{ "type": "Domain", "indicator": "ferventcoder.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/ferventcoder.com", "alexa": "http://www.alexa.com/siteinfo/ferventcoder.com", "indicator": "ferventcoder.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3749700687, "indicator": "ferventcoder.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "69de16ad2eff99041dc0798f", "name": "CAPE Sandbox", "description": "The full text of the full report on the events of 9 January 2016:-17 February 2017.. and the details will appear on Facebook, Twitter, Instagram and iPlayer, as well as BBC News.Publicly sourced data.", "modified": "2026-05-14T13:12:04.466000", "created": "2026-04-14T10:27:57.413000", "tags": [ "default", "win1", "acrongl integ", "adc4240758", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "angsana new", "accept", "shutdown", "bits", "users", "files c", "registry keys", "parent pid", "full path", "command line", "mutexes nothing", "settings c", "users c", "file type", "ascii text", "html document", "ascii", "smtp", "united", "pe file", "ms windows", "found", "pe32", "exploit", "window", "mydoom", "malicious", "next", "windows sandbox", "calls process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776161759&Signature=r%2BKlsLyBnYpOeeNHzRs9%2B7pdGx2v0X0pOyuXLCoa%2BnUPUCVB26zsfTA6MkxYVG1EJEHvnIlhFuROVrTGOBD3iJ8Pi88PQMXIZ3v2jPn9uE50%2B7sfn3PB%2FD2SBG1luKM%2BcX4xmmAa9lBeO4YV7eHLZRuujfrNAD1p7ibfanLrhtk7C%2BooBJ%2BBrhzZgQiVRPozazGmTh0p9ZDu5uwqfnNncRfsUH3MC2DU7%2F2lLeIXl2i4", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162253&Signature=DsUEk3x0D0tLMeH64e%2BL%2BU0fmDQgZPub6sr2i81od6MJcTmkUHTvUwY4TX7A4UF7CHp6x9os7H6ACU0L6ZaarkQrPNm5dsT7lulfOTfMO4b8%2B9vETdbWgCFKDoxSh1JDRedcaByU9eHDx1EubCyeCzVwlhIQD6DY731Nqnbs%2FbM6xAvxXIrjJXGTEIhmWk2rwD9E7fIYWKxJ3PIwdd9LxuRcfsiqFrEfxSfL%2FhCUtkAzP9VJk%2B", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162273&Signature=sHM7md8FG3NGW4EaoHgxxJxesr%2BwB7HqWHK1D3tULtGS5B9x6lSEfz%2F7oBPbC%2FW1AjBMAQvDCNRY5nUYvLs9v1lyCmWTdlaXzqGLXKKucME3uJxTnsyz%2BD1NufC0hBTMCOi72Sr8g6t%2Fs0AUKgWVoI%2FzNNPjkBnA8yhuPJDg%2FagW1ZWHbCCmuvDq89e7cuw7zAwSyLYepQaw6NwWxkbXxbLmCPt8NgH1FxvePXTh2u6kEBUkC3rfaYMz", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162432&Signature=TWbtmQs4bcHbMfmTekVuORg%2BkrtroxYd8P8uC5usycoJ%2BB%2FHow0wKjA9ZjhOZxjEmMD0SR0LJtJtz9WjU4Bo%2BUGImGkUS%2BpVWmWEUlAnFAifUeH4f5YQ%2F6cNsYropo5WcFbSSs5CBkVFTFkx0oi7v6eoTVbSOB6ZuXf3th4SLotta8FcMAzmgs6224SExEQaOgbe8HNnU%2F7BqF5906uMA793JnqbInA83%2BrUvFoO1vo3f%", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162454&Signature=s%2FL8LyYQ5ohWNf8k%2F4%2BjtOHEZw%2FPBQ50rPOAG6qtrJE1i6GAlRl5exjz0kySLyFUjqw1a%2BRmbp%2BGOUpGT1lFr%2FJQ6MrmypYvlc6FB451hDVD6FGhK1ux%2FDBdqi3jA5ZcM0TBp9nG%2FzUmdBcnXGtpTT6vgdZpgZT6%2FcaTnDSXLieEgVqCAgVX%2FZFQg3ZVxCBndzTcuRqQmR2axdb1QaRQ%2BIFIaYonKsJt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 294, "FileHash-SHA1": 122, "FileHash-SHA256": 1747, "URL": 5866, "hostname": 1673, "domain": 432, "CVE": 1, "email": 2 }, "indicator_count": 10137, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69de16a3c7cc241533da1de7", "name": "CAPE Sandbox", "description": "The full text of the full report on the events of 9 January 2016:-17 February 2017.. and the details will appear on Facebook, Twitter, Instagram and iPlayer, as well as BBC News.Publicly sourced data.", "modified": "2026-05-14T11:12:02.310000", "created": "2026-04-14T10:27:47.855000", "tags": [ "default", "win1", "acrongl integ", "adc4240758", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "angsana new", "accept", "shutdown", "bits", "users", "files c", "registry