{ "type": "Domain", "indicator": "exploit.py", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/exploit.py", "alexa": "http://www.alexa.com/siteinfo/exploit.py", "indicator": "exploit.py", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3570745417, "indicator": "exploit.py", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "67c6bb5aa601e91b1314ff44", "name": "SCANID: S-KhOoOrXsco8: Thor Lite Linux 64 - Sample Lab Device 2 - incomplete (not enriched)", "description": "Thor Lite Linux 64 - Sample Lab Device 2 - incomplete\nhttps://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d\nSCANID: S-KhOoOrXsco8", "modified": "2025-04-22T06:02:28.535000", "created": "2025-03-04T08:35:38.390000", "tags": [ "misc", "filename ioc", "scanid", "sigtype1", "reasonscount", "sg2backup drive", "thu feb", "log entry", "exists1", "matched1", "warp", "trash", "rooter", "service", "puppet", "apache", "ruby", "execution", "android", "glasses", "agent", "hermes", "atlas", "score", "open", "orion", "entity", "download", "enterprise", "nexus", "beyond", "patch", "rest", "bsod", "bind", "june", "upgrade", "project", "surtr", "path", "mandrake", "accept", "openssl", "null", "responder", "shell", "servu", "cargo", "bypass", "green", "python", "iframe", "webex", "blink", "code", "netty", "fall", "grab", "metasploit", "webdav", "postscript", "middle", "assistant", "energy", "august", "diego", "february", "hold", "write", "extras", "fusion", "trace", "click", "rust", "anna", "virustotal", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "obfus", "probe", "win32", "snoopy", "vuln", "april", "format", "flash", "domino", "calendar", "cryptocat", "orca", "hello", "stream", "confi", "sharepoint", "launcher", "hypervisor", "malicious", "lame", "attack", "prior", "simple", "hpack", "homepage", "easy", "live", "cookie", "explorer", "config", "rush", "spark", "chat", "media", "webview", "trigger", "northstar", "monitoring", "false", "impact", "dino", "example", "splash", "macos", "notifier", "error", "spring", "this", "neutrino", "tools", "template", "crow", "magento", "zimbra", "drop", "stack", "linear", "blocker", "deleter", "main", "face", "arch", "hosts", "bifrost", "recursive", "cobaltstrike", "luckycat", "brain", "apt", "php", "rat", "hacktool", "worm", "meterpreter", "obfuscated", "evasive", "exaramel", "anti-vm" ], "references": [ "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/iocs", "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/summary", "https://www.virustotal.com/graph/embed/ga8f86f452d6d4819b2dedf4c1981843304472a457d9b4b339f35679f4693ce9c?theme=dark", "https://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d", "https://cyber-fortress.com/docs/result/index.php?id=67c6bb9cc8d04e92a4bed8fc", "https://www.filescan.io/uploads/67c6bd19e95d0f9029e3804f/reports/834b740f-9bcb-42d9-b6a1-a0a8dbd07b07/overview", "https://www.filescan.io/uploads/67df8585fae452b82c2115b7/reports/65f03ad1-b5bc-41a8-ae82-21970a18efcb/ioc", "https://hybrid-analysis.com/sample/a6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45/67df874be4fc8d105e0230d1" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [ "Education", "Healthcare", "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 14071, "FileHash-MD5": 979, "FileHash-SHA1": 2568, "FileHash-SHA256": 636, "URL": 43905, "domain": 2031, "email": 31, "hostname": 3621 }, "indicator_count": 67842, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "362 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67a219f7c06d372f86335d64", "name": "Thor Linux Lite Scan - Sample Device & SG2 - 02.07.25 - Unenriched", "description": "Took a few tries but here is the complete thor Linux 64 Lite Scan on: Sample Device & a single drive (one of many) of the 77 TB of: things I have but don't know what to do with\n---\nOld Notes on previous scan attempts for this sample.