", "msie", "chrome", "precondition", "trojan", "title", "canada unknown", "unknown cname", "domain add", "files", "location united", "hostname add", "verdict", "domain", "files ip", "address", "asn as13335", "hash avast", "avg clamav", "msdefender feb", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "file", "size", "ascii text", "pattern match", "august", "hybrid", "general", "path", "click", "strings", "roboto", "mozilla", "contact", "t1179 hooking", "installs", "t1035 service", "crlf line", "runtime process", "malicious", "unknown", "ssl certificate", "defense evasion", "amazon02", "americachicago", "windows nt", "win64", "khtml", "gecko", "veryhigh", "found", "geo menifee", "california", "as30148", "us note", "route", "ptr record", "information", "t1053", "taskjob", "t1055", "injection", "t1082", "t1112", "modify registry", "t1119", "t1129", "service", "capture", "url http", "url https", "type indicator", "role title", "added active", "related pulses", "showing", "ipv6", "ipv4", "dicator role", "title added", "active related", "sweden", "netherlands", "scan", "iocs", "learn more", "types of", "kingdom", "united kingdom", "denmark", "icator role", "malware attacks", "find encrypted", "t1021", "remote", "t1068", "ta0043", "t1016", "discovery", "t1221", "nobody love", "tori", "kelley", "dj khaled", "justin bieber", "sophos video", "x rack", "x frame", "october", "songculture", "song culture", "tsara brashears", "jess 4", "queryfoundry", "beyond sampling", "pirated", "youtube", "spotify", "twitter", "spy", "tracking" ], "references": [ "https://songculture.com/tsara-brashears-music | Cloudfront below was attached to body of work", "https://d3jjg4nf4bbybe.cloudfront.net/u/210425/397f80d871fe6dla1704cela4b712e387ed8a48a/large/kedence-out-of-my-sight", "\"Nobody Love\" Tori Kelley \"'m the One\" DJ Khaled ft Justin Bieber (Pirated Hook)", "8-25-220-162-static.reverse.queryfoundry.net", "http://117-114-251-162-static.reverse.queryfoundry.net/ - queryfoundry.net", "https://www.youtube.com/watch?v=bJWJbOqg9cM - Falsely flagged to demonetize and not rank", "Dr.Web violence/adult content (False) ThreatSeeker social web - youtube", "music.apple.com \u2022 linktr.ee \u2022 sentient.industries? samsara has been showing up often.", "There is money in the industry for well established , \u2018souled\u2019 out artists. It\u2019s a racket! T signed & exited early", "Worked at some studios attacked by Lazarus Group who allegedly attacked Sony Music", "I apologize if you don\u2019t like my background stories", "\u2018Passin\u2019 I deleted the pulses you asked me to. Your links were malicious. I haven\u2019t weaponize anything I\u2019ve learned... yet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nivdort", "display_name": "Nivdort", "target": null }, { "id": "Virtool", "display_name": "Virtool", "target": null }, { "id": "Evo", "display_name": "Evo", "target": null }, { "id": "Trojanspy", "display_name": "Trojanspy", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Malware Gen", "display_name": "Malware Gen", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [ "Media", "Technology", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1833, "hostname": 902, "domain": 386, "FileHash-MD5": 406, "FileHash-SHA1": 402, "FileHash-SHA256": 1437, "email": 2, "SSLCertFingerprint": 5, "CIDR": 2 }, "indicator_count": 5375, "is_author": false, "is_subscribing": null, "subscriber_count": 148, "modified_text": "252 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b7a0a606360e458f77aad9", "name": "Exploit Enterprise Resources-Steam Powered | x.com | Hunt | Crypt", "description": "Remotely attacks social media , game services, hunting for IP addresses, and all personal locations of targets. Service modifier, registry modifier.", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-10T17:17:26.271000", "tags": [ "as46606", "united", "unknown", "passive dns", "all scoreblue", "ipv4", "url analysis", "search", "a