{ "type": "Domain", "indicator": "gnu.org", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/gnu.org", "alexa": "http://www.alexa.com/siteinfo/gnu.org", "indicator": "gnu.org", "type": "domain", "type_title": "Domain", "validation": [ { "source": "akamai", "message": "Akamai rank: #8015", "name": "Akamai Popular Domain" }, { "source": "majestic", "message": "Whitelisted domain gnu.org", "name": "Whitelisted domain" }, { "source": "whitelist", "message": "Whitelisted domain gnu.org", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2234199511, "indicator": "gnu.org", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 18, "pulses": [ { "id": "69fc4d77afa81737a1d6262c", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:56.667000", "created": "2026-05-07T08:29:43.174000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 29, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 431, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fc4d769e89dc96fce03ffe", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:56.571000", "created": "2026-05-07T08:29:42.377000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 29, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 431, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fc4d75bbb155224dcb27b7", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:55.728000", "created": "2026-05-07T08:29:41.963000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 30, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 432, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4594ea685ae6b9912f97b", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-05-07T01:01:09.875000", "created": "2026-04-07T01:09:34.613000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "hostname": 101 }, "indicator_count": 3481, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595cd9283fc7a5aa03ab", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-05-07T01:01:09.875000", "created": "2026-04-07T01:09:48.152000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 195, "domain": 120, "hostname": 101, "CVE": 1 }, "indicator_count": 3483, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595beae76fc81c99cf63", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-05-07T01:01:09.875000", "created": "2026-04-07T01:09:47.895000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "hostname": 101 }, "indicator_count": 3481, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595bad55db9318902436", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-05-07T01:01:09.875000", "created": "2026-04-07T01:09:47.753000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "hostname": 101 }, "indicator_count": 3481, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595b8c340900560463a8", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-05-07T01:01:09.875000", "created": "2026-04-07T01:09:47.893000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "hostname": 101 }, "indicator_count": 3481, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595a99f229f5b99ce366", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-05-07T01:01:09.875000", "created": "2026-04-07T01:09:46.696000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "hostname": 101 }, "indicator_count": 3481, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d45947ce0025cf5afbb117", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-05-07T01:01:09.875000", "created": "2026-04-07T01:09:27.333000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "hostname": 101 }, "indicator_count": 3481, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6980689d04c3d0afa554c247", "name": "Copy of Proton Suite - Apple iPadOS - Drive VPN Calendar Protonmail Ubiquiti Grok - 02.02.26", "description": "Copy of Proton Suite - Apple iPadOS - Drive VPN Calendar Protonmail Ubiquiti Grok - 02.02.26", "modified": "2026-03-04T08:01:36.153000", "created": "2026-02-02T09:04:29.535000", "tags": [ "entity", "skreutzb", "kgs0", "kls0", "please", "javascript", "Proton", "Drive", "Mail", "Calendar", "VPN", "Ubiquiti", "Unifi", "Malcerts", "Certificates", "Apple", "Github", "Cocoapods" ], "references": [ "https://www.virustotal.com/graph/embed/ge36545cffdc8444caaf69c36a825639183ebd69af93f48369156f4dfc5348f8d?theme=dark", "https://www.virustotal.com/gui/collection/1a335578b9905ed48ee04a8c52890951a06a1034dc9362d3ae4e042512eeb027", "https://www.virustotal.com/gui/collection/1a335578b9905ed48ee04a8c52890951a06a1034dc9362d3ae4e042512eeb027/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 24, "FileHash-SHA1": 20, "FileHash-SHA256": 146, "hostname": 143, "URL": 218, "domain": 35 }, "indicator_count": 586, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "87 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697e63806866d6d68d082321", "name": "Proton Drive - 01.31.26", "description": "Proton Drive - 01.31.26\nFound within Sample -> App (inside app) -> Settings -> Acknowledgements on an Apple iPadOS\nExtremely long list of 3rd party Repositories [ This Pulse & VT Need to be updated ]", "modified": "2026-03-02T21:04:40.390000", "created": "2026-01-31T20:18:08.975000", "tags": [ "Proton", "Drive", "Apple", "iPadOS" ], "references": [ "https://www.virustotal.com/graph/embed/g5e4329cdd3c241339452abac147e83ac58e4ea6ca231474a91e2b98d035c59e1?theme=dark", "https://www.virustotal.com/gui/collection/e60910e3c111b45be5d4ceecb5cde6312258667f270461ad23fa3e39bbebb000/summary", "https://www.virustotal.com/gui/collection/e60910e3c111b45be5d4ceecb5cde6312258667f270461ad23fa3e39bbebb000/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 17, "URL": 166, "domain": 26, "email": 2, "hostname": 13 }, "indicator_count": 224, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "89 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6928cdeec9048ce3ac4c559c", "name": "ProtonVPN - 01.31.26", "description": "Apple & Proton VPN\n\nURLS extracted from Settings, Apps, Acknowledgements", "modified": "2026-03-02T19:02:07.911000", "created": "2025-11-27T22:17:18.397000", "tags": [ "skreutzb", "pmnetworking", "please", "javascript" ], "references": [ "https://www.virustotal.com/gui/collection/8e9ce3584f26b9154be707edae1341ffbf3654036d5f623d2a4c0593fa3729a4/iocs", "https://report.netcraft.com/submission/YCvsjEDw42hsBY1Nd8Fnkar2YNrwXV7N?tab=urls", "URLscanio", "01.31.26 https://www.virustotal.com/graph/embed/gc0436b0fbb21440aad3643c68736a1b45c237c7888cc4785918a5eac20cb5997?theme=dark", "01.31.26 https://www.virustotal.com/gui/collection/8e9ce3584f26b9154be707edae1341ffbf3654036d5f623d2a4c0593fa3729a4/summary", "01.31.26 https://www.virustotal.com/gui/collection/8e9ce3584f26b9154be707edae1341ffbf3654036d5f623d2a4c0593fa3729a4/iocs" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 194, "domain": 26, "hostname": 12, "FileHash-SHA256": 6 }, "indicator_count": 238, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "89 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682bc2458ba622cc1ce0fe31", "name": "hxxps://astromust[.]com - alleged group of Canadian *Hackers* - 05.19.25", "description": "Quick Peak into hxxps://astromust[.]com - alleged group of Canadian *Hackers* - 05.19.25\n-->> Just gotta Graph it out // Add some names // all that jazz\nAstromust is a mobile game set in an intergalactic world, where players are pitted against each other in a race to the moon, and the ultimate space adventure game is on offer.", "modified": "2025-06-20T16:02:07.802000", "created": "2025-05-19T23:44:05.771000", "tags": [ "astromust", "multi universal", "space team", "ai team", "astrostation", "malware", "virus", "trojan", "ransomware", "static", "analysis", "indicator of compromise", "ioc", "extraction", "emulation", "online", "submit", "sample", "download", "platform", "etmodules", "sandbox", "vxstream", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "kaspersky threat intelligence portal", "online virus scan file", "online file scanner", "kaspersky online scanner", "online file virus scan", "scan file online", "scan file for virus", "file scanner", "online file virus scanner", "check link for virus", "kaspersky online scan", "check file for virus", "false alarm", "false detection", "false positive", "community", "results", "switch", "inquest labs", "resources api", "notes supported", "cve list", "drop your", "file", "service", "prefetch8 ansi", "date", "show process", "ansi", "threat level", "hash seen", "pcap processing", "pcap", "sha256", "command decode", "suspicious", "hybrid", "comspec", "starfield", "close", "click", "hosts", "general", "path", "model", "encrypt", "strings", "contact", "ip location", "osint verdict", "javascript", "technology", "domain status", "server", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "algorithm", "key identifier", "x509v3 subject", "data", "v3 serial", "number", "cus olet", "encrypt cnr10", "validity", "subject public", "UAlberta" ], "references": [ "https://www.filescan.io/uploads/682bbaad0de036ed65ac2b71/reports/331527e9-620a-4de4-8453-ae192d8fa4a0/overview", "https://www.hybrid-analysis.com/sample/00defff362d7d7129f891a2934b04b2ed53e6d951a2211e0846eca4f69c8d67b", "https://opentip.kaspersky.com/https%3A%2F%2Fastromust.com/?tab=lookup", "https://metadefender.com/results/url/aHR0cHM6Ly9hc3Ryb211c3QuY29t", "https://www.hybrid-analysis.com/sample/00defff362d7d7129f891a2934b04b2ed53e6d951a2211e0846eca4f69c8d67b/682bbc44b7f58e83f50c9316", "https://www.virustotal.com/gui/domain/astromust.com/relations", "https://www.virustotal.com/gui/domain/astromust.com/details", "https://polyswarm.network/scan/results/url/b90bd2fbc0b269c2355b17ce439872ce2795d5d297c2321c704c451293830887", "https://www.virustotal.com/gui/collection/1a911851d442fb25c6c63a6cbfe62be07ccd5b0f1eff0f07db8df5a23d1e2d23/iocs", "https://www.virustotal.com/gui/collection/1a911851d442fb25c6c63a6cbfe62be07ccd5b0f1eff0f07db8df5a23d1e2d23", "https://www.virustotal.com/graph/embed/gd3d17be766b04b91a5de8ddd5b16415eb8efe15309a14f5f9584649fd216ca12?