keys", "parent pid", "full path", "command line", "mutexes nothing", "settings c", "users c", "file type", "ascii text", "html document", "ascii", "smtp", "united", "pe file", "ms windows", "found", "pe32", "exploit", "window", "mydoom", "malicious", "next", "windows sandbox", "calls process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776161759&Signature=r%2BKlsLyBnYpOeeNHzRs9%2B7pdGx2v0X0pOyuXLCoa%2BnUPUCVB26zsfTA6MkxYVG1EJEHvnIlhFuROVrTGOBD3iJ8Pi88PQMXIZ3v2jPn9uE50%2B7sfn3PB%2FD2SBG1luKM%2BcX4xmmAa9lBeO4YV7eHLZRuujfrNAD1p7ibfanLrhtk7C%2BooBJ%2BBrhzZgQiVRPozazGmTh0p9ZDu5uwqfnNncRfsUH3MC2DU7%2F2lLeIXl2i4", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162253&Signature=DsUEk3x0D0tLMeH64e%2BL%2BU0fmDQgZPub6sr2i81od6MJcTmkUHTvUwY4TX7A4UF7CHp6x9os7H6ACU0L6ZaarkQrPNm5dsT7lulfOTfMO4b8%2B9vETdbWgCFKDoxSh1JDRedcaByU9eHDx1EubCyeCzVwlhIQD6DY731Nqnbs%2FbM6xAvxXIrjJXGTEIhmWk2rwD9E7fIYWKxJ3PIwdd9LxuRcfsiqFrEfxSfL%2FhCUtkAzP9VJk%2B", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162273&Signature=sHM7md8FG3NGW4EaoHgxxJxesr%2BwB7HqWHK1D3tULtGS5B9x6lSEfz%2F7oBPbC%2FW1AjBMAQvDCNRY5nUYvLs9v1lyCmWTdlaXzqGLXKKucME3uJxTnsyz%2BD1NufC0hBTMCOi72Sr8g6t%2Fs0AUKgWVoI%2FzNNPjkBnA8yhuPJDg%2FagW1ZWHbCCmuvDq89e7cuw7zAwSyLYepQaw6NwWxkbXxbLmCPt8NgH1FxvePXTh2u6kEBUkC3rfaYMz", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162432&Signature=TWbtmQs4bcHbMfmTekVuORg%2BkrtroxYd8P8uC5usycoJ%2BB%2FHow0wKjA9ZjhOZxjEmMD0SR0LJtJtz9WjU4Bo%2BUGImGkUS%2BpVWmWEUlAnFAifUeH4f5YQ%2F6cNsYropo5WcFbSSs5CBkVFTFkx0oi7v6eoTVbSOB6ZuXf3th4SLotta8FcMAzmgs6224SExEQaOgbe8HNnU%2F7BqF5906uMA793JnqbInA83%2BrUvFoO1vo3f%", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162454&Signature=s%2FL8LyYQ5ohWNf8k%2F4%2BjtOHEZw%2FPBQ50rPOAG6qtrJE1i6GAlRl5exjz0kySLyFUjqw1a%2BRmbp%2BGOUpGT1lFr%2FJQ6MrmypYvlc6FB451hDVD6FGhK1ux%2FDBdqi3jA5ZcM0TBp9nG%2FzUmdBcnXGtpTT6vgdZpgZT6%2FcaTnDSXLieEgVqCAgVX%2FZFQg3ZVxCBndzTcuRqQmR2axdb1QaRQ%2BIFIaYonKsJt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 346, "FileHash-SHA1": 338, "FileHash-SHA256": 859, "URL": 1100, "hostname": 374, "domain": 30 }, "indicator_count": 3047, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6836497513b6637e7e6f39d2", "name": "Exploited Host", "description": "", "modified": "2025-06-26T22:03:25.914000", "created": "2025-05-27T23:23:33.814000", "tags": [ "cname", "aaaa", "record type", "ttl value", "ascii text", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "sha256", "united", "pattern match", "mitre att", "date", "path", "encrypt", "starfield", "hybrid", "general", "local", "click", "strings", "4624", "records", "amazon02", "us ie", "dns ns", "dns a", "dns mx", "command decode", "ck id", "show technique", "ck matrix", "filehashsha1", "filehashsha256", "filehashmd5", "search", "type indicator", "role title", "added active", "related pulses", "showing", "entries", "pulses", "url https", "ipv4", "ccus asnas33070", "role", "value a", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 70, "FileHash-MD5": 225, "FileHash-SHA1": 232, "FileHash-SHA256": 1004, "domain": 138, "hostname": 74, "SSLCertFingerprint": 19, "email": 1 }, "indicator_count": 1763, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "683614d951f4e789950071b3", "name": "Malicious blockade", "description": "Malicious blockade, redirecting, bot activity affecting client-firm/entity interactions (outreach organizations, legal, possibly educational\u2018 doubtful ) Botnet & monitoring\u2026my OTX profile is not working to it\u2019s full capacity. I am unable to do anything except upload and post in description.