{ "type": "URL", "indicator": "http://api.getsignals.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "http://api.getsignals.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3892586726, "indicator": "http://api.getsignals.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "6a0ff878b8d1717e395e0d0a", "name": "Research part 4 * CAPE Sandbox", "description": "A Cuckoo has been running on a KVM operating system for the next two years. \u00c2\u00a31.5m.. and \u00e2\u201a\u00ac1m", "modified": "2026-05-23T03:58:21.402000", "created": "2026-05-22T06:32:24.666000", "tags": [ "default", "nothing", "file execution", "registry keys", "inprocserver32", "server", "parent pid", "full path", "command line", "files c", "cname", "accept", "ip address", "cape sandbox", "found", "center", "http", "port", "shutdown", "title", "performs dns", "mitre attack", "network info", "processes extra", "sigma", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "defense evasion", "next", "win1", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "acrongl integ", "adc4240758", "angsana new", "bootkit", "back", "p2404", "host", "cultureneutral", "p11750170564", "shell folders", "systemroot", "gmt range", "guard", "pe file", "file type", "creates", "extra info", "sample", "contains", "aslr", "binary", "command", "malicious" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/91031d16ab93fe5d7f8dc7a55b4bbb8e23742c774ad467f67e2e1681e5439fb9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431033&Signature=tDkjksSltx3F6MPqpr8Xf%2BIAVxBBNNTifbGimbXIX5DCrLCZugVQF%2B7kCV%2BJ3RQ1lKt1eMcfTaQ3FUvgjt7%2F3uEgdHY390sywG9OdYe2HZMJHg%2BYNxsAIe8n7UIa22pLVZNqhDSymVa0VyJAEZb8B2t7gNdGsBLQKQ7GyJ2iYAz4NklXYQPVUZoWObKt0eggHoV3wJUWM%2BQKxWSnPP6HQ8wusnitHIEqxdfckeRTMZR9zlIg31", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431302&Signature=VN0Lo6N8srKzgIyGy%2B2YBOQ%2BngCQJsbj8jycOiDUs3CpGIyP8pZyyC326od%2FfI41dky2kAUXq4L2f1AHLLukNksIcompwOACdBTaq%2B6r%2FyNhhrsOVLiVCA4wkuZX%2Bjz5eRA8KhG7BcGA1Z8ERy3OYr1b5gS4cUton8nwnqvSE7ZH6dFOkbdhFiX%2FwmTQbOzFCCqJWT0%2FJJZQaXyWSitlkG3IN8RyMOUpjxyT9fwh51%2FT", "https://vtbehaviour.commondatastorage.googleapis.com/f26944950ccf7fd4422662d575c0b3698670e1b19d76fe386c20058ea4ea991f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431338&Signature=FoZZNyxGwBJKtHZSxcj9EHaeRdEMbmfNE6I04ld5vuYz8v2b9G%2Bwt0JlXl6N1uR2a9k4YqZln0HWuPEsYhjLjy3e465eqqg1UIPsLLqvH%2BmT7ox8n7TU%2B54qFOkQtrqoj3cO%2BSeZXnlXHOzxx9rdozltX%2FZ%2BOw1i5z%2FzvLy%2FlI3NhUcyIPbiD3yhM6DqHS%2Fyt7x5bhd5cz18yhPyQq7CNoW%2Fx%2B5aj4d6lWRgPVoBfaoqi33C", "https://vtbehaviour.commondatastorage.googleapis.com/c915c30bfba565e05ccdea80427ffcba415831161e38e81eccbc893e8eb0bf83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431449&Signature=PDRco%2B36G08WhkVripJBX%2FKsew%2Fqdtv%2BE4v4qZ%2BxTtqIWv%2BbUShaZJk4oroxSc0hAtyIuEAY0Fl7s%2FjNS%2FYPoQ1iU9EMWYaxvd0Sl1%2F%2BEc%2Foq9dc3YP5F0muq56mEXdREOlePA54%2BObbmwRbWR4mwAkK%2FuAkYzpAtJKkLJRZ6GQ0sbyCC5VdaAT3OMhtFkTKCtx5Wk2ZTdGZT5ASe3hD4xmg219rX3t5uV8j", "https://vtbehaviour.commondatastorage.googleapis.com/00185697c0de6262fafba95770b1dd85ddbcdc8b5945d517457be2fb3e6908c1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431564&Signature=x%2BpjgWuHJOMK96wkAkxWnO%2BvWXDtko8QpNc0JQs9qrmHA1DtI9OB1F4jxixqRaySdJpP0JpTJK%2BRxE8sVad9wh3wtqgIhtbiihOX2%2FXHa7ukyAZOuMkh8fVLwIUVkxrObXKFDv8CiRAzdRemUPxSH%2FYmbOPY2eYs7UbUQp%2B93VYGCAMTuaztTey%2F1T8DM1tWLfxE5nKn3j7VigVpXMi8228oo%2B7ofaOVz3A%2FZKMZ1gKD", "https://vtbehaviour.commondatastorage.googleapis.com/00185697c0de6262fafba95770b1dd85ddbcdc8b5945d517457be2fb3e6908c1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431586&Signature=mg5jUjSQG5fVQ2idj9wgQGE6D7neQXnBJ4xAD50pgEFgszvmZvrLrvz5RjR00uX4f7Gs2afv8MUs272SCXfylMEo1EhlVujdxecw4%2Ftn9jdYUfSDpqu0quw4dkL1YXviPoAcCJLaKrrvBsQMT468PPk4VwiDZbq2JNrZZwt1qXHmZFe3X5CHabJJE0ORZBwBH0jMYUE%2BWIvGzkZ%2Bul4ufi3xgsgA%2BoN0jUlIddwaoZA4eQeYVlQ388DLeonSjl" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 