\nSee Comments on VT\nMD5\nde880994c51d4055c960e2d32db89774\n \nSHA-1\n539e7c2eefd7a6aa17db436d83738c117f26798c\n \nSHA-256\na6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45\n \nSSDEEP\n98304:hpUsCWtdIdOKfb44V0ipGuEwWPKhmMWMCURFfxzRq6R5qJJfrPOOD86U6BDfIokW:BKftFfuDfqAfPPfa4f3\n \nTLSH\nT10D571AC3C70811188D2373EBE1B4BA59BD06381EDECA9D59F08D642C97946467A2EDCF", "modified": "2025-03-09T16:04:43.604000", "created": "2025-02-04T13:45:27.169000", "tags": [ "stuff", "data", "no problems", "upload", "problems1", "progressb", "progressi", "onedrive", "files", "bitdefender", "scanid", "lite version", "ioc jan", "thor lite", "ip address", "writing", "cron", "envcheck", "filescan", "firewall", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "virustotal", "arch", "hosts" ], "references": [ "pop-os_files_md5s.csv", "https://www.virustotal.com/graph/embed/g532ea94109c54d96ba1bde62201fb4439ef00ab8d0af4a2f99ee42846ad158df?theme=dark", "SCANID: S-yIBIO4Ib0l4", "SCANID: S-9uT7vEdHwHk", "SCANID: S-4FSYbAVw6TA", "SCANID: S-4jjwyMrjTU0", "SCANID: S-jZUP9vdJp8E", "https://www.virustotal.com/gui/collection/d8bbd97abe2ea808a02db46380171df0803a43a379ed3795a316cb1f947939de/iocs", "SCANID: S-CadvV0Kd35c", "SCANID: S-0LxiGnOve0Q", "SCANID: S-YV38dG9guZE", "https://www.virustotal.com/gui/collection/f890b10e639770c7e6ef3eeb804ee9e7391360557aedca7b1daaee02da0f7682/iocs", "https://www.virustotal.com/gui/collection/f890b10e639770c7e6ef3eeb804ee9e7391360557aedca7b1daaee02da0f7682/summary" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Education", "Healthcare", "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 701, "FileHash-SHA1": 871, "FileHash-SHA256": 897, "URL": 2920, "domain": 388, "email": 17, "CVE": 830, "hostname": 295 }, "indicator_count": 6919, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "405 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "666ac558d08da6cfb3ba135b", "name": "Thor Lite Scanner - Cigabuntu (Parrot Version) vs. The Book of Shadows", "description": "A little unclear on 'just exactly what all of this is' - Other than Huntress Catching things and Thor & Bitdefender Gravutyzone ****ing the bed\n\nScan ID: S-6vsmMgE47Gk\nScan Id: S-H9GdDtmU2vU\n\n06.13.24: https://www.virustotal.com/graph/embed/g14ccc2b5794648cc838da283a8fbfcda4d95dde6ddc44798be19c2832778787f?theme=dark", "modified": "2024-07-13T09:05:44.647000", "created": "2024-06-13T10:09:28.617000", "tags": [ "entity", "please", "javascript", "valhalla", "php", "filename ioc", "mon jun", "module", "sigtype1", "reasonscount", "tue jun", "exploit code", "file names", "matched1", "score", "shellcode", "form", "mimikatz", "powershell", "cobaltstrike", "null", "trace", "shell", "import", "empire", "hermanos", "cobalt strike", "void", "body", "exploit", "webshell", "antak", "anomaly", "error", "generic", "target", "obfus", "skeletonkey", "virustotal", "dllimport", "false", "flash", "info", "click", "macos", "test", "powersploit", "powercat", "tools", "metasploit", "twitter", "open", "path", "xploit" ], "references": [ "https://www.virustotal.com/graph/embed/g14ccc2b5794648cc838da283a8fbfcda4d95dde6ddc44798be19c2832778787f?theme=dark", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/summary", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/iocs", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/graph" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VALHALLA", "display_name": "VALHALLA", "target": null }, { "id": "PHP", "display_name": "PHP", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 74, "CVE": 156, "FileHash-MD5": 828, "FileHash-SHA1": 1126, "FileHash-SHA256": 746, "domain": 130, "email": 4, "hostname": 21 }, "indicator_count": 3085, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "645 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6668b85065eec626e4766a38", "name": "Thor-Lite Linux 64 (06.11.24) - enriched a bit more but not 'pruned'", "description": "Please note: This sample is a tad 'outdated' as I ran both scans kind of by accident lol (i.e. did not update w. the utils utility). I was a bit tired so a happy accident of more data? - but gives a general 'picture' or 'painting' anyways on a rather small set of data.