\nIPv4\n141.193.213.10\ncommand_and_control || IPv4\n142.250.150.26\nexploit_source || IPv4\n142.251.16.26\nexploit_source || IPv4\n142.251.163.26\nexploit_source ||\nhttps://crimestoppers.ab.ca\nphishing\t|| IPv4\n142.250.27.27 || Alerts - injection_inter_process\ncreates_largekey\nnetwork_bind\npersistence_autorun\npersistence_autorun_tasks\ncape_detected_threat\ninjection_process_hollowing\nantivm_generic_services\ndeletes_executed_files\ndeletes_self\ninjection_runpe\nIndirect_Command_Execution_Via_ConsoleWindowHost\npersistence_ads\nrecon_fingerprint\nsuspicious_command ||", "modified": "2025-06-26T19:05:21.983000", "created": "2025-05-27T19:39:05.470000", "tags": [ "backdoor", "hstr", "checkin", "entries", "urls", "files", "location united", "america flag", "united", "america asn", "trojandropper", "ransom", "trojan", "cycbot", "hash avast", "avg clamav", "msdefender jan", "virtool", "cves all", "time", "alfper", "less see", "all av" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cycbot", "display_name": "Cycbot", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 24, "FileHash-MD5": 159, "FileHash-SHA1": 159, "FileHash-SHA256": 1440, "domain": 128, "hostname": 236, "email": 1 }, "indicator_count": 2147, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68361628539ed40883b8ee66", "name": "Cycbot | Prevents affected individuals from contacting intended entities ", "description": "", "modified": "2025-06-26T19:05:21.983000", "created": "2025-05-27T19:44:40.311000", "tags": [ "backdoor", "hstr", "checkin", "entries", "urls", "files", "location united", "america flag", "united", "america asn", "trojandropper", "ransom", "trojan", "cycbot", "hash avast", "avg clamav", "msdefender jan", "virtool", "cves all", "time", "alfper", "less see", "all av" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cycbot", "display_name": "Cycbot", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "683614d951f4e789950071b3", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 24, "FileHash-MD5": 159, "FileHash-SHA1": 159, "FileHash-SHA256": 1440, "domain": 128, "hostname": 236, "email": 1 }, "indicator_count": 2147, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a59fe40c1e4412af5b5710", "name": "Qakbot Continues | DNSpionage | Gmail l Carnegie Mellon University", "description": "Qakbot continues to attack vulnerable devices; this attack affecting Chrome, Chromium, Google PlayStore - Redline Stealer, Gmail accounts.\n\nQakBot\u2019s modular structure allows for various malicious features, including process and web injection, victim network enumeration and credential stealing, and the delivery of follow-on payloads such as Cobalt Strike[1], Brute Ratel, and other malware. QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti[2], ProLock[3], Egregor[4], REvil[5], MegaCortex[6], Black Basta[7], Royal[8], and PwndLocker.", "modified": "2024-02-14T19:00:40.517000", "created": "2024-01-15T21:13:08.734000", "tags": [ "present jun", "scan endpoints", "all octoseek", "ipv4", "passive dns", "urls", "files", "reverse dns", "pittsburgh", "united", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "networm", "win32", "whois record", "ssl certificate", "threat roundup", "july", "communicating", "whois whois", "referrer", "contacted", "attack", "execution", "malware", "august", "copy", "april", "qakbot", "ursnif", "azorult", "hacktool", "metro", "banker", "keylogger", "malicious", "february", "mydoom-90", "worm", "cmu server", "caltech.edu", "gmail", "google attack", "google playstore", "chrome", "targeting", "carnegie mellon university", "algorithm", "v3 serial", "number", "issuer", "cus