nxdomain", "whitelisted", "accept", "ns nxdomain", "soa nxdomain", "aaaa nxdomain", "reverse dns", "as29873", "trojan", "hacktool", "hosting", "ttl value", "algorithm", "full name", "data", "v3 serial", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "server", "registrar abuse", "dns replication", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "first", "android", "united states", "status", "hostname", "as13414 twitter", "aaaa", "nxdomain", "date", "as44273 host", "scan endpoints", "systemroot", "ogoogle trust", "cngts ca", "delete c", "tofsee", "stcalifornia", "lsan francisco", "win64", "grum", "copy", "write", "malware", "encrypt", "memcommit", "read c", "yara detections", "medium", "memreserve", "command line", "get ip address", "steam", "api get ip", "steam get ip", "entries", "show", "windows nt", "khtml", "gecko", "next", "showing", "ip address", "writeconsolea", "february", "write c", "regsetvalueexa", "regdword", "delete", "napolar", "persistence", "execution", "network service", "location hunting", "ip hunting" ], "references": [ "analytics.x.com", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Anti , dbgdetect_procs", "Crypt: 1.3.6.1", "Crypt: FileHash-SHA256 71f1f6c91dbe8050e7c5d54f294f5eabec02dccbe97fb0100e7ebf8f35b0d062", "Crypt: FileHash-SHA1 d8b665ef01e3f9feaa746833cddadf3bf29f72d1", "Crypt: FileHash-MD5 5dd89c5f70c95bae85d864c7baf27b20", "Yara Detections: ryuk_1007_fx2_12_multi_for_crypt_x86 , dbgdetect_files", "IDS Detections: Win32/Tofsee.AX google.com connectivity check HTTP Request with Lowercase host Header Observed External IP Lookup ip-api.com", "Antivirus Detections: Win.Packer.pkr_ce1a-9980177-0", "IDS Detections: Observed External IP Lookup ip-api.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Crypt", "display_name": "Crypt", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 570, "domain": 563, "hostname": 1131, "FileHash-SHA1": 498, "FileHash-SHA256": 2070, "URL": 83, "email": 7, "SSLCertFingerprint": 10 }, "indicator_count": 4932, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "598 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a39f005c7f0a1c1eb33125", "name": "Formbook", "description": "FormBook is a data stealer that is being distributed as a MaaS. FormBook is available in the dark web market as a Malware-as-Service.\n I n known situations targets were contacted by bad actors via social media accounts Twitter & Facebook.", "modified": "2024-03-21T10:00:24.070000", "created": "2024-01-14T08:44:48.297000", "tags": [ "ssl certificate", "contacted", "execution", "ah6itbtgl", "whois record", "historical ssl", "referrer", "subdomains", "resolutions", "formbook", "threat roundup", "malware", "metro", "social engineering", "jansky", "script urls", "a domains", "united", "search", "date", "script domains", "creation date", "record value", "showing", "unknown", "meta", "body", "encrypt", "as63949 linode", "as41357", "united kingdom", "scan endpoints", "all octoseek", "domain", "pulse submit", "url analysis", "server", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "email", "registry domain", "win32 exe", "javascript", "eqsray", "zip blaze", "ms excel", "detections type", "name", "text", "csv order", "files", "microsoft", "dns replication", "bt6lcuigydc9yc", "jxaavf4jnzza0", "submission", "community score", "no security", "graph api", "status", "content type", "xcitium verdict", "cloud marketing", "history first", "thebrotherssabey", "passive dns", "gmt content", "plesklin", "ipv4", "pulse pulses", "urls", "vbs", "data center", "reverse dns", "first", "utc submissions", "submitters", "bbonline uk", "namecheap inc", "summary iocs", "graph community", "ionos se", "keysystems gmbh", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "sabey", "all search", "otx octoseek", "url http", "http", "hostname", "files domain", "msie", "chrome", "expiration date", "next", "whois lookup", "dnssec", "domain name", "abuse