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [ { "id": "AstroStation", "display_name": "AstroStation", "target": null } ], "attack_ids": [ { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Government", "Telecommunications", "Healthcare", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 70, "FileHash-SHA256": 801, "URL": 421, "domain": 473, "hostname": 237, "FileHash-MD5": 64, "SSLCertFingerprint": 17, "email": 6 }, "indicator_count": 2089, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "344 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6761c6d68582c49eff306fe6", "name": "Likely malicious Google Analytics Alternative - App & Web Analytics - Matomo", "description": "The full text of the \"suspicious\"obfuscation using unescape has been published on the website tylabs.com, as well as the official release of a new version of PDF.", "modified": "2025-05-14T21:24:25.364000", "created": "2024-12-17T18:45:42.250000", "tags": [ "bitcoin address", "didier stevens", "didierstevens", "bitcoinaddress", "june", "copyright", "t1027", "unesc", "unescape", "flash define", "matomo", "string", "date", "sufeffxa0", "regexp", "please", "blob", "null", "tag manager", "link", "url https", "ipv4", "url http", "learn", "it for", "no credit", "cloud trial", "start", "contact", "matomo team", "help", "free", "easy", "tools" ], "references": [ "https://matomo.org https://matomo.www.gov.pl/analytics/js/container_68lYTZ79.js", "https://www.filescan.io/uploads/67619a0f99caec9a276f9efd/reports/92e63ab1-1ebd-41a7-90da-f842f0b90392/details" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 62, "YARA": 8, "domain": 83, "URL": 657, "email": 3, "hostname": 152, "IPv4": 15, "CIDR": 1, "FileHash-SHA1": 57, "FileHash-SHA256": 734 }, "indicator_count": 1772, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "381 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65eedf74b7bdda41057bef3e", "name": "Source Browse- DNS poisoning \u2022 Device CnC", "description": "Smear + Fear campaign. Parked domain schemes. Swatting, social engineering, crime staging/framing. Cyber bully, shocking, false online content, posters, porn dumping, injection, CnC devices, master keys, break & enter. Victim becomes the accused. Framing. Ability to close bank accounts, skim, call, text, email collection, redirect phone calls, create botnets, engineer malware, injection,divert tax refunds, divert funds, royalties, mail erase job history, attack, hospital, CnC event, IRS audits, fake documentaries, stalkers, attackers, death threats. MD articulated outcome after being SA'd by their employee they vowed to protect.", "modified": "2024-04-10T09:00:27.994000", "created": "2024-03-11T10:39:48.949000", "tags": [ "iocs", "all octoseek", "blacklist https", "gmbh version", "legal", "service privacy", "general full", "reverse dns", "san francisco", "asn13335", "cloudflarenet", "cloudflare", "domains", "service privacy", "modernizr", "domainpath name", "migrate", "phishing", "url https", "united", "line", "threat", "paste", "analyze", "value", "z6s3i string", "a7i string", "y3i string", "e0b function", "x8i string", "source level", "threat analyzer", "urls https", "domain", "webzilla", "cloudflar", "system", "hostnames", "sample", "security tls", "ecdheecdsa", "resource", "hash", "windows nt", "win64", "khtml", "gecko", "veryhigh", "limited", "lsalford", "ocomodo ca", "cncomodo ecc", "secure server", "olet", "encrypt", "cnlet", "identity search", "group", "google https", "expired", "comodo", "tls web", "log id", "criteria id", "1663014711", "summary leaf", "timestamp entry", "log operator", "error", "name size", "parent", "directory", "displays", "targets", "smartfolder", "frame", "bookmarks", "splitcount", "nib files", "design", "boundsstr", "rows", "source browser", "ruby logo", "license", "python", "python software", "foundation", "apple inc", "php logo", "visit", "valid", "no na", "no no", "ip security", "ca id", "research group", "cnisrg root", "mozilla", "android", "binrm", "targetdisk", "create", "crlcachedir", "makefile", "dstroot", "keychainssrc", "srcroot", "crl cache", "install", "ev server", "authentication", "subject", "digicert https", "sectigo https", "certificate", "ca limited", "salford", "greater", "key usage", "access", "ca issuers", "ocsp", "x509v3 subject", "lets", "identifier", "411260982", "poison", "search", "status page", "impressum", "protocol h2", "main", "framing", "geoip", "as13335", "centos", "as32244", "liquidweb", "redirect", "as16509", "as133618", "z6s3i y3i", "as62597", "france unknown", "showing", "link", "z6s3i", "date", "unknown", "meta", "sha256", "google safe", "browsing", "hostname", "samples", "td td", "tr tr", "a td", "a domains", "passive dns", "a th", "urls", "as50295 triple", "triple mirrors", "contact", "moved", "show", "accept", "body", "microsoft", "e4609l", "urls http", "yoa https", "url http", "scan endpoints", "report spam", "created", "weeks ago", "pulse", "brashears", "xvideos", "capture", "expiration", "no expiration", "entries", "status", "as58110 ip", "for privacy", "aaaa", "creation date", "domain name", "germany unknown", "bq mar", "ipv4", "pulse pulses", "files", "artro", "files domain", "files related", "pulses otx", "pulses", "tags", "servers", "record value", "body doctype", "html public", "macintosh", "intel mac", "os x", "technology", "dns replication", "email", "server", "registrar