cnincommon", "rsa server", "ca lann", "stmi ouincommon", "validity", "key algorithm", "info", "first", "carnegie mellon", "server", "domain name", "domain record", "domain", "city", "orgid", "rtechhandle", "net128", "net1280000", "error", "dns replication", "date", "win32 exe", "winamp", "detections type", "name" ], "references": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a", "128.2.42.10 'CMU' Carnegie Mellon University Server", "caltech.edu | Carnegie Mellon University", "https://otx.alienvault.com/pulse/65a57ec1d13648277c52328a", "https://otx.alienvault.com/indicator/ip/142.250.69.206", "CVE-2022-26134", "http://matfyz.cz/ | phishing", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple Password Cracker]", "http://alohatube.xyz/search/tsara-brashears/ [BotNet]", "alohatube.xyz", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www.studentaffairs.cmu.edu", "3.0.8.6 Carnegie Mellon University [cmu.edu projects]", "http://www.casos.cs.cmu.edu/projects/ora/software/3.0.8.6/ORA-NetScenes-gpt-iw-64.exe [cmu.edu projects]", "googlepassword.cmu.edu", "google.cmu.edu.", "https://otx.alienvault.com/indicator/hostname/ww.google.com.uy" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 82, "FileHash-SHA1": 78, "FileHash-SHA256": 1270, "URL": 1188, "domain": 242, "hostname": 684, "CVE": 2, "CIDR": 1, "email": 2 }, "indicator_count": 3549, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "837 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64f7efd15e05f08f517c1f9f", "name": "Ferventcoder.com malware server java.exe", "description": "283,000 files, communicating, 200 files, referring, all infected, worms, chargers, various malware.", "modified": "2023-10-06T08:04:19.660000", "created": "2023-09-06T03:19:45.968000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Hell-On-A-Stick", "id": "186907", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 143, "FileHash-SHA1": 141, "FileHash-SHA256": 1779, "domain": 51, "email": 1, "URL": 126, "hostname": 54 }, "indicator_count": 2295, "is_author": false, "is_subscribing": null, "subscriber_count": 52, "modified_text": "969 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://otx.alienvault.com/pulse/65a57ec1d13648277c52328a", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple Password Cracker]", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162253&Signature=DsUEk3x0D0tLMeH64e%2BL%2BU0fmDQgZPub6sr2i81od6MJcTmkUHTvUwY4TX7A4UF7CHp6x9os7H6ACU0L6ZaarkQrPNm5dsT7lulfOTfMO4b8%2B9vETdbWgCFKDoxSh1JDRedcaByU9eHDx1EubCyeCzVwlhIQD6DY731Nqnbs%2FbM6xAvxXIrjJXGTEIhmWk2rwD9E7fIYWKxJ3PIwdd9LxuRcfsiqFrEfxSfL%2FhCUtkAzP9VJk%2B", "http://matfyz.cz/ | phishing", "google.cmu.edu.", "128.2.42.10 'CMU' Carnegie Mellon University Server", "3.0.8.6 Carnegie Mellon University [cmu.edu projects]", "alohatube.xyz", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162273&Signature=sHM7md8FG3NGW4EaoHgxxJxesr%2BwB7HqWHK1D3tULtGS5B9x6lSEfz%2F7oBPbC%2FW1AjBMAQvDCNRY5nUYvLs9v1lyCmWTdlaXzqGLXKKucME3uJxTnsyz%2BD1NufC0hBTMCOi72Sr8g6t%2Fs0AUKgWVoI%2FzNNPjkBnA8yhuPJDg%2FagW1ZWHbCCmuvDq89e7cuw7zAwSyLYepQaw6NwWxkbXxbLmCPt8NgH1FxvePXTh2u6kEBUkC3rfaYMz", "www.studentaffairs.cmu.edu", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776161759&Signature=r%2BKlsLyBnYpOeeNHzRs9%2B7pdGx2v0X0pOyuXLCoa%2BnUPUCVB26zsfTA6MkxYVG1EJEHvnIlhFuROVrTGOBD3iJ8Pi88PQMXIZ3v2jPn9uE50%2B7sfn3PB%2FD2SBG1luKM%2BcX4xmmAa9lBeO4YV7eHLZRuujfrNAD1p7ibfanLrhtk7C%2BooBJ%2BBrhzZgQiVRPozazGmTh0p9ZDu5uwqfnNncRfsUH3MC2DU7%2F2lLeIXl2i4", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162432&Signature=TWbtmQs4bcHbMfmTekVuORg%2BkrtroxYd8P8uC5usycoJ%2BB%2FHow0wKjA9ZjhOZxjEmMD0SR0LJtJtz9WjU4Bo%2BUGImGkUS%2BpVWmWEUlAnFAifUeH4f5YQ%2F6cNsYropo5WcFbSSs5CBkVFTFkx0oi7v6eoTVbSOB6ZuXf3th4SLotta8FcMAzmgs6224SExEQaOgbe8HNnU%2F7BqF5906uMA793JnqbInA83%2BrUvFoO1vo3f%", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+", "googlepassword.cmu.edu", "caltech.edu | Carnegie Mellon University", "https://otx.alienvault.com/indicator/hostname/ww.google.com.uy", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162454&Signature=s%2FL8LyYQ5ohWNf8k%2F4%2BjtOHEZw%2FPBQ50rPOAG6qtrJE1i6GAlRl5exjz0kySLyFUjqw1a%2BRmbp%2BGOUpGT1lFr%2FJQ6MrmypYvlc6FB451hDVD6FGhK1ux%2FDBdqi3jA5ZcM0TBp9nG%2FzUmdBcnXGtpTT6vgdZpgZT6%2FcaTnDSXLieEgVqCAgVX%2FZFQg3ZVxCBndzTcuRqQmR2axdb1QaRQ%2BIFIaYonKsJt", "https://otx.alienvault.com/indicator/ip/142.250.69.206", "http://alohatube.xyz/search/tsara-brashears/ [BotNet]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a", "CVE-2022-26134", "http://www.casos.cs.cmu.edu/projects/ora/software/3.0.8.6/ORA-NetScenes-gpt-iw-64.exe [cmu.edu projects]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Cycbot" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "69de16ad2eff99041dc0798f", "name": "CAPE Sandbox", "description": "The full text of the full report on the events of 9 January 2016:-17 February 2017.. and the details will appear on Facebook, Twitter, Instagram and iPlayer, as well as BBC News.Publicly sourced data.", "modified": "2026-05-14T13:12:04.466000", "created": "2026-04-14T10:27:57.413000", "tags": [ "default", "win1", "acrongl integ", "adc4240758", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "angsana new", "accept", "shutdown", "bits", "users", "files c", "registry keys", "parent pid", "full path", "command line", "mutexes nothing", "settings c", "users c", "file type", "ascii text", "html document", "ascii", "smtp", "united", "pe file", "ms windows", "found", "pe32", "exploit", "window", "mydoom", "malicious", "next", "windows sandbox", "calls process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776161759&Signature=r%2BKlsLyBnYpOeeNHzRs9%2B7pdGx2v0X0pOyuXLCoa%2BnUPUCVB26zsfTA6MkxYVG1EJEHvnIlhFuROVrTGOBD3iJ8Pi88PQMXIZ3v2jPn9uE50%2B7sfn3PB%2FD2SBG1luKM%2BcX4xmmAa9lBeO4YV7eHLZRuujfrNAD1p7ibfanLrhtk7C%2BooBJ%2BBrhzZgQiVRPozazGmTh0p9ZDu5uwqfnNncRfsUH3MC2DU7%2F2lLeIXl2i4", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162253&Signature=DsUEk3x0D0tLMeH64e%2BL%2BU0fmDQgZPub6sr2i81od6MJcTmkUHTvUwY4TX7A4UF7CHp6x9os7H6ACU0L6ZaarkQrPNm5dsT7lulfOTfMO4b8%2B9vETdbWgCFKDoxSh1JDRedcaByU9eHDx1EubCyeCzVwlhIQD6DY731Nqnbs%2FbM6xAvxXIrjJXGTEIhmWk2rwD9E7fIYWKxJ3PIwdd9LxuRcfsiqFrEfxSfL%2FhCUtkAzP9VJk%2B", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162273&Signature=sHM7md8FG3NGW4EaoHgxxJxesr%2BwB7HqWHK1D3tULtGS5B9x6lSEfz%2F7oBPbC%2FW1AjBMAQvDCNRY5nUYvLs9v1lyCmWTdlaXzqGLXKKucME3uJxTnsyz%2BD1NufC0hBTMCOi72Sr8g6t%2Fs0AUKgWVoI%2FzNNPjkBnA8yhuPJDg%2FagW1ZWHbCCmuvDq89e7cuw7zAwSyLYepQaw6NwWxkbXxbLmCPt8NgH1FxvePXTh2u6kEBUkC3rfaYMz", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162432&Signature=TWbtmQs4bcHbMfmTekVuORg%2BkrtroxYd8P8uC5usycoJ%2BB%2FHow0wKjA9ZjhOZxjEmMD0SR0LJtJtz9WjU4Bo%2BUGImGkUS%2BpVWmWEUlAnFAifUeH4f5YQ%2F6cNsYropo5WcFbSSs5CBkVFTFkx0oi7v6eoTVbSOB6ZuXf3th4SLotta8FcMAzmgs6224SExEQaOgbe8HNnU%2F7BqF5906uMA793JnqbInA83%2BrUvFoO1vo3f%", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162454&Signature=s%2FL8LyYQ5ohWNf8k%2F4%2BjtOHEZw%2FPBQ50rPOAG6qtrJE1i6GAlRl5exjz0kySLyFUjqw1a%2BRmbp%2BGOUpGT1lFr%2FJQ6MrmypYvlc6FB451hDVD6FGhK1ux%2FDBdqi3jA5ZcM0TBp9nG%2FzUmdBcnXGtpTT6vgdZpgZT6%2FcaTnDSXLieEgVqCAgVX%2FZFQg3ZVxCBndzTcuRqQmR2axdb1QaRQ%2BIFIaYonKsJt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 