contact", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "cname", "as44273 host", "ip address" ], "references": [ "appleremote.net", "CnC 103.224.182.241 | 188.240.191.162 | 207.148.248.143 | 70.32.23.111", "FormBook", "FileHash-SHA256 3072c32dcb5754e08282a8ce2c7c60d93a5ad2ee3ae216d23c94b1f536471acc", "http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "http://t.go.leadthrottle.com/ls/click?upn=QhIPT8KEOABIXMIAxwxPqJ280BBgOcomwXzYntjGICKScv8M4tWQQv4cQuNEja5M44qD_uKOrj1xe-2BYklVyDerLi-2F8mevEGdJeLwCcy3wsiM69F4EC3HAQoZ582VU8uxrVcciNra6YszFQV9gxv53c9iiXOjTuuW-2Fx2QeRPLTofIbYdsrV0aHfkFFhlixBU98mWJE7J0sEjKal1RV6nobxwnEeiVnye8NmQRJx-2FU9UfSEgWQJkTRSj9fP71LBPXBfsc8hOmZFtxOK0v3NQPflOZaAcy5iWdp2hFJGs4seKW1H2KrW5ufvec0BQBd1-2BT0vkNMAbCRhYmaLIAIyjw8lLFewDKeh7z1Ab1irO0L76m8UtAPp2ggxJTpeu-2BTpA0DNS2YtJw0V8Ucha5zN7OgSKumBbxxQEaK8UUm3ZjUVbsX-2Fyv-2B-2BteXtCeZE-2FzL3wmcIL" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1708, "hostname": 1920, "domain": 2221, "URL": 4822, "FileHash-MD5": 100, "FileHash-SHA1": 119, "email": 2, "CIDR": 1 }, "indicator_count": 10893, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "801 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a4880cf26f0feaf9a75648", "name": "Formbook", "description": "", "modified": "2024-02-13T08:03:20.064000", "created": "2024-01-15T01:19:08.041000", "tags": [ "ssl certificate", "contacted", "execution", "ah6itbtgl", "whois record", "historical ssl", "referrer", "subdomains", "resolutions", "formbook", "threat roundup", "malware", "metro", "social engineering", "jansky", "script urls", "a domains", "united", "search", "date", "script domains", "creation date", "record value", "showing", "unknown", "meta", "body", "encrypt", "as63949 linode", "as41357", "united kingdom", "scan endpoints", "all octoseek", "domain", "pulse submit", "url analysis", "server", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "email", "registry domain", "win32 exe", "javascript", "eqsray", "zip blaze", "ms excel", "detections type", "name", "text", "csv order", "files", "microsoft", "dns replication", "bt6lcuigydc9yc", "jxaavf4jnzza0", "submission", "community score", "no security", "graph api", "status", "content type", "xcitium verdict", "cloud marketing", "history first", "thebrotherssabey", "passive dns", "gmt content", "plesklin", "ipv4", "pulse pulses", "urls", "vbs", "data center", "reverse dns", "first", "utc submissions", "submitters", "bbonline uk", "namecheap inc", "summary iocs", "graph community", "ionos se", "keysystems gmbh", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "sabey", "all search", "otx octoseek", "url http", "http", "hostname", "files domain", "msie", "chrome", "expiration date", "next", "whois lookup", "dnssec", "domain name", "abuse contact", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "cname", "as44273 host", "ip address" ], "references": [ "appleremote.net", "CnC 103.224.182.241 | 188.240.191.162 | 207.148.248.143 | 70.32.23.111", "FormBook", "FileHash-SHA256 3072c32dcb5754e08282a8ce2c7c60d93a5ad2ee3ae216d23c94b1f536471acc", "http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "http://t.go.leadthrottle.com/ls/click?upn=QhIPT8KEOABIXMIAxwxPqJ280BBgOcomwXzYntjGICKScv8M4tWQQv4cQuNEja5M44qD_uKOrj1xe-2BYklVyDerLi-2F8mevEGdJeLwCcy3wsiM69F4EC3HAQoZ582VU8uxrVcciNra6YszFQV9gxv53c9iiXOjTuuW-2Fx2QeRPLTofIbYdsrV0aHfkFFhlixBU98mWJE7J0sEjKal1RV6nobxwnEeiVnye8NmQRJx-2FU9UfSEgWQJkTRSj9fP71LBPXBfsc8hOmZFtxOK0v3NQPflOZaAcy5iWdp2hFJGs4seKW1H2KrW5ufvec0BQBd1-2BT0vkNMAbCRhYmaLIAIyjw8lLFewDKeh7z1Ab1irO0L76m8UtAPp2ggxJTpeu-2BTpA0DNS2YtJw0V8Ucha5zN7OgSKumBbxxQEaK8UUm3ZjUVbsX-2Fyv-2B-2BteXtCeZE-2FzL3wmcIL" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65a39f005c7f0a1c1eb33125", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1650, "hostname": 1778, "domain": 2102, "URL": 4435, "FileHash-MD5": 100, "FileHash-SHA1": 119, "email": 2, "CIDR": 1 }, "indicator_count": 10187, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "838 