\n\nHave some more data to put up (picked up by Huntress Labs) - just have to get that back online.\n\nWould love to accommodate for some confounding variables - e.g. filter for false positives, windows logs, networking capabilities (better than what I have now) to better inform the team taking care of me (us). \n\nNote: Given it was using some outdated thor modules (lite-version), it was 'good enough' to provide some data worth looking into that 'falls in line' w. what I've come across. \n\nJust a combined sample (2 in 1) of a thor-lite scan of a linux instance (06.11.24)\n\nI've just listed a few places I have some direct ties to in one way or another (not including the other UAlberta students affected that have been in contact with me or reached out).", "modified": "2024-07-11T21:08:15.880000", "created": "2024-06-11T20:49:20.318000", "tags": [ "mon jun", "filename ioc", "scanid", "sigtype1", "group", "reason1", "matched1", "reasonscount", "dangerous file", "exploit code", "trace", "anomaly", "project", "import", "mimikatz", "form", "powershell", "shellcode", "cobaltstrike", "hermanos", "cobalt strike", "inject", "body", "null", "confuserex", "virustotal", "generic", "comspec", "injectdll", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "obfus", "webshell", "phpshell", "error", "exploit", "dllimport", "info", "kill", "path", "arch", "hosts", "bifrost", "thor", "false", "tools", "flash", "cve201711882", "macos", "bypass", "green", "team", "target", "cred", "powersploit", "recursive", "term", "download", "zero", "antak", "install", "metasploit", "local", "meterpreter", "shell", "please", "javascript", "entity" ], "references": [ "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/iocs", "https://www.virustotal.com/graph/embed/gfdb1aa99d73447818bfcd10130b237a4e92dbf316d5f4f028ad64f71f882bccc?theme=dark", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/graph", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/summary", "https://urlscan.io/search/#user:me%20OR%20team:me", "https://viz.greynoise.io/analysis/eaa63cd1-14fd-4d03-9e83-29bd58eab538" ], "public": 1, "adversary": "Unknown", "targeted_countries": [ "United States of America", "Canada", "Netherlands", "Anguilla", "Panama", "Trinidad and Tobago", "Saint Martin (French part)", "Saint Vincent and the Grenadines", "Sint Maarten (Dutch part)", "Mexico", "Philippines", "Japan", "Aruba", "Costa Rica", "Guatemala", "China", "Barbados", "Saint Kitts and Nevis", "Cayman Islands", "Cura\u00e7ao", "Virgin Islands, U.S." ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" } ], "industries": [ "Education", "Technology", "Government", "Healthcare", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 247, "FileHash-MD5": 1183, "FileHash-SHA1": 1553, "FileHash-SHA256": 1240, "URL": 486, "domain": 294, "email": 8, "hostname": 138 }, "indicator_count": 5149, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "646 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6588588d4b9eb5c3530caabf", "name": "Ghost RAT | Apple Domain Robot | Cherry Creek, Colorado Retail", "description": "", "modified": "2024-01-23T17:03:33.038000", "created": "2023-12-24T16:13:01.574000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d1e650a97b0611cf796551", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28182, "FileHash-MD5": 4761, "FileHash-SHA1": 3109, "FileHash-SHA256": 10324, "domain": 3628, "hostname": 9624, "email": 90, "CIDR": 8, "CVE": 42 }, "indicator_count": 