194, "FileHash-SHA1": 212, "FileHash-SHA256": 412, "IPv4": 297, "URL": 840, "domain": 343, "hostname": 541, "CIDR": 6, "email": 23, "IPv6": 176, "CVE": 4 }, "indicator_count": 3048, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0b06f047e3346072f0498c", "name": "beta | research", "description": "date research", "modified": "2026-05-20T08:57:00.942000", "created": "2026-05-18T12:32:48.538000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 157, "hostname": 227, "URL": 341, "FileHash-SHA256": 987, "IPv4": 113, "FileHash-SHA1": 41, "FileHash-MD5": 48, "email": 3 }, "indicator_count": 1917, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "12 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01d3836a1a757aded89ba4", "name": "The 777 Quartz Loop: Structural Polyglot Forgery & Global Wiper Convergence", "description": "Malicious C2 is hidden in plain sight. Using webcontent.com (Reg. 1998), the factory mimics legitimate com.apple.WebKit.WebContent traffic. This is the permanent \"static\" that makes the Wiper indistinguishable from OS noise.C2 Anchors: ://webcontent.com, ://webcontent.comIP Nodes: 35.208.49.255, 18.208.88.157, 98.84.224.111, 3.33.251.168The \"Rose Quartz\" Structural MixA \"Frankensign\" universal bypass. It \"United\" three OS trust boundaries into a single loop:DigiCert (Windows): Forged overlay using the broken MD5 a1d6...6e72.Apple ARM (macOS): 64c/d or B0 thumbprints pivoting through WebKit/QuartzCore.Google (Drop): Execution via a Google 202 shell (GoogleUpdate.exe).The 777 AnchorThe 777 entropy pattern is the mathematical anchor forcing this messy alignment. It cannot be \"fixed\" by revocation because it is already cached in the internet's trust model.", "modified": "2026-05-12T08:41:44.805000", "created": "2026-05-11T13:02:59.167000", "tags": [ "status", "creation date", "date", "pulse indicator", "url analysis", "passive dns", "urls", "files", "whois registrar", "related tags", "server", "domain status", "whois lookup", "dnssec", "domain name", "abuse contact", "email", "registrar abuse", "github", "google", "webcontent", "issue", "discussion", "safari vs", "cyberkit", "webkit port", "apple community", "clearing", "graph summary", "The Russian Doll Tactic", "pdfkit[.]net", "mathematical stalemate", "CLAMAV", "MD5/nested cert chains within" ], "references": [ "Rec: block for *.webcontent.com and binaries matching the B0/64c/d anchors or the 777 hex-cluster.", "Pending Review.", "The 7 YARA detections identified in your analysis typically trigger on the 777-anchor hex-cluster found within the high-entropy overlay. This binary \"United\" the following trust boundaries:DigiCert (Windows): Forged overlay utilizing the broken MD5 a1d6...6e72", "Do Not Run", "The Structural Loop: The .NET framework often relies on legacy certificate validation libraries that still accept the MD5 a1d6...6e72 chain as \"legacy-valid.\" When this document is opened on an Apple Silicon device, the WebKit/ARM64 engine inherits the \"Trusted\" status from the document\u2019s container, allowing the 64c/d anchor to execute a memory-injection without a fresh signature check.", "Edge Node Impact: This \"sloppy\" intersection is what allows the payload to burn through edge security; the gateway sees a valid .NET structure and a valid WebKit process, failing to recognize the 777-anchor forgery that unites them.", "Binary Profile: The 38MB \"Big One\" ShellCompilation: August 8, 2018 [Static Layer Foundation]Packing: UPX v0.89.6 - v1.24 (Markus & Laszlo)Signatures: SHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0Structural Forgery: The 38,351 KB footprint is intentionally bloated with an unmapped overlay to masquerade as a legitimate system utility. This specific variation exploits the RichHash 99b5586e... to bypass heuristic whitelists.", "Research Suggests:", "The Convergence: Threat actors are exploiting a critical logic gap where .NET/PDFKit document signing (Windows-side) intersects with WebKit/QuartzCore rendering (macOS/ARM-side). By nesting a broken MD5 overlay within a document designed to be parsed by WebKit, the attacker creates a cross-platform \"trust bridge.