abuse", "dnssec", "expiration date", "registrar iana", "admin country", "tech country", "registry admin", "url text", "facebook url", "google url", "google", "software", "asn15169", "ip https", "february", "request chain", "http", "referer", "aes128gcm", "pragma", "frankfurt", "germany", "asn213250", "itpsolutions", "full url", "software caddy", "express", "ubuntu", "as14061", "digitaloceanasn", "address as", "april", "facebook", "march", "hashes", "ip address", "as autonomous", "fastly", "packet", "kb script", "b script", "october", "resource path", "size", "type mimetype", "redirect chain", "kb image", "b image", "cname", "as32244 liquid", "trojan", "high", "yara rule", "sniffs", "windows", "anomalous file", "medium", "guard", "filehash", "js user", "python connection", "brian sabey", "smithtech", "rexxfield", "connect facebook", "open", "emails", "next", "ssl certificate", "contacted", "whois record", "referrer", "historical ssl", "resolutions", "execution", "whois whois", "contacted urls", "linkid69157 url", "formbook", "spyware", "generic malware", "tag count", "sat jul", "threat report", "ip summary", "url summary", "summary", "generic", "alerts", "icmp traffic", "cust exe", "depot tech", "office depot", "tech", "customer client", "june", "copy", "network_icmp", "inject-x64.exe", "tsara brashears", "apple ios", "hacktool", "download", "malware", "relic", "monitoring", "tofsee", "https://otx.alienvault.com/pulse/65acace20c18a7d6c5da2e27", "darklivity", "hijacker", "remote attackers", "cybercrime", "fear factor", "criminal gang", "jeffrey reimer", "miles it", "history killer", "apple", "apple control", "sreredrum", "men", "man", "hit" ], "references": [ "videolal.com [Exploitation for privilege - Turns victim into target then spys, smears, embeds pornography in devices]", "videolal.com was first found hosted : https://rexxfield.com/ | https://crt.sh/?id=410492573 | https://crt.sh/?id=411260982", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/michael.pbxuser.auto.html", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/project.pbxproj.auto.html", "https://opensource.apple.com/source/security_certificates/security_certificates-2/roots/", "https://crt.sh/?q=videolal.com", "https://opensource.apple.com/source/security_certificates/security_certificates-2/Makefile.auto.html", "https://opensource.apple.com/source/security_certificates/", "https://crt.sh/?q=videolal.com", "https://crt.sh/?graph=410492573&opt=nometadata", "https://crt.sh/?spkisha256=2c5ef644a15ed2d591aee707a125b2870da480a0bc16d78022a311c93aca5b15", "Tracey Richter smear included Brashears: http://video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "Tracey Richter smear: video-lal.com/videos/diabolical-sentencing.html", "Tracey Richter smear: video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "Tracey Richter smear: video-lal.com/video/fbcwPGTSo5lrA7e/tracey-richter-documentary?cpc=no", "Malware hosting: http://videolan.mirror.triple-it.nl/vlc-android/3.0.4/VLC-Android-3.0.4-ARMv7.apk", "video-lal.com/videos/sandra-richter-video.html", "Denver Attorney Frank Azar Smear: video-lal.com/videos/sherryce-emery-frank-azar-&-associates.html", "Brashears smear: video-lal.com/videos/tsara-brashears-dead-by-daylight.html", "http://tx-p2p-pull.video-voip.com.dorm.com/Accept-Language", "Crazy: video-lal.com/videos/michael-roberts.html", "https://urlscan.io/screenshots/e40cd846-7c34-45a5-9f79-fea139f5b1ee.png", "http://secure.applegiftcard.com \u2022 199.59.243.224: http://tx-p2p-pull.video-voip.com.dorm.com \u2022 199.59.243.224: http://wpad.dorm.com", "notonmytrack.info \u2022 http://notonmytrack.info \u2022 https://pochta-rf.ru/track74157857 \u2022 patch-tracker.gnewsense.org \u2022 mysql.snore.co", "Darren Meade: https://urlscan.io/result/e5f1d6fe-036e-4291-8595-0a33e5dacba5/#behaviour \u2022 alleged partner turned enemy of Michael Roberts", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe | smithsthermopadtool.com", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe \u2022", "Unclear given names authentic. Michael Roberts, Darren Mitchell Meade , M. Brian Sabey could be used interchangeably. Black hats w/pseudonyms.", "Smith tech may refer to Det. Ben Smith. HallRender; a media company, producing nonsensical, albeit convincing evidence of deeply fake content.", "Possibly false names given by individual involved. Brian Sabey Hall Render | Michael Roberts Rexxfield | Darren Meade former partner of Roberts", "Responsible reopening Richter case via alleged Detective Ben Smith | Names Below linked to porn spewing Videolan , Videolal, Video-lal (Honeypots?) |", "http://www.hallrender.com/attorney/brian-sabey |", "Sabey: https://www.google.com/search?q=tsara+brashears&client=ms-android-tmus-us-rvc3&sca_esv=52c806ab62ec5c59&cs=1&prmd=inv&filter=0&biw=347&bih=710&dpr=2.08#ip=1", "https://www.hallrender.com/attorney/brian-sabey", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png | www.hallrender.com | rexxfield.com", "http://usb.smithtech.us \u2022 http://usb.smithtech.us/apps/downloads/NSISPortable.exe \u2022 