294, "FileHash-SHA1": 122, "FileHash-SHA256": 1747, "URL": 5866, "hostname": 1673, "domain": 432, "CVE": 1, "email": 2 }, "indicator_count": 10137, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69de16a3c7cc241533da1de7", "name": "CAPE Sandbox", "description": "The full text of the full report on the events of 9 January 2016:-17 February 2017.. and the details will appear on Facebook, Twitter, Instagram and iPlayer, as well as BBC News.Publicly sourced data.", "modified": "2026-05-14T11:12:02.310000", "created": "2026-04-14T10:27:47.855000", "tags": [ "default", "win1", "acrongl integ", "adc4240758", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "angsana new", "accept", "shutdown", "bits", "users", "files c", "registry keys", "parent pid", "full path", "command line", "mutexes nothing", "settings c", "users c", "file type", "ascii text", "html document", "ascii", "smtp", "united", "pe file", "ms windows", "found", "pe32", "exploit", "window", "mydoom", "malicious", "next", "windows sandbox", "calls process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776161759&Signature=r%2BKlsLyBnYpOeeNHzRs9%2B7pdGx2v0X0pOyuXLCoa%2BnUPUCVB26zsfTA6MkxYVG1EJEHvnIlhFuROVrTGOBD3iJ8Pi88PQMXIZ3v2jPn9uE50%2B7sfn3PB%2FD2SBG1luKM%2BcX4xmmAa9lBeO4YV7eHLZRuujfrNAD1p7ibfanLrhtk7C%2BooBJ%2BBrhzZgQiVRPozazGmTh0p9ZDu5uwqfnNncRfsUH3MC2DU7%2F2lLeIXl2i4", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162253&Signature=DsUEk3x0D0tLMeH64e%2BL%2BU0fmDQgZPub6sr2i81od6MJcTmkUHTvUwY4TX7A4UF7CHp6x9os7H6ACU0L6ZaarkQrPNm5dsT7lulfOTfMO4b8%2B9vETdbWgCFKDoxSh1JDRedcaByU9eHDx1EubCyeCzVwlhIQD6DY731Nqnbs%2FbM6xAvxXIrjJXGTEIhmWk2rwD9E7fIYWKxJ3PIwdd9LxuRcfsiqFrEfxSfL%2FhCUtkAzP9VJk%2B", "https://vtbehaviour.commondatastorage.googleapis.com/19a366688d6cbe45c99c2eb49ae11f06ac85a63b83753bdae693ba36032dbc3f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162273&Signature=sHM7md8FG3NGW4EaoHgxxJxesr%2BwB7HqWHK1D3tULtGS5B9x6lSEfz%2F7oBPbC%2FW1AjBMAQvDCNRY5nUYvLs9v1lyCmWTdlaXzqGLXKKucME3uJxTnsyz%2BD1NufC0hBTMCOi72Sr8g6t%2Fs0AUKgWVoI%2FzNNPjkBnA8yhuPJDg%2FagW1ZWHbCCmuvDq89e7cuw7zAwSyLYepQaw6NwWxkbXxbLmCPt8NgH1FxvePXTh2u6kEBUkC3rfaYMz", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162432&Signature=TWbtmQs4bcHbMfmTekVuORg%2BkrtroxYd8P8uC5usycoJ%2BB%2FHow0wKjA9ZjhOZxjEmMD0SR0LJtJtz9WjU4Bo%2BUGImGkUS%2BpVWmWEUlAnFAifUeH4f5YQ%2F6cNsYropo5WcFbSSs5CBkVFTFkx0oi7v6eoTVbSOB6ZuXf3th4SLotta8FcMAzmgs6224SExEQaOgbe8HNnU%2F7BqF5906uMA793JnqbInA83%2BrUvFoO1vo3f%", "https://vtbehaviour.commondatastorage.googleapis.com/00013c14102d59e189e1ad191b4367fda0146a1a1d354ae36bd8b315186042ad_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776162454&Signature=s%2FL8LyYQ5ohWNf8k%2F4%2BjtOHEZw%2FPBQ50rPOAG6qtrJE1i6GAlRl5exjz0kySLyFUjqw1a%2BRmbp%2BGOUpGT1lFr%2FJQ6MrmypYvlc6FB451hDVD6FGhK1ux%2FDBdqi3jA5ZcM0TBp9nG%2FzUmdBcnXGtpTT6vgdZpgZT6%2FcaTnDSXLieEgVqCAgVX%2FZFQg3ZVxCBndzTcuRqQmR2axdb1QaRQ%2BIFIaYonKsJt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 346, "FileHash-SHA1": 338, "FileHash-SHA256": 859, "URL": 1100, "hostname": 374, "domain": 30 }, "indicator_count": 3047, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6836497513b6637e7e6f39d2", "name": "Exploited Host", "description": "", "modified": "2025-06-26T22:03:25.914000", "created": "2025-05-27T23:23:33.814000", "tags": [ "cname", "aaaa", "record type", "ttl value", "ascii text", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "sha256", "united", "pattern match", "mitre att", "date", "path", "encrypt", "starfield", "hybrid", "general", "local", "click", "strings", "4624", "records", "amazon02", "us