59768, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "816 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "634854b6498d7bc8f671d247", "name": "A new Chinese malware attack targets Windows, macOS, and Linux systems", "description": "", "modified": "2022-11-12T18:03:17.931000", "created": "2022-10-13T18:11:02.171000", "tags": [], "references": [ "October 13, 2022 - CryptoGen Cyber Threat Intelligence - A new Chinese malware attack targets Windows, macOS, and Linux systems .pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3, "FileHash-MD5": 13, "FileHash-SHA1": 13, "FileHash-SHA256": 23 }, "indicator_count": 52, "is_author": false, "is_subscribing": null, "subscriber_count": 486, "modified_text": "1253 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d", "https://www.filescan.io/uploads/67c6bd19e95d0f9029e3804f/reports/834b740f-9bcb-42d9-b6a1-a0a8dbd07b07/overview", "SCANID: S-CadvV0Kd35c", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/summary", "https://hybrid-analysis.com/sample/a6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45/67df874be4fc8d105e0230d1", "https://www.virustotal.com/gui/collection/d8bbd97abe2ea808a02db46380171df0803a43a379ed3795a316cb1f947939de/iocs", "https://www.virustotal.com/graph/embed/g14ccc2b5794648cc838da283a8fbfcda4d95dde6ddc44798be19c2832778787f?theme=dark", "https://viz.greynoise.io/analysis/eaa63cd1-14fd-4d03-9e83-29bd58eab538", "SCANID: S-0LxiGnOve0Q", "SCANID: S-9uT7vEdHwHk", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/iocs", "https://www.virustotal.com/gui/collection/f890b10e639770c7e6ef3eeb804ee9e7391360557aedca7b1daaee02da0f7682/iocs", "SCANID: S-yIBIO4Ib0l4", "https://www.virustotal.com/graph/embed/gfdb1aa99d73447818bfcd10130b237a4e92dbf316d5f4f028ad64f71f882bccc?theme=dark", "SCANID: S-jZUP9vdJp8E", "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/iocs", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/iocs", "https://www.virustotal.com/graph/embed/ga8f86f452d6d4819b2dedf4c1981843304472a457d9b4b339f35679f4693ce9c?theme=dark", "https://cyber-fortress.com/docs/result/index.php?id=67c6bb9cc8d04e92a4bed8fc", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/summary", "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/summary", "https://www.virustotal.com/gui/collection/f890b10e639770c7e6ef3eeb804ee9e7391360557aedca7b1daaee02da0f7682/summary", "https://urlscan.io/search/#user:me%20OR%20team:me", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/graph", "pop-os_files_md5s.csv", "October 13, 2022 - CryptoGen Cyber Threat Intelligence - A new Chinese malware attack targets Windows, macOS, and Linux systems .pdf", "SCANID: S-4jjwyMrjTU0", "SCANID: S-4FSYbAVw6TA", "https://www.virustotal.com/graph/embed/g532ea94109c54d96ba1bde62201fb4439ef00ab8d0af4a2f99ee42846ad158df?theme=dark", "SCANID: S-YV38dG9guZE", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/graph", "https://www.filescan.io/uploads/67df8585fae452b82c2115b7/reports/65f03ad1-b5bc-41a8-ae82-21970a18efcb/ioc" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Unknown" ], "malware_families": [ "Php", "Valhalla" ], "industries": [ "Telecommunications", "Healthcare", "Education", "Government", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "67c6bb5aa601e91b1314ff44", "name": "SCANID: S-KhOoOrXsco8: Thor Lite Linux 64 - Sample Lab Device 2 - incomplete (not enriched)", "description": "Thor Lite Linux 64 - Sample Lab Device 2 - incomplete\nhttps://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d\nSCANID: S-KhOoOrXsco8", "modified": "2025-04-22T06:02:28.535000", "created": "2025-03-04T08:35:38.390000", "tags": [ "misc", "filename ioc", "scanid", "sigtype1", "reasonscount", "sg2backup drive", "thu feb", "log