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Worked at some studios attacked by Lazarus Group who allegedly attacked Sony Music", "analytics.x.com", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ", "http://t.go.leadthrottle.com/ls/click?upn=QhIPT8KEOABIXMIAxwxPqJ280BBgOcomwXzYntjGICKScv8M4tWQQv4cQuNEja5M44qD_uKOrj1xe-2BYklVyDerLi-2F8mevEGdJeLwCcy3wsiM69F4EC3HAQoZ582VU8uxrVcciNra6YszFQV9gxv53c9iiXOjTuuW-2Fx2QeRPLTofIbYdsrV0aHfkFFhlixBU98mWJE7J0sEjKal1RV6nobxwnEeiVnye8NmQRJx-2FU9UfSEgWQJkTRSj9fP71LBPXBfsc8hOmZFtxOK0v3NQPflOZaAcy5iWdp2hFJGs4seKW1H2KrW5ufvec0BQBd1-2BT0vkNMAbCRhYmaLIAIyjw8lLFewDKeh7z1Ab1irO0L76m8UtAPp2ggxJTpeu-2BTpA0DNS2YtJw0V8Ucha5zN7OgSKumBbxxQEaK8UUm3ZjUVbsX-2Fyv-2B-2BteXtCeZE-2FzL3wmcIL", "Antivirus Detections: Win.Packer.pkr_ce1a-9980177-0", "CnC 103.224.182.241 | 188.240.191.162 | 207.148.248.143 | 70.32.23.111", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "IDS Detections: Win32/Tofsee.AX google.com connectivity check HTTP Request with Lowercase host Header Observed External IP Lookup ip-api.com", "https://songculture.com/tsara-brashears-music | Cloudfront below was attached to body of work", "Crypt: FileHash-MD5 5dd89c5f70c95bae85d864c7baf27b20", "Yara Detections: ryuk_1007_fx2_12_multi_for_crypt_x86 , dbgdetect_files", "IDS Detections: Observed External IP Lookup ip-api.com", "There is money in the industry for well established , \u2018souled\u2019 out artists. It\u2019s a racket! T signed & exited early", "https://www.youtube.com/watch?v=bJWJbOqg9cM - Falsely flagged to demonetize and not rank", "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "I apologize if you don\u2019t like my background stories", "https://d3jjg4nf4bbybe.cloudfront.net/u/210425/397f80d871fe6dla1704cela4b712e387ed8a48a/large/kedence-out-of-my-sight", "\"Nobody Love\" Tori Kelley \"'m the One\" DJ Khaled ft Justin Bieber (Pirated Hook)", "http://117-114-251-162-static.reverse.queryfoundry.net/ - queryfoundry.net", "8-25-220-162-static.reverse.queryfoundry.net", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "Crypt: FileHash-SHA256 71f1f6c91dbe8050e7c5d54f294f5eabec02dccbe97fb0100e7ebf8f35b0d062", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Anti , dbgdetect_procs", "Dr.Web violence/adult content (False) ThreatSeeker social web - youtube", "appleremote.net", "FileHash-SHA256 3072c32dcb5754e08282a8ce2c7c60d93a5ad2ee3ae216d23c94b1f536471acc", "http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "Crypt: 1.3.6.1", "FormBook", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "music.apple.com \u2022 linktr.ee \u2022 sentient.industries? samsara has been showing up often.", "Crypt: FileHash-SHA1 d8b665ef01e3f9feaa746833cddadf3bf29f72d1", "\u2018Passin\u2019 I deleted the pulses you asked me to. Your links were malicious. I haven\u2019t weaponize anything I\u2019ve learned... yet" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Virtool", "Trojanspy", "Trojanspy:win32/nivdort", "Ransom", "Win.packer.pkr_ce1a-9980177-0", "Malware", "Evo", "Nivdort", "Formbook", "Malware gen", "Crypt", "Emotet" ], "industries": [ "Media", "Telecommunications", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "6a0e70462533707c15e72292", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T03:36:39.925000", "created": "2026-05-21T02:39:02.897000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 212, "FileHash-SHA1": 226, "FileHash-SHA256": 1512, "IPv4": 409, "URL": 880, "hostname": 1350, "domain": 378, "CIDR": 1, "email": 3, "Mutex": 3 }, "indicator_count": 4974, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e703e7c0457682c548691", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T02:38:54.394000", "created": "2026-05-21T02:38:54.394000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 163, "FileHash-SHA1": 98, "FileHash-SHA256": 884, "IPv4": 48, "URL": 150, "hostname": 170, "domain": 96, "CIDR": 1, "email": 3 }, "indicator_count": 