ie", "dns ns", "dns a", "dns mx", "command decode", "ck id", "show technique", "ck matrix", "filehashsha1", "filehashsha256", "filehashmd5", "search", "type indicator", "role title", "added active", "related pulses", "showing", "entries", "pulses", "url https", "ipv4", "ccus asnas33070", "role", "value a", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 70, "FileHash-MD5": 225, "FileHash-SHA1": 232, "FileHash-SHA256": 1004, "domain": 138, "hostname": 74, "SSLCertFingerprint": 19, "email": 1 }, "indicator_count": 1763, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "683614d951f4e789950071b3", "name": "Malicious blockade", "description": "Malicious blockade, redirecting, bot activity affecting client-firm/entity interactions (outreach organizations, legal, possibly educational\u2018 doubtful ) Botnet & monitoring\u2026my OTX profile is not working to it\u2019s full capacity. I am unable to do anything except upload and post in description.\nIPv4\n141.193.213.10\ncommand_and_control || IPv4\n142.250.150.26\nexploit_source || IPv4\n142.251.16.26\nexploit_source || IPv4\n142.251.163.26\nexploit_source ||\nhttps://crimestoppers.ab.ca\nphishing\t|| IPv4\n142.250.27.27 || Alerts - injection_inter_process\ncreates_largekey\nnetwork_bind\npersistence_autorun\npersistence_autorun_tasks\ncape_detected_threat\ninjection_process_hollowing\nantivm_generic_services\ndeletes_executed_files\ndeletes_self\ninjection_runpe\nIndirect_Command_Execution_Via_ConsoleWindowHost\npersistence_ads\nrecon_fingerprint\nsuspicious_command ||", "modified": "2025-06-26T19:05:21.983000", "created": "2025-05-27T19:39:05.470000", "tags": [ "backdoor", "hstr", "checkin", "entries", "urls", "files", "location united", "america flag", "united", "america asn", "trojandropper", "ransom", "trojan", "cycbot", "hash avast", "avg clamav", "msdefender jan", "virtool", "cves all", "time", "alfper", "less see", "all av" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cycbot", "display_name": "Cycbot", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 24, "FileHash-MD5": 159, "FileHash-SHA1": 159, "FileHash-SHA256": 1440, "domain": 128, "hostname": 236, "email": 1 }, "indicator_count": 2147, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68361628539ed40883b8ee66", "name": "Cycbot | Prevents affected individuals from contacting intended entities ", "description": "", "modified": "2025-06-26T19:05:21.983000", "created": "2025-05-27T19:44:40.311000", "tags": [ "backdoor", "hstr", "checkin", "entries", "urls", "files", "location united", "america flag", "united", "america asn", "trojandropper", "ransom", "trojan", "cycbot", "hash avast", "avg clamav", "msdefender jan", "virtool", "cves all", "time", "alfper", "less see", "all av" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cycbot", "display_name": "Cycbot", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "683614d951f4e789950071b3", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 24, "FileHash-MD5": 159, "FileHash-SHA1": 159, "FileHash-SHA256": 1440, "domain": 128, "hostname": 236, "email": 1 }, "indicator_count": 2147, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65a59fe40c1e4412af5b5710", "name": "Qakbot Continues | DNSpionage | Gmail l Carnegie Mellon University", "description": "Qakbot continues to attack vulnerable devices; this attack affecting Chrome, Chromium, Google PlayStore - Redline Stealer, Gmail accounts.