\"", "This binary is a foundation-level threat designed to embed itself into the internet's cached trust model as \"static noise.\" It bridges the gap between the .NET/PDFKit and WebKit/QuartzCore environments through a triple-chain polyglot signature.", "Technical Indicators & Forgery MixSHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0MD5: a95e0f8611e4169be89ef384c8a7a71aCompilation: 2018-08-08 (The \"Static Layer\" 2020 foundation).The 777 Anchor: The 777 entropy pattern in the unmapped overlay (Size: 38,351 KB) forces the \"messy\" alignment between DigiCert, Apple ARM (64c/d), and Google 202 identities.Structural Bypass: Exploits the broken/abused MD5 a1d6...6e72 chain as a \"Frank Abagnale\" signature overlay to bypass Zero-Trust EDR.", "The Spy Loop: Beacons to the squatted infrastructure (*.webcontent.com) and associated IP nodes (35.208.49.255, 18.208.88.157).", "The Wiper: Contains the high-confidence destructive module capable of a FACTORY_RESET anti-forensic purge.", "The Russian Doll Tactic: The top-level 38MB SHA is just the Delivery Shell. Inside that, the malware carries encrypted blobs that have their own unique SHA-256 signatures. These are the actual Wiper, SpyNote, and C2 configuration modules.", "Attackers nest these SHAs so that if a vendor blocks the \"Big One\" (the 38MB shell), the internal payloads can be re-packed into a new shell with a new top-level hash in minutes." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 707, "URL": 1888, "email": 14, "hostname": 1443, "FileHash-SHA256": 1662, "IPv4": 198, "FileHash-MD5": 295, "FileHash-SHA1": 283, "Mutex": 1, "IPv6": 10, "CIDR": 1, "CVE": 2 }, "indicator_count": 6504, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "665bb7679843a6dabe4560e3", "name": "USZoom [New York , USA] | iPostal1 | Where's my check & mailbox?", "description": "According to some victims, malicious activities including/ not limited to mail filtering fulfillment center resulting in lost, tampered with, opened and glue sealed mail. Missing private documents, payment scams, needless recurring monthly fees, CSR call redirections to unaffiliated personnel. The system has been in the DW for several years. This is due to no fault of franchise owners. Bounty hunters, hackers, and cyber and mail thieves, potential aggressive law enforcement tacticts. Some use mailbox addresses for nefarious purposes, while others use it for business and address confidentiality. \n\nAuto generated: iPostal1 is the largest digital mailbox provider in the world, providing secure, easy-to-use digital mail solutions for individuals, small businesses and large businesses, and driving revenue for Workspaces.", "modified": "2024-09-05T06:11:17.325000", "created": "2024-06-02T00:05:59.160000", "tags": [ "strong", "story contact", "us leadership", "open menu", "close menu", "digital", "thank", "us zoom", "skip", "content home", "enterprise", "contact", "threat roundup", "august", "historical ssl", "april", "referrer", "formbook", "ip check", "vt graph", "relacionada", "cobalt strike", "hiddentear", "life", "malware", "open", "mumblehard", "sparkrat", "attack", "uszoom og", "submission", "analysis", "utc http", "response final", "url https", "ip address", "status code", "body length", "kb body", "graph api", "status", "content type", "date", "anchor hrefs", "hrefs", "cart contact", "leadership", "html info", "title