1613, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e703e6a884aeed75d9180", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T02:38:54.205000", "created": "2026-05-21T02:38:54.205000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 163, "FileHash-SHA1": 98, "FileHash-SHA256": 884, "IPv4": 48, "URL": 150, "hostname": 170, "domain": 96, "CIDR": 1, "email": 3 }, "indicator_count": 1613, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e7033ee9e679939ba3294", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T02:38:43.726000", "created": "2026-05-21T02:38:43.726000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 163, "FileHash-SHA1": 98, "FileHash-SHA256": 884, "IPv4": 48, "URL": 150, "hostname": 170, "domain": 96, "CIDR": 1, "email": 3 }, "indicator_count": 1613, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e702f7b1b513a66e1789e", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T02:38:39.508000", "created": "2026-05-21T02:38:39.508000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 163, "FileHash-SHA1": 98, "FileHash-SHA256": 884, "IPv4": 48, "URL": 150, "hostname": 170, "domain": 96, "CIDR": 1, "email": 3 }, "indicator_count": 1613, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "11 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68a956460f257cf96c454071", "name": "Piracy \u2022 Cloudfront \u2022 Ransom \u2022 Code Overlaps \u2022 Unrelenting attacks.", "description": "Indie songwriter , publisher, promoter, producer & her artists affected by years long copyright infringement , hacking & reputation damage. Website now downed.\n\nBrashears had been involved in music under pseudonyms for decades as a was songwriter , ghostwriter, sold catalogs , charting singles, chops was sponsored. In this instance music was grossly pirated. Initially asked for hook rights then told hook would be used without her permission. Believed dispute resolved verbally + copyright.\n\nTsara learned from an insider/s her hook was pirated & used by artists listed. Modifications make songs pirated samples.\nBrashears song written in 2010 later vaulted in a private catalog later released by her artist. YouTube audio quality tampering on pirated song. \n\nBrashears loved music, not the industry as an artist; preferring business. Always held her privacy to remain unknown. Tsara lived 10 lives at once.\n\nLikely involves male who contacted her @ by email as mentioned in earlier pulse.\n#trulymissed", "modified": "2025-09-21T21:03:28.771000", "created": "2025-08-23T05:48:54.534000", "tags": [ "domains", "hashes", "passive dns", "urls", "url add", "http", "hostname", "files domain", "files related", "related tags", "a domains", "entries", "next associated", "files show", "date hash", "avast avg", "trojanspy", "entries http", "scans show", "search", "body", "body doctype", "dynamicloader", "medium", "reg add", "regsz d", "high", "windows", "audio drivers", "write c", "virtool", "copy", "write", "june", "united", "unknown ns", "samsara", "new york", "city ny", "ip address", "record value", "meta", "date", "music", "encrypt", "win32", "dangeroussig", "lowfi", "msie", "chrome", "precondition", "trojan", "title", "canada unknown", "unknown cname", "domain add", "files", "location united", "hostname add", "verdict", "domain", "files ip", "address", "asn as13335", "hash avast", "avg clamav", "msdefender feb", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "file", "size", "ascii text", "pattern match", "august", "hybrid", "general", "path", "click", "strings", "roboto", "mozilla", "contact", "t1179 hooking", "installs", "t1035 service", "crlf line", "runtime process", "malicious", "unknown", "ssl certificate", "defense evasion", "amazon02", "americachicago", "windows nt", "win64", "khtml", "gecko", "veryhigh", "found", "geo menifee", "california", "as30148", "us note", "route", "ptr record", "information", "t1053", "taskjob", "t1055", "injection", "t1082", "t1112", "modify registry", "t1119", "t1129", "service", "capture", "url