entry", "exists1", "matched1", "warp", "trash", "rooter", "service", "puppet", "apache", "ruby", "execution", "android", "glasses", "agent", "hermes", "atlas", "score", "open", "orion", "entity", "download", "enterprise", "nexus", "beyond", "patch", "rest", "bsod", "bind", "june", "upgrade", "project", "surtr", "path", "mandrake", "accept", "openssl", "null", "responder", "shell", "servu", "cargo", "bypass", "green", "python", "iframe", "webex", "blink", "code", "netty", "fall", "grab", "metasploit", "webdav", "postscript", "middle", "assistant", "energy", "august", "diego", "february", "hold", "write", "extras", "fusion", "trace", "click", "rust", "anna", "virustotal", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "obfus", "probe", "win32", "snoopy", "vuln", "april", "format", "flash", "domino", "calendar", "cryptocat", "orca", "hello", "stream", "confi", "sharepoint", "launcher", "hypervisor", "malicious", "lame", "attack", "prior", "simple", "hpack", "homepage", "easy", "live", "cookie", "explorer", "config", "rush", "spark", "chat", "media", "webview", "trigger", "northstar", "monitoring", "false", "impact", "dino", "example", "splash", "macos", "notifier", "error", "spring", "this", "neutrino", "tools", "template", "crow", "magento", "zimbra", "drop", "stack", "linear", "blocker", "deleter", "main", "face", "arch", "hosts", "bifrost", "recursive", "cobaltstrike", "luckycat", "brain", "apt", "php", "rat", "hacktool", "worm", "meterpreter", "obfuscated", "evasive", "exaramel", "anti-vm" ], "references": [ "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/iocs", "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/summary", "https://www.virustotal.com/graph/embed/ga8f86f452d6d4819b2dedf4c1981843304472a457d9b4b339f35679f4693ce9c?theme=dark", "https://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d", "https://cyber-fortress.com/docs/result/index.php?id=67c6bb9cc8d04e92a4bed8fc", "https://www.filescan.io/uploads/67c6bd19e95d0f9029e3804f/reports/834b740f-9bcb-42d9-b6a1-a0a8dbd07b07/overview", "https://www.filescan.io/uploads/67df8585fae452b82c2115b7/reports/65f03ad1-b5bc-41a8-ae82-21970a18efcb/ioc", "https://hybrid-analysis.com/sample/a6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45/67df874be4fc8d105e0230d1" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [ "Education", "Healthcare", "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 14071, "FileHash-MD5": 979, "FileHash-SHA1": 2568, "FileHash-SHA256": 636, "URL": 43905, "domain": 2031, "email": 31, "hostname": 3621 }, "indicator_count": 67842, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "362 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67a219f7c06d372f86335d64", "name": "Thor Linux Lite Scan - Sample Device & SG2 - 02.07.25 - Unenriched", "description": "Took a few tries but here is the complete thor Linux 64 Lite Scan on: Sample Device & a single drive (one of many) of the 77 TB of: things I have but don't know what to do with\n---\nOld Notes on previous scan attempts for this sample.\nSee Comments on VT\nMD5\nde880994c51d4055c960e2d32db89774\n \nSHA-1\n539e7c2eefd7a6aa17db436d83738c117f26798c\n \nSHA-256\na6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45\n \nSSDEEP\n98304:hpUsCWtdIdOKfb44V0ipGuEwWPKhmMWMCURFfxzRq6R5qJJfrPOOD86U6BDfIokW:BKftFfuDfqAfPPfa4f3\n \nTLSH\nT10D571AC3C70811188D2373EBE1B4BA59BD06381EDECA9D59F08D642C97946467A2EDCF", "modified": "2025-03-09T16:04:43.604000", "created": "2025-02-04T13:45:27.169000", "tags": [ "stuff", "data", "no problems", "upload", "problems1", "progressb", "progressi", "onedrive", "files", "bitdefender", "scanid", "lite version", "ioc jan", "thor lite", "ip address", "writing", "cron", "envcheck", "filescan", "firewall", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "virustotal", "arch", "hosts" ], "references": [ "pop-os_files_md5s.csv", "https://www.virustotal.com/graph/embed/g532ea94109c54d96ba1bde62201fb4439ef00ab8d0af4a2f99ee42846ad158df?theme=dark", "SCANID: S-yIBIO4Ib0l4", "SCANID: S-9uT7vEdHwHk", "SCANID: S-4FSYbAVw6TA", "SCANID: S-4jjwyMrjTU0", "SCANID: S-jZUP9vdJp8E", "https://www.virustotal.com/gui/collection/d8bbd97abe2ea808a02db46380171df0803a43a379ed3795a316cb1f947939de/iocs", "SCANID: S-CadvV0Kd35c", "SCANID: S-0LxiGnOve0Q", "SCANID: S-YV38dG9guZE", "https://www.virustotal.com/gui/collection/f890b10e639770c7e6ef3eeb804ee9e7391360557aedca7b1daaee02da0f7682/iocs", "https://www.virustotal.com/gui/collection/f890b10e639770c7e6ef3eeb804ee9e7391360557aedca7b1daaee02da0f7682/summary" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Education", "Healthcare", "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 701, "FileHash-SHA1": 871, "FileHash-SHA256": 897, "URL": 2920, "domain": 388, "email": 17, "CVE": 830, "hostname": 295 }, "indicator_count": 6919, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "405 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "666ac558d08da6cfb3ba135b", "name": "Thor Lite Scanner - Cigabuntu (Parrot Version) vs. The Book of Shadows", "description": "A little unclear on 'just exactly what all of this is' - Other than Huntress Catching things and Thor & Bitdefender Gravutyzone ****ing the bed\n\nScan ID: S-6vsmMgE47Gk\nScan Id: S-H9GdDtmU2vU\n\n06.13.24: https://www.virustotal.com/graph/embed/g14ccc2b5794648cc838da283a8fbfcda4d95dde6ddc44798be19c2832778787f?theme=dark", "modified": "2024-07-13T09:05:44.647000", "created": "2024-06-13T10:09:28.617000", "tags": [ "entity", "please", "javascript", "valhalla", "php", "filename ioc", "mon jun", "module", "sigtype1", "reasonscount", "tue jun", "exploit code", "file names", "matched1", "score", "shellcode", "form", "mimikatz", "powershell", "cobaltstrike", "null", "trace", "shell", "import", "empire", "hermanos", "cobalt strike", "void", "body", "exploit", "webshell", "antak", "anomaly", "error", "generic", "target", "obfus", "skeletonkey", "virustotal", "dllimport", "false", "flash", "info", "click", "macos", "test", "powersploit", "powercat", "tools", "metasploit", "twitter", "open", "path", "xploit" ], "references": [ "https://www.virustotal.com/graph/embed/g14ccc2b5794648cc838da283a8fbfcda4d95dde6ddc44798be19c2832778787f?theme=dark", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/summary", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/iocs", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/graph" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VALHALLA", "display_name": "VALHALLA", "target": null }, { "id": "PHP", "display_name": "PHP", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 74, "CVE": 156, "FileHash-MD5": 828, "FileHash-SHA1": 1126, "FileHash-SHA256": 746, "domain": 130, "email": 4, "hostname": 21 }, "indicator_count": 3085, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "645 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6668b85065eec626e4766a38", "name": "Thor-Lite Linux 64 (06.11.24) - enriched a bit more but not 'pruned'", "description": "Please note: This sample is a tad 'outdated' as I ran both scans kind of by accident lol (i.e. did not update w. the utils utility). I was a bit tired so a happy accident of more data? - but gives a general 'picture' or 'painting' anyways on a rather small set of data.\n\nHave some more data to put up (picked up by Huntress Labs) - just have to get that back online.