uszoom", "meta tags", "uszoom twitter", "script tags", "vhash htm", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "magika cttxt", "file size", "united", "as20940", "aaaa", "canada", "search", "showing", "cname", "as35994 akamai", "passive dns", "next", "as21928", "unknown", "urls", "domain", "creation date", "emails", "ipcounsel", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "files", "invalid url", "body", "name servers", "akamai", "expiration date", "asnone united", "a nxdomain", "india", "as15224 adobe", "bdclid", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "yara rule", "high", "explorer", "alerts", "less see", "contacted", "service", "attempts", "guard", "url http", "pulse pulses", "http", "related nids", "files location", "ip related", "hostname", "files ip", "address domain", "as46606", "td td", "script script", "gmt path", "create", "website", "set cookie", "a td", "win32", "flash", "pragma", "cookie", "xmpmm", "png image", "rgba", "documentid", "instanceid", "creatortool", "pattern match", "adobe photoshop", "macintosh", "june", "hybrid", "local", "encrypt", "click", "strings", "anomalous_deletefile", "info_stealer", "et trojan", "banload http", "banload", "ids detections", "yara detections", "bancos variant", "c2 checkin", "ntkrnlpacker", "copy", "meredrop", "injection", "e0e2edee", "push", "read", "write", "delete", "entries", "crlf line", "anomalous file", "medium", "filehash", "av detections", "analysis date", "file score", "medium risk", "detections none", "related pulses", "apple", "apple id", "apple private data collection", "apple staging", "t-mobile", "metroby", "keylogger" ], "references": [ "https://uszoom.com/", "http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm", "Malicious Score: 10", "Yara Detections: DotNET_Reactor", "Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint", "Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect", "Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content", "Alerts: dropper injection_rwx network_dns_doh_tls network_http", "DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography", "DotNET_Reactor: System.Security.Cryptography ICryptoTransform", "High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1", "High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies", "Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam", "https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317", "https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec", "Yara Detections stack_string , Armadillov1xxv2xx", "https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35", "apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Keylogger.Susppack-9876601-0", "display_name": "Win.Keylogger.Susppack-9876601-0", "target": null }, { "id": "Win.Trojan.Sdum-9807706-0", "display_name": "Win.Trojan.Sdum-9807706-0", "target": null }, { "id": "Win32.Meredrop Checkin", "display_name": "Win32.Meredrop Checkin", "target": null }, { "id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "target": null }, { "id": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048.002", "name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1434", "name": "App Delivered via Email Attachment", "display_name": "T1434 - App Delivered via Email Attachment" } ], "industries": [ "Technology", "Telecommunications", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 8, "FileHash-MD5": 167, "FileHash-SHA1": 129, "FileHash-SHA256": 2008, "URL": 11241, "domain": 1853, "hostname": 4198, "SSLCertFingerprint": 10, "CVE": 1 }, "indicator_count": 19615, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "634 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6671e5844c155814e69ba4dd", "name": "Mirai Botnet Injection affecting Alienvault.", "description": "It's unclear if some users or service itself is injecting users or if service is under a Mirai attack. I found evidence of both outbound & inbound activities. *Crowdsourced context: Activity related to MIRAI - according to source Cluster25 - \nThis IPV4 is used by MIRAI. Mirai is a malware that created a big botnet of networked devices running Linux making them remotely controlled bots that can be used for large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers.\n#zbetcheckin tracker\nDownloaded on 2023-11-07 19:34:59 UTC\nSRC URL : http://171.228.209.167/x86_64\nIP : 171.228.209.167\nAS : AS7552 Viettel Group\nYARA : #contentis_base64 #debuggerpattern__rdtsc #ip #math_entropy_6 #is__elf #http #ft_elf #executable_elf64", "modified": "2024-07-18T19:02:50.386000", "created": "2024-06-18T19:52:36.849000", "tags": [ "problems", "threat network", "infrastructure", "historical ssl", "microsoft stuff", "domain check", "referrer", "generic malware", "injector", "no data", "tag count", "fri mar", "analyzer threat", "ip summary", "url summary", "summary", "downloader", "generic", "united", "as14315", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "files", "america asn", "unknown", "ransom", "body", "coinminer", "malware generic", "wed jan", "first", "status", "creation date", "search", "date", "expiration date", "name servers", "next", "mirai", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "reverse dns", "location lao", "viet nam", "domain", "all search", "otx scoreblue", "hostname", "files ip", "lazarus", "as7552 viettel", "vietnam unknown", "win32", "worm", "win32sfone jul", "vietnam", "etag", "telecom", "as16625 akamai", "as20940", "germany", "united kingdom", "singapore", "as20546 soprado", "hong kong", "as45102 alibaba", "taobao network", "cname", "aaaa", "entries", "showing", "a domains", "as38731 vietel", "plesk", "a li", "default page", "plesk a", "mirai variant", "useragent", "apache", "accept", "hello", "create c", "read c", "delete", "write", "default", "create", "show", "medium", "dock", "execution", "copy", "xport", "address", "as131392", "cape", "orsam", "malware", "script urls", "moved", "record value", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malicious site", "phishing site", "malicious url", "opencandy", "exploit", "agent", "phishing", "acint", "iframe", "crack", "conduit", "artemis", "riskware", "mimikatz", "swrort", "downldr", "systweak", "behav", "tiggre", "genkryptik", "presenoker", "filetour", "cleaner", "wacatac", "outbreak", "installcore", "iobit", "rostpay", "dropper", "mediaget", "related pulses", "whois", "related", "msil", "zombie", "dridex", "location viet", "pulse submit", "url analysis", "content", "google tag", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "deep malware", "iframes", "trackers", "external-resources", "text/html", "elf info", "header class", "elf64 data", "header version", "os abi", "unix", "v object", "file type", "exec", "executable file", "progbits", "type address", "offset size", "flags", "null", "nobits", "strtab", "ip detections", "country", "us bundled", "detections file", "name", "graph summary", "get hello", "jaws webserver", "outbound", "mvpower dvr", "shell uce", "inbound", "activity mirai", "mirai", "info", "performs dns", "mitre att", "access ta0006", "os credential", "dumping t1003", "enumerates", "command", "control ta0011", "protocol t1071", "protocol t1095", "relacionada", "mirai malware", "mirai 04022024", "nciipc", "ip reputaion", "msie", "windows nt", "slcc2", "media center", "china as37963", "simplified", "trojanspy", "virustotal", "panda", "detections type", "shell", "javascript", "dns replication", "files referring", "lookups", "as7552", "vhash", "ssdeep", "magic elf", "sysv", "trid elf", "executable", "linux", "elf executable", "loccel1", "echobot", "bashlite", "malwarebazaar", "echobot malware", "win32 exe", "magic