http", "url https", "type indicator", "role title", "added active", "related pulses", "showing", "ipv6", "ipv4", "dicator role", "title added", "active related", "sweden", "netherlands", "scan", "iocs", "learn more", "types of", "kingdom", "united kingdom", "denmark", "icator role", "malware attacks", "find encrypted", "t1021", "remote", "t1068", "ta0043", "t1016", "discovery", "t1221", "nobody love", "tori", "kelley", "dj khaled", "justin bieber", "sophos video", "x rack", "x frame", "october", "songculture", "song culture", "tsara brashears", "jess 4", "queryfoundry", "beyond sampling", "pirated", "youtube", "spotify", "twitter", "spy", "tracking" ], "references": [ "https://songculture.com/tsara-brashears-music | Cloudfront below was attached to body of work", "https://d3jjg4nf4bbybe.cloudfront.net/u/210425/397f80d871fe6dla1704cela4b712e387ed8a48a/large/kedence-out-of-my-sight", "\"Nobody Love\" Tori Kelley \"'m the One\" DJ Khaled ft Justin Bieber (Pirated Hook)", "8-25-220-162-static.reverse.queryfoundry.net", "http://117-114-251-162-static.reverse.queryfoundry.net/ - queryfoundry.net", "https://www.youtube.com/watch?v=bJWJbOqg9cM - Falsely flagged to demonetize and not rank", "Dr.Web violence/adult content (False) ThreatSeeker social web - youtube", "music.apple.com \u2022 linktr.ee \u2022 sentient.industries? samsara has been showing up often.", "There is money in the industry for well established , \u2018souled\u2019 out artists. It\u2019s a racket! T signed & exited early", "Worked at some studios attacked by Lazarus Group who allegedly attacked Sony Music", "I apologize if you don\u2019t like my background stories", "\u2018Passin\u2019 I deleted the pulses you asked me to. Your links were malicious. I haven\u2019t weaponize anything I\u2019ve learned... yet" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nivdort", "display_name": "Nivdort", "target": null }, { "id": "Virtool", "display_name": "Virtool", "target": null }, { "id": "Evo", "display_name": "Evo", "target": null }, { "id": "Trojanspy", "display_name": "Trojanspy", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "Malware Gen", "display_name": "Malware Gen", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1022", "name": "Data Encrypted", "display_name": "T1022 - Data Encrypted" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1593.001", "name": "Social Media", "display_name": "T1593.001 - Social Media" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" } ], "industries": [ "Media", "Technology", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1833, "hostname": 902, "domain": 386, "FileHash-MD5": 406, "FileHash-SHA1": 402, "FileHash-SHA256": 1437, "email": 2, "SSLCertFingerprint": 5, "CIDR": 2 }, "indicator_count": 5375, "is_author": false, "is_subscribing": null, "subscriber_count": 148, "modified_text": "252 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b7a0a606360e458f77aad9", "name": "Exploit Enterprise Resources-Steam Powered | x.com | Hunt | Crypt", "description": "Remotely attacks social media , game services, hunting for IP addresses, and all personal locations of targets. Service modifier, registry modifier.", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-10T17:17:26.271000", "tags": [ "as46606", "united", "unknown", "passive dns", "all scoreblue", "ipv4", "url analysis", "search", "a nxdomain", "whitelisted", "accept", "ns nxdomain", "soa nxdomain", "aaaa nxdomain", "reverse dns", "as29873", "trojan", "hacktool", "hosting", "ttl value", "algorithm", "full name", "data", "v3 serial", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "server", "registrar abuse", "dns replication", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "first", "android", "united states", "status", "hostname", "as13414 twitter", "aaaa", "nxdomain", "date", "as44273 host", "scan endpoints", "systemroot", "ogoogle trust", "cngts ca", "delete c", "tofsee", "stcalifornia", "lsan