http://usb.smithtech.us/apps/downloads/xplorer2.lite.portable.exe", "http://usb.smithtech.us/projects/downloads/\u2022 http://usb.smithtech.us/projects/downloads/psu.exe \u2022 smithsthermopadtool.com", "servicer.mgid.com \u2022 http://iv-u15.com/imbd-104-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-\u00e5\u00a4\u008f\u00e5\u00b0\u2018\u00e5\u00a5\u00b3-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-blu-ray \u2022 https://load77.exelator.com/pixel.gif", "brain-portal.net", "303 Status. Ide redirect from: https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "https://otx.alienvault.com/pulse/64d018ee4623e8fcd386c2e1", "https://otx.alienvault.com/pulse/65418472eb20b10ee5510fde", "https://otx.alienvault.com/pulse/64d65255c80d866add600bac", "https://otx.alienvault.com/pulse/65204565ac1e8bce4de26df3", "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "https://otx.alienvault.com/pulse/65a342310ab3d2c69778d608", "Refuses to remove target from adult content \"tagging\"" ], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Win.Malware.Farfli-6824119-0", "display_name": "Win.Malware.Farfli-6824119-0", "target": null }, { "id": "Win32:TrojanX-Gen[Trj]", "display_name": "Win32:TrojanX-Gen[Trj]", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1602.002", "name": "Network Device Configuration Dump", "display_name": "T1602.002 - Network Device Configuration Dump" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5328, "domain": 2339, "hostname": 2434, "FileHash-MD5": 1210, "FileHash-SHA1": 721, "FileHash-SHA256": 2784, "SSLCertFingerprint": 5, "CVE": 2, "URI": 2, "email": 10, "CIDR": 3 }, "indicator_count": 14838, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "780 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b6cbd4df7fed0272d3cf39", "name": "Apple | Xfinity | QakBot | IEXPLORE.EXE", "description": "Dark Access. QakBot still targeting vulnerable devices.", "modified": "2024-02-27T21:01:37.895000", "created": "2024-01-28T21:49:08.540000", "tags": [ "whois record", "ssl certificate", "contacted", "bundled", "communicating", "apple", "execution", "whois whois", "whois", "qakbot sslcert", "attack", "icmp", "pegasus related", "ie explorer", "active threat", "malware evader", "high risk", "yara", "sigma", "mitre", "CVE-2023-4966", "dns", "http method", "get response", "cgb stgreater", "ocomodo ca", "server ca", "number", "subject", "secure server", "http requests", "dns resolutions", "hashes", "botnet", "network", "xfinity" ], "references": [ "CS Sigma: Windows Binaries Write Suspicious Extensions by Nasreddine Bencherchali", "CS Sigma: User with Privileges Logon by frack113", "CS Yara: QakBot from ruleset QakBot by kevoreilly", "CS Yara: Windows_Trojan_Qbot_1ac22a26 from ruleset Windows_Trojan_Qbot by Elastic Security", "CS Yara: MAL_QakBot_ConfigExtraction_Feb23 from ruleset mal_qbot_feb23 by kevoreilly", "win_qakbot_auto from ruleset win.qakbot_auto by Felix Bilstein - yara-signator at cocacoding dot com", "IEXPLORE.EXE: FileHash-SHA256 0686ffb62b3787e05388beb655b0d3ce446be054c36408fde8ccd3378ef36270" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "trojan.zusy/qbot", "display_name": "trojan.zusy/qbot", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Civil Society" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "CVE": 1, "FileHash-MD5": 133, "FileHash-SHA1": 127, "FileHash-SHA256": 592, "domain": 84, "hostname": 119 }, "indicator_count": 1151, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "823 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65b80917b37806f40391abc7", "name": "Apple | Xfinity | QakBot | IEXPLORE.EXE", "description": "", "modified": "2024-02-27T21:01:37.895000", "created": "2024-01-29T20:22:47.866000", "tags": [ "whois record", "ssl certificate", "contacted", "bundled", "communicating", "apple", "execution", "whois whois", "whois", "qakbot sslcert", "attack", "icmp", "pegasus related", "ie explorer", "active threat", "malware evader", "high risk", "yara", "sigma", "mitre", "CVE-2023-4966", "dns", "http method", "get response", "cgb stgreater", "ocomodo ca", "server ca", "number", "subject", "secure server", "http requests", "dns resolutions", "hashes", "botnet", "network", "xfinity" ], "references": [ "CS Sigma: Windows Binaries Write Suspicious Extensions by Nasreddine Bencherchali", "CS Sigma: User with Privileges Logon by frack113", "CS Yara: QakBot from ruleset QakBot by kevoreilly", "CS Yara: Windows_Trojan_Qbot_1ac22a26 from ruleset Windows_Trojan_Qbot by Elastic Security", "CS Yara: MAL_QakBot_ConfigExtraction_Feb23 from ruleset mal_qbot_feb23 by kevoreilly", "win_qakbot_auto from ruleset win.qakbot_auto by Felix Bilstein - yara-signator at cocacoding dot com", "IEXPLORE.EXE: FileHash-SHA256 0686ffb62b3787e05388beb655b0d3ce446be054c36408fde8ccd3378ef36270" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "trojan.zusy/qbot", "display_name": "trojan.zusy/qbot", "target": null } ], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Civil Society" ], "TLP": "white", "cloned_from": "65b6cbd4df7fed0272d3cf39", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "CVE": 1, "FileHash-MD5": 