\n\nWould love to accommodate for some confounding variables - e.g. filter for false positives, windows logs, networking capabilities (better than what I have now) to better inform the team taking care of me (us). \n\nNote: Given it was using some outdated thor modules (lite-version), it was 'good enough' to provide some data worth looking into that 'falls in line' w. what I've come across. \n\nJust a combined sample (2 in 1) of a thor-lite scan of a linux instance (06.11.24)\n\nI've just listed a few places I have some direct ties to in one way or another (not including the other UAlberta students affected that have been in contact with me or reached out).", "modified": "2024-07-11T21:08:15.880000", "created": "2024-06-11T20:49:20.318000", "tags": [ "mon jun", "filename ioc", "scanid", "sigtype1", "group", "reason1", "matched1", "reasonscount", "dangerous file", "exploit code", "trace", "anomaly", "project", "import", "mimikatz", "form", "powershell", "shellcode", "cobaltstrike", "hermanos", "cobalt strike", "inject", "body", "null", "confuserex", "virustotal", "generic", "comspec", "injectdll", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "obfus", "webshell", "phpshell", "error", "exploit", "dllimport", "info", "kill", "path", "arch", "hosts", "bifrost", "thor", "false", "tools", "flash", "cve201711882", "macos", "bypass", "green", "team", "target", "cred", "powersploit", "recursive", "term", "download", "zero", "antak", "install", "metasploit", "local", "meterpreter", "shell", "please", "javascript", "entity" ], "references": [ "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/iocs", "https://www.virustotal.com/graph/embed/gfdb1aa99d73447818bfcd10130b237a4e92dbf316d5f4f028ad64f71f882bccc?theme=dark", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/graph", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/summary", "https://urlscan.io/search/#user:me%20OR%20team:me", "https://viz.greynoise.io/analysis/eaa63cd1-14fd-4d03-9e83-29bd58eab538" ], "public": 1, "adversary": "Unknown", "targeted_countries": [ "United States of America", "Canada", "Netherlands", "Anguilla", "Panama", "Trinidad and Tobago", "Saint Martin (French part)", "Saint Vincent and the Grenadines", "Sint Maarten (Dutch part)", "Mexico", "Philippines", "Japan", "Aruba", "Costa Rica", "Guatemala", "China", "Barbados", "Saint Kitts and Nevis", "Cayman Islands", "Cura\u00e7ao", "Virgin Islands, U.S." ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" } ], "industries": [ "Education", "Technology", "Government", "Healthcare", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 247, "FileHash-MD5": 1183, "FileHash-SHA1": 1553, "FileHash-SHA256": 1240, "URL": 486, "domain": 294, "email": 8, "hostname": 138 }, "indicator_count": 5149, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "646 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6588588d4b9eb5c3530caabf", "name": "Ghost RAT | Apple Domain Robot | Cherry Creek, Colorado Retail", "description": "", "modified": "2024-01-23T17:03:33.038000", "created": "2023-12-24T16:13:01.574000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64d1e650a97b0611cf796551", "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28182, "FileHash-MD5": 4761, "FileHash-SHA1": 3109, "FileHash-SHA256": 10324, "domain": 3628, "hostname": 9624, "email": 90, "CIDR": 8, "CVE": 42 }, "indicator_count": 59768, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "816 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "634854b6498d7bc8f671d247", "name": "A new Chinese malware attack targets Windows, macOS, and Linux systems", "description": "", "modified": "2022-11-12T18:03:17.931000", "created": "2022-10-13T18:11:02.171000", "tags": [], "references": [ "October 13, 2022 - CryptoGen Cyber Threat Intelligence - A new Chinese malware attack targets Windows, macOS, and Linux systems .pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3, "FileHash-MD5": 13, "FileHash-SHA1": 13, "FileHash-SHA256": 23 }, "indicator_count": 52, "is_author": false, "is_subscribing": null, "subscriber_count": 486, "modified_text": "1253 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "exploit.py", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "exploit.py", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776591718.9265842 }