francisco", "win64", "grum", "copy", "write", "malware", "encrypt", "memcommit", "read c", "yara detections", "medium", "memreserve", "command line", "get ip address", "steam", "api get ip", "steam get ip", "entries", "show", "windows nt", "khtml", "gecko", "next", "showing", "ip address", "writeconsolea", "february", "write c", "regsetvalueexa", "regdword", "delete", "napolar", "persistence", "execution", "network service", "location hunting", "ip hunting" ], "references": [ "analytics.x.com", "Yara Detections: ConventionEngine_Term_Users , ConventionEngine_Keyword_Anti , dbgdetect_procs", "Crypt: 1.3.6.1", "Crypt: FileHash-SHA256 71f1f6c91dbe8050e7c5d54f294f5eabec02dccbe97fb0100e7ebf8f35b0d062", "Crypt: FileHash-SHA1 d8b665ef01e3f9feaa746833cddadf3bf29f72d1", "Crypt: FileHash-MD5 5dd89c5f70c95bae85d864c7baf27b20", "Yara Detections: ryuk_1007_fx2_12_multi_for_crypt_x86 , dbgdetect_files", "IDS Detections: Win32/Tofsee.AX google.com connectivity check HTTP Request with Lowercase host Header Observed External IP Lookup ip-api.com", "Antivirus Detections: Win.Packer.pkr_ce1a-9980177-0", "IDS Detections: Observed External IP Lookup ip-api.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Crypt", "display_name": "Crypt", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null } ], "attack_ids": [ { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" }, { "id": "T1585.001", "name": "Social Media Accounts", "display_name": "T1585.001 - Social Media Accounts" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 570, "domain": 563, "hostname": 1131, "FileHash-SHA1": 498, "FileHash-SHA256": 2070, "URL": 83, "email": 7, "SSLCertFingerprint": 10 }, "indicator_count": 4932, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "598 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a39f005c7f0a1c1eb33125", "name": "Formbook", "description": "FormBook is a data stealer that is being distributed as a MaaS. FormBook is available in the dark web market as a Malware-as-Service.\n I n known situations targets were contacted by bad actors via social media accounts Twitter & Facebook.", "modified": "2024-03-21T10:00:24.070000", "created": "2024-01-14T08:44:48.297000", "tags": [ "ssl certificate", "contacted", "execution", "ah6itbtgl", "whois record", "historical ssl", "referrer", "subdomains", "resolutions", "formbook", "threat roundup", "malware", "metro", "social engineering", "jansky", "script urls", "a domains", "united", "search", "date", "script domains", "creation date", "record value", "showing", "unknown", "meta", "body", "encrypt", "as63949 linode", "as41357", "united kingdom", "scan endpoints", "all octoseek", "domain", "pulse submit", "url analysis", "server", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "email", "registry domain", "win32 exe", "javascript", "eqsray", "zip blaze", "ms excel", "detections type", "name", "text", "csv order", "files", "microsoft", "dns replication", "bt6lcuigydc9yc", "jxaavf4jnzza0", "submission", "community score", "no security", "graph api", "status", "content type", "xcitium verdict", "cloud marketing", "history first", "thebrotherssabey", "passive dns", "gmt content", "plesklin", "ipv4", "pulse pulses", "urls", "vbs", "data center", "reverse dns", "first", "utc submissions", "submitters", "bbonline uk", "namecheap inc", "summary iocs", "graph community", "ionos se", "keysystems gmbh", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "sabey", "all search", "otx octoseek", "url http", "http", "hostname", "files domain", "msie", "chrome", "expiration date", "next", "whois lookup", "dnssec", "domain name", "abuse contact", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "cname", "as44273 host", "ip address" ], "references": [ "appleremote.net", "CnC 103.224.182.241 | 188.240.191.162 | 207.148.248.143 | 70.32.23.111", "FormBook", "FileHash-SHA256 