133, "FileHash-SHA1": 127, "FileHash-SHA256": 592, "domain": 84, "hostname": 119 }, "indicator_count": 1151, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "823 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Responsible reopening Richter case via alleged Detective Ben Smith | Names Below linked to porn spewing Videolan , Videolal, Video-lal (Honeypots?) |", "https://www.virustotal.com/gui/collection/e60910e3c111b45be5d4ceecb5cde6312258667f270461ad23fa3e39bbebb000/iocs", "https://www.hybrid-analysis.com/sample/00defff362d7d7129f891a2934b04b2ed53e6d951a2211e0846eca4f69c8d67b", "https://otx.alienvault.com/pulse/64d018ee4623e8fcd386c2e1", "https://www.filescan.io/uploads/682bbaad0de036ed65ac2b71/reports/331527e9-620a-4de4-8453-ae192d8fa4a0/overview", "https://www.hallrender.com/wp-content/uploads/2017/10/Sabey_Brian_web-150x150.png | www.hallrender.com | rexxfield.com", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/michael.pbxuser.auto.html", "https://www.virustotal.com/gui/collection/e60910e3c111b45be5d4ceecb5cde6312258667f270461ad23fa3e39bbebb000/summary", "https://otx.alienvault.com/pulse/64d65255c80d866add600bac", "https://opentip.kaspersky.com/https%3A%2F%2Fastromust.com/?tab=lookup", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe \u2022", "http://www.hallrender.com/attorney/brian-sabey |", "CS Sigma: Windows Binaries Write Suspicious Extensions by Nasreddine Bencherchali", "https://www.virustotal.com/gui/collection/1a335578b9905ed48ee04a8c52890951a06a1034dc9362d3ae4e042512eeb027/iocs", "Tracey Richter smear: video-lal.com/video/fbcwPGTSo5lrA7e/tracey-richter-documentary?cpc=no", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/project.pbxproj.auto.html", "https://matomo.org https://matomo.www.gov.pl/analytics/js/container_68lYTZ79.js", "Malware hosting: http://videolan.mirror.triple-it.nl/vlc-android/3.0.4/VLC-Android-3.0.4-ARMv7.apk", "videolal.com was first found hosted : https://rexxfield.com/ | https://crt.sh/?id=410492573 | https://crt.sh/?id=411260982", "notonmytrack.info \u2022 http://notonmytrack.info \u2022 https://pochta-rf.ru/track74157857 \u2022 patch-tracker.gnewsense.org \u2022 mysql.snore.co", "https://www.virustotal.com/gui/collection/1a335578b9905ed48ee04a8c52890951a06a1034dc9362d3ae4e042512eeb027", "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "IEXPLORE.EXE: FileHash-SHA256 0686ffb62b3787e05388beb655b0d3ce446be054c36408fde8ccd3378ef36270", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://urlscan.io/screenshots/e40cd846-7c34-45a5-9f79-fea139f5b1ee.png", "https://www.hallrender.com/attorney/brian-sabey", "http://usb.smithtech.us/projects/downloads/shortcutcreator4u3-setup.exe | smithsthermopadtool.com", "Tracey Richter smear included Brashears: http://video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n", "Darren Meade: https://urlscan.io/result/e5f1d6fe-036e-4291-8595-0a33e5dacba5/#behaviour \u2022 alleged partner turned enemy of Michael Roberts", "URLscanio", "Sabey: https://www.google.com/search?q=tsara+brashears&client=ms-android-tmus-us-rvc3&sca_esv=52c806ab62ec5c59&cs=1&prmd=inv&filter=0&biw=347&bih=710&dpr=2.08#ip=1", "https://www.virustotal.com/graph/embed/ge36545cffdc8444caaf69c36a825639183ebd69af93f48369156f4dfc5348f8d?theme=dark", "CS Yara: QakBot from ruleset QakBot by kevoreilly", "https://www.virustotal.com/graph/embed/g5e4329cdd3c241339452abac147e83ac58e4ea6ca231474a91e2b98d035c59e1?theme=dark", "https://otx.alienvault.com/pulse/64cf438a574eae18716e5954", "https://otx.alienvault.com/pulse/65204565ac1e8bce4de26df3", "https://crt.sh/?spkisha256=2c5ef644a15ed2d591aee707a125b2870da480a0bc16d78022a311c93aca5b15", "https://www.virustotal.com/gui/domain/astromust.com/details", "01.31.26 https://www.virustotal.com/graph/embed/gc0436b0fbb21440aad3643c68736a1b45c237c7888cc4785918a5eac20cb5997?theme=dark", "https://crt.sh/?graph=410492573&opt=nometadata", "https://www.virustotal.com/gui/domain/astromust.com/relations", "01.31.26 https://www.virustotal.com/gui/collection/8e9ce3584f26b9154be707edae1341ffbf3654036d5f623d2a4c0593fa3729a4/summary", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "video-lal.com/videos/sandra-richter-video.html", "http://secure.applegiftcard.com \u2022 199.59.243.224: http://tx-p2p-pull.video-voip.com.dorm.com \u2022 199.59.243.224: http://wpad.dorm.com", "https://report.netcraft.com/submission/YCvsjEDw42hsBY1Nd8Fnkar2YNrwXV7N?tab=urls", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "CS Yara: MAL_QakBot_ConfigExtraction_Feb23 from ruleset mal_qbot_feb23 by kevoreilly", "videolal.com [Exploitation for privilege - Turns victim into target then spys, smears, embeds pornography in devices]", "Possibly false names given by individual involved. Brian Sabey Hall Render | Michael Roberts Rexxfield | Darren Meade former partner of Roberts", "http://usb.smithtech.us/projects/downloads/\u2022 http://usb.smithtech.us/projects/downloads/psu.exe \u2022 smithsthermopadtool.com", "Smith tech may refer to Det. Ben Smith. HallRender; a media company, producing nonsensical, albeit convincing evidence of deeply fake content.", "servicer.mgid.com \u2022 http://iv-u15.com/imbd-104-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-\u00e5\u00a4\u008f\u00e5\u00b0\u2018\u00e5\u00a5\u00b3-\u00e9\u00bb\u2019\u00e5\u00ae\u00ae\u00e3\u201a\u0152\u00e3\u0081\u201e-blu-ray \u2022 https://load77.exelator.com/pixel.gif", "https://www.filescan.io/uploads/67619a0f99caec9a276f9efd/reports/92e63ab1-1ebd-41a7-90da-f842f0b90392/details", "https://otx.alienvault.com/pulse/65a342310ab3d2c69778d608", "http://tx-p2p-pull.video-voip.com.dorm.com/Accept-Language", "CS Yara: Windows_Trojan_Qbot_1ac22a26 from ruleset Windows_Trojan_Qbot by Elastic Security", "https://otx.alienvault.com/pulse/65e85fd4842119fff4e327cf", "Crazy: video-lal.com/videos/michael-roberts.html", "303 Status. Ide redirect from: https://otx.alienvault.com/pulse/65e843669f4ba77affa4b297", "https://www.virustotal.com/gui/collection/1a911851d442fb25c6c63a6cbfe62be07ccd5b0f1eff0f07db8df5a23d1e2d23", "https://otx.alienvault.com/pulse/65418472eb20b10ee5510fde", "Tracey Richter smear: video-lal.com/videos/diabolical-sentencing.html", "Brashears smear: video-lal.com/videos/tsara-brashears-dead-by-daylight.html", "Unclear given names authentic. Michael Roberts, Darren Mitchell Meade , M. Brian Sabey could be used interchangeably. Black hats w/pseudonyms.", "https://crt.sh/?q=videolal.com", "Denver Attorney Frank Azar Smear: video-lal.com/videos/sherryce-emery-frank-azar-&-associates.html", "https://www.virustotal.com/gui/collection/1a911851d442fb25c6c63a6cbfe62be07ccd5b0f1eff0f07db8df5a23d1e2d23/iocs", "https://opensource.apple.com/source/security_certificates/security_certificates-2/Makefile.auto.html", "01.31.26 https://www.virustotal.com/gui/collection/8e9ce3584f26b9154be707edae1341ffbf3654036d5f623d2a4c0593fa3729a4/iocs", "https://polyswarm.network/scan/results/url/b90bd2fbc0b269c2355b17ce439872ce2795d5d297c2321c704c451293830887", "https://opensource.apple.com/source/security_certificates/security_certificates-2/roots/", "https://opensource.apple.com/source/security_certificates/", "CS Sigma: User with Privileges Logon by frack113", "http://usb.smithtech.us \u2022 http://usb.smithtech.us/apps/downloads/NSISPortable.exe \u2022 http://usb.smithtech.us/apps/downloads/xplorer2.lite.portable.exe", "https://www.virustotal.com/graph/embed/gd3d17be766b04b91a5de8ddd5b16415eb8efe15309a14f5f9584649fd216ca12?theme=dark", "https://www.virustotal.com/gui/collection/8e9ce3584f26b9154be707edae1341ffbf3654036d5f623d2a4c0593fa3729a4/iocs", "https://metadefender.com/results/url/aHR0cHM6Ly9hc3Ryb211c3QuY29t", "brain-portal.net", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://www.hybrid-analysis.com/sample/00defff362d7d7129f891a2934b04b2ed53e6d951a2211e0846eca4f69c8d67b/682bbc44b7f58e83f50c9316", "Refuses to remove target from adult content \"tagging\"", "win_qakbot_auto from ruleset win.qakbot_auto by Felix Bilstein - yara-signator at cocacoding dot com", "https://opensource.apple.com/source/security_certificates/security_certificates-2/security_certificates.xcode/", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h", "Tracey Richter smear: video-lal.com/video/26kiRlUTTmGzje2/diabolical-women-tracey-richter-s1-e2?cpc=n" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "[Unnamed group]" ], "malware_families": [ "Win.malware.farfli-6824119-0", "Astrostation", "Generic", "Trojan.zusy/qbot", "Artro", "Win32:trojanx-gen[trj]", "Qakbot" ], "industries": [ "Healthcare", "Telecommunications", "Technology", "Education", "Civil society", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 18, "pulses": [ { "id": "69fc4d77afa81737a1d6262c", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:56.667000", "created": "2026-05-07T08:29:43.174000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 29, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 431, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fc4d769e89dc96fce03ffe", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:56.571000", "created": "2026-05-07T08:29:42.377000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 29, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 431, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fc4d75bbb155224dcb27b7", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:55.728000", "created": "2026-05-07T08:29:41.963000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 30, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 432, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4594ea685ae6b9912f97b", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-05-07T01:01:09.875000", "created": "2026-04-07T01:09:34.613000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "hostname": 101 }, "indicator_count": 3481, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595cd9283fc7a5aa03ab", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-05-07T01:01:09.875000", "created": "2026-04-07T01:09:48.152000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 195, "domain": 120, "hostname": 101, "CVE": 1 }, "indicator_count": 