\n\nQakBot\u2019s modular structure allows for various malicious features, including process and web injection, victim network enumeration and credential stealing, and the delivery of follow-on payloads such as Cobalt Strike[1], Brute Ratel, and other malware. QakBot infections are particularly known to precede the deployment of human-operated ransomware, including Conti[2], ProLock[3], Egregor[4], REvil[5], MegaCortex[6], Black Basta[7], Royal[8], and PwndLocker.", "modified": "2024-02-14T19:00:40.517000", "created": "2024-01-15T21:13:08.734000", "tags": [ "present jun", "scan endpoints", "all octoseek", "ipv4", "passive dns", "urls", "files", "reverse dns", "pittsburgh", "united", "ghost rat", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "redlinestealer", "installcore", "installbrain", "emotet", "tofsee", "bradesco", "agent tesla", "trojanspy", "suppobox", "occamy", "dnspionage", "stealer", "networm", "win32", "whois record", "ssl certificate", "threat roundup", "july", "communicating", "whois whois", "referrer", "contacted", "attack", "execution", "malware", "august", "copy", "april", "qakbot", "ursnif", "azorult", "hacktool", "metro", "banker", "keylogger", "malicious", "february", "mydoom-90", "worm", "cmu server", "caltech.edu", "gmail", "google attack", "google playstore", "chrome", "targeting", "carnegie mellon university", "algorithm", "v3 serial", "number", "issuer", "cus cnincommon", "rsa server", "ca lann", "stmi ouincommon", "validity", "key algorithm", "info", "first", "carnegie mellon", "server", "domain name", "domain record", "domain", "city", "orgid", "rtechhandle", "net128", "net1280000", "error", "dns replication", "date", "win32 exe", "winamp", "detections type", "name" ], "references": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-242a", "128.2.42.10 'CMU' Carnegie Mellon University Server", "caltech.edu | Carnegie Mellon University", "https://otx.alienvault.com/pulse/65a57ec1d13648277c52328a", "https://otx.alienvault.com/indicator/ip/142.250.69.206", "CVE-2022-26134", "http://matfyz.cz/ | phishing", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [Apple Password Cracker]", "http://alohatube.xyz/search/tsara-brashears/ [BotNet]", "alohatube.xyz", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]", "www.studentaffairs.cmu.edu", "3.0.8.6 Carnegie Mellon University [cmu.edu projects]", "http://www.casos.cs.cmu.edu/projects/ora/software/3.0.8.6/ORA-NetScenes-gpt-iw-64.exe [cmu.edu projects]", "googlepassword.cmu.edu", "google.cmu.edu.", "https://otx.alienvault.com/indicator/hostname/ww.google.com.uy" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 82, "FileHash-SHA1": 78, "FileHash-SHA256": 1270, "URL": 1188, "domain": 242, "hostname": 684, "CVE": 2, "CIDR": 1, "email": 2 }, "indicator_count": 3549, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "837 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64f7efd15e05f08f517c1f9f", "name": "Ferventcoder.com malware server java.exe", "description": "283,000 files, communicating, 200 files, referring, all infected, worms, chargers, various malware.", "modified": "2023-10-06T08:04:19.660000", "created": "2023-09-06T03:19:45.968000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Hell-On-A-Stick", "id": "186907", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 143, "FileHash-SHA1": 141, "FileHash-SHA256": 1779, "domain": 51, "email": 1, "URL": 126, "hostname": 54 }, "indicator_count": 2295, "is_author": false, "is_subscribing": null, "subscriber_count": 52, "modified_text": "969 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "ferventcoder.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "ferventcoder.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780308620.052184 }