3072c32dcb5754e08282a8ce2c7c60d93a5ad2ee3ae216d23c94b1f536471acc", "http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "http://t.go.leadthrottle.com/ls/click?upn=QhIPT8KEOABIXMIAxwxPqJ280BBgOcomwXzYntjGICKScv8M4tWQQv4cQuNEja5M44qD_uKOrj1xe-2BYklVyDerLi-2F8mevEGdJeLwCcy3wsiM69F4EC3HAQoZ582VU8uxrVcciNra6YszFQV9gxv53c9iiXOjTuuW-2Fx2QeRPLTofIbYdsrV0aHfkFFhlixBU98mWJE7J0sEjKal1RV6nobxwnEeiVnye8NmQRJx-2FU9UfSEgWQJkTRSj9fP71LBPXBfsc8hOmZFtxOK0v3NQPflOZaAcy5iWdp2hFJGs4seKW1H2KrW5ufvec0BQBd1-2BT0vkNMAbCRhYmaLIAIyjw8lLFewDKeh7z1Ab1irO0L76m8UtAPp2ggxJTpeu-2BTpA0DNS2YtJw0V8Ucha5zN7OgSKumBbxxQEaK8UUm3ZjUVbsX-2Fyv-2B-2BteXtCeZE-2FzL3wmcIL" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1708, "hostname": 1920, "domain": 2221, "URL": 4822, "FileHash-MD5": 100, "FileHash-SHA1": 119, "email": 2, "CIDR": 1 }, "indicator_count": 10893, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "801 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a4880cf26f0feaf9a75648", "name": "Formbook", "description": "", "modified": "2024-02-13T08:03:20.064000", "created": "2024-01-15T01:19:08.041000", "tags": [ "ssl certificate", "contacted", "execution", "ah6itbtgl", "whois record", "historical ssl", "referrer", "subdomains", "resolutions", "formbook", "threat roundup", "malware", "metro", "social engineering", "jansky", "script urls", "a domains", "united", "search", "date", "script domains", "creation date", "record value", "showing", "unknown", "meta", "body", "encrypt", "as63949 linode", "as41357", "united kingdom", "scan endpoints", "all octoseek", "domain", "pulse submit", "url analysis", "server", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "email", "registry domain", "win32 exe", "javascript", "eqsray", "zip blaze", "ms excel", "detections type", "name", "text", "csv order", "files", "microsoft", "dns replication", "bt6lcuigydc9yc", "jxaavf4jnzza0", "submission", "community score", "no security", "graph api", "status", "content type", "xcitium verdict", "cloud marketing", "history first", "thebrotherssabey", "passive dns", "gmt content", "plesklin", "ipv4", "pulse pulses", "urls", "vbs", "data center", "reverse dns", "first", "utc submissions", "submitters", "bbonline uk", "namecheap inc", "summary iocs", "graph community", "ionos se", "keysystems gmbh", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "ec oid", "sabey", "all search", "otx octoseek", "url http", "http", "hostname", "files domain", "msie", "chrome", "expiration date", "next", "whois lookup", "dnssec", "domain name", "abuse contact", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "x509v3 extended", "info", "cname", "as44273 host", "ip address" ], "references": [ "appleremote.net", "CnC 103.224.182.241 | 188.240.191.162 | 207.148.248.143 | 70.32.23.111", "FormBook", "FileHash-SHA256 3072c32dcb5754e08282a8ce2c7c60d93a5ad2ee3ae216d23c94b1f536471acc", "http://www.nimtax.com/k9/,Formbook,Medium,9/9/2019,1/7/2020", "http://t.go.leadthrottle.com/ls/click?upn=QhIPT8KEOABIXMIAxwxPqJ280BBgOcomwXzYntjGICKScv8M4tWQQv4cQuNEja5M44qD_uKOrj1xe-2BYklVyDerLi-2F8mevEGdJeLwCcy3wsiM69F4EC3HAQoZ582VU8uxrVcciNra6YszFQV9gxv53c9iiXOjTuuW-2Fx2QeRPLTofIbYdsrV0aHfkFFhlixBU98mWJE7J0sEjKal1RV6nobxwnEeiVnye8NmQRJx-2FU9UfSEgWQJkTRSj9fP71LBPXBfsc8hOmZFtxOK0v3NQPflOZaAcy5iWdp2hFJGs4seKW1H2KrW5ufvec0BQBd1-2BT0vkNMAbCRhYmaLIAIyjw8lLFewDKeh7z1Ab1irO0L76m8UtAPp2ggxJTpeu-2BTpA0DNS2YtJw0V8Ucha5zN7OgSKumBbxxQEaK8UUm3ZjUVbsX-2Fyv-2B-2BteXtCeZE-2FzL3wmcIL" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "FormBook", "display_name": "FormBook", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65a39f005c7f0a1c1eb33125", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1650, "hostname": 1778, "domain": 2102, "URL": 4435, "FileHash-MD5": 100, "FileHash-SHA1": 119, "email": 2, "CIDR": 1 }, "indicator_count": 10187, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "838 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "dotster.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "dotster.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780292108.8045874 }