3483, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595beae76fc81c99cf63", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-05-07T01:01:09.875000", "created": "2026-04-07T01:09:47.895000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "hostname": 101 }, "indicator_count": 3481, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595bad55db9318902436", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-05-07T01:01:09.875000", "created": "2026-04-07T01:09:47.753000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "hostname": 101 }, "indicator_count": 3481, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595b8c340900560463a8", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-05-07T01:01:09.875000", "created": "2026-04-07T01:09:47.893000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "hostname": 101 }, "indicator_count": 3481, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4595a99f229f5b99ce366", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-05-07T01:01:09.875000", "created": "2026-04-07T01:09:46.696000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "hostname": 101 }, "indicator_count": 3481, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d45947ce0025cf5afbb117", "name": "VirusTotal Windows Sandbox - steganography", "description": "A full analysis of data gathered from an archive of files stored on a server at the University of California, Los Angeles, and stored in a secure server, has been published online by the National Security Agency (NSA).", "modified": "2026-05-07T01:01:09.875000", "created": "2026-04-07T01:09:27.333000", "tags": [ "windows sandbox", "calls clear", "file type", "png image", "rgba", "ms windows", "mpeg adts", "monaural", "jpeg image", "jfif", "gif image", "ascii text", "burma", "persistence", "window", "malicious", "union", "next", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "php script", "ascii", "crlf line", "unix", "mitre attack", "wed jun", "overview", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "creates", "network info", "sigma", "defense evasion", "sample", "t1055 process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fdaa5bef329a103c6a38f971023a23214954b2038f74091fcb85a6c5b3ee6793_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524056&Signature=IRSYa160YBvfdiw9tFfaCqtY9z8rs45D1Ve6%2BpTMouiseLJI%2F4JyM0rAk55VfNmIzUGfryzxeHvYct6ob6QriZBkNDXCbk6M3QVOAqXQrpNBhFRpRMzqvG4bGBzfXaGO3JH%2FTaYejWQRB7Mjas3ENDiTanlcgTbBa9F0dlIn9glEYIvRq5IaDr1xMbyygt4IT0oJ2B27OxFY8TcpM4T3emxrp17iYN%2FF3Imo6bFRTYVHFbPF", "https://vtbehaviour.commondatastorage.googleapis.com/1cf762ebb36225bf2de49fd9baa4a724fb6fc6552982f7cde3eb8750a1396dec_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524101&Signature=YafvX%2FKbHVKXFED6nVuUgoWZdNWqqwItgxDl5Bp9Zdo%2Ff%2FTWC5kJWRGA47ZowHZh4EHc%2FFCAhOR4hifZEhlDC9cbmSs%2FMY5ulZLp78eChDgCY4CIs2SwjotobahaTms3z7t7TRUdIHKGnwY%2BBKFBQDjnoeTV7AOaSpqizw51XA60Hu%2BUYVLPbGrLff%2B64VYK3uuHUNH1TrAYfUa%2BkJqwlpueD%2Bcp4iqLPBZC%2Fje1DnEVe8e%", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524206&Signature=gWMfmLkoqQlDMb2RkNFcKrRqEBTNwkGuJnOc9uYaCYYGUohkAqUCNV2fjuOBD99RjZOm8wqWNn%2FXYjXHsOu2xg1EehIoxPcojD6qR1oGvRdqYtGScazp5qTmu2Mt95kBncGOrN3FpTiqA2TEqGmHrtBquZHDt7huxi3puJ3z0X1nqPFbmirt%2FRkfDFS9TEQp6piBIbuuoVClP9myw%2FdSfLOMovw4i0CKwtUFikUQ", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524231&Signature=Wv5G2ljAtLZs5UD7wbg53RFvucHo7IiRhkyNVLmeK6NA42BzJseS4otL9OJksO0gkN3drBP2pHrsvpqZqi7sTKiOXrVsQiR9kD1qF4wp7uKJfdbPjqUwlanEbw5yw5kd0CSm9P6dQm1uok3EVaAdczKUEAbW2aMMiUzm4WkW2MEFZaL0f2guNhLxgcALLfBbr%2BaPq6FvfadgfDFj1rHHbiG7L4%2FWVnyJeK%2BpMRcTKcx%2FvKJPKycGQtIQzPlg7a", "https://vtbehaviour.commondatastorage.googleapis.com/85b51c6796de06101424d187c6bca9f90da990eabe4045a0006bc7c1bf8dc4b3_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524270&Signature=Yn%2ByoAMXhl%2Fwe0poWrffqiJpt3ipHbmhmOj3wrO%2Bv0aI4XM%2BGTb3WYnUbwO%2BB4%2FvHy5B2E%2FI7lF5iq%2BFIW9tRm2ZBhCZY8p9zroZfwv1uFCqifhQLOzXFHGMp%2FptY89k%2B3c4Yi%2BoV6DCdRmHM9fAY5Y%2F%2FSzimGN6G2gOBFIFrOiAaMr1OO4tCC2KBL0a7pAYEx7pUEonfvjmdj2S7X8ZF2s4yhp30aASJGdx", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524306&Signature=cXthPzwlRZxsgwUQSNKMDsPG6OynZQby1pdDJzqxAgQCcbcq37BfhqePhPxs9aKAB2o1j55rzzqlUEwiBke5LjKvRpZTJih560GCz5YWc9qeHPBBv%2FVcUEL%2FhoqasTTjfAJjT1l%2BzRVeQ%2B%2F8cuEf9QIfBl%2BvXhzSB%2B9p0JtpepQKunyqYNbRyzJ5S23SKkW3sqxPkbN0ywosD9wAT%2FqPRrowVS1rou", "https://vtbehaviour.commondatastorage.googleapis.com/de5a9417dec59d03c07c57078270197621ac62397b5a691f07af522441f7e58a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775524330&Signature=ZJzvK6ex%2B4WDprMFZXUHM%2BlO6Ocvx3kqb%2FSV%2Br7oW4AldeE%2FSYCUkm1fOjShI0dT2puSwxTD0dbfVH%2FxiHe5YY9c68q0bgC%2FdWgIIlm5IPfDNaglObv3%2BFsaR%2Bbt%2F2za%2FHaRujccLsITjfKH55VkVPdFNOTWeypsbVndDtzOkIkK3VmWNZQGEQnJ1HqMlPPfWvp5r58eVXUhAT%2BbwZ9Sg9LXqdGPZsBgt5hdKVT%2Bev4h" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 71, "FileHash-SHA1": 74, "FileHash-SHA256": 2921, "URL": 194, "domain": 120, "hostname": 101 }, "indicator_count": 3481, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "gnu.org", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "gnu.org", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780206494.3697042 }