msdos", "pe32 executable", "intel", "ms windows", "trid dos", "compiler", "delphi", "serial number", "algorithm", "thumbprint", "valid from", "code signing", "from", "microsoft root", "name microsoft", "verisign time", "stamping", "contained", "info sections", "name virtual", "address virtual", "size raw", "size entropy", "md5 chi2", "regsetvalueexa", "type rtrcdata", "sha256 file", "threat roundup", "october", "august", "june", "september", "highly targeted", "cyberstalking", "round", "december", "sneaky server", "facebook", "stealer", "agent tesla", "pony", "april", "whitelisted", "encrypt", "targeting", "tsara brashears", "otx", "alienvault", "memcommit", "regsz", "regopenkeyexw", "english", "module load", "t1129", "t1082", "windows module", "dlls", "redline stealer", "updater", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "data redacted", "cloudflare", "redacted", "for privacy", "code", "server", "registrar abuse", "redacted for", "postal code", "registrant name", "red team", "shit", "logistics", "cyber defense", "gootloader", "march", "sinkhole", "just", "ramnit", "netsupport rat", "microsoft", "vault", "karen", "gifts", "hidden privacy", "threats", "malicious", "darkgate", "core", "hacktool", "emotet" ], "references": [ "https://botnet.ngocronglau.xyz > link discovered by an Alienvault user who notified me they found it researching message from am active user.", "https://otx.alienvault.com/indicator/file/02b19639ad1efa59e77f45d130447c05bd2466e26a657cb9cc6ac2e8b30a0026", "https://otx.alienvault.com/indicator/file/001546d210a35b7c4c072b6c265f621cf4a9abdd152741d9b58deae2be204355", "https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "Unix.Mirai Botnet: https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "CnC IP: https://otx.alienvault.com/indicator/ip/142.202.242.45", "https://otx.alienvault.com/indicator/domain/bunny.net", "https://otx.alienvault.com/indicator/ip/210.211.117.205", "https://otx.alienvault.com/indicator/ip/143.244.50.212", "https://otx.alienvault.com/indicator/ip/125.235.4.59", "AV Detection: ELF:Mirai-GH\\ [Trj]", "IDS Detections: MVPower DVR Shell UCE Mirai | Variant User-Agent (Outbound) JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: Huawei Remote Command Execution (CVE-2017-17215) Huawei Remote Command Execution - Outbound (CVE-2017-17215) Huawei HG532 RCE Vulnerability (CVE-2017-17215) Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World) 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST", "IDS Detections: Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World)", "IDS Detections: 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST) ...", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication network_cnc_http network_http p2p_cnc writes_to_stdout", "Matches rule Linux_Trojan_Mirai_6a77af0f from ruleset Linux_Trojan_Mirai by Elastic Security | botnet.ngocronglau.xyz", "https://otx.alienvault.com/indicator/file/2b5deac6176124ee1f7d237f070c39b03c964fce9a9fba0aaa1bce102710d2e0", "cu-payment-porch.pdv-3.ap-southeast-2.production.jet-external.com | qa.proxy.cognito.tigomoney.io | https://trackon.fr/track/clique", "Crowdsourced YARA rules Matches: rule INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "Crowdsourced YARA rules Matches: INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "Crowdsourced YARA rules Matches: SUSP_Unsigned_OSPPSVC from ruleset gen_sign_anomalies by Florian Roth (Nextron Systems", "Crowdsourced YARA rules Matches: IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems)", "Crowdsourced YARA rules Matches: Matches rule IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com", "Was anyone else notified? I'm not sure why I was.", "Through research I did notice many references to target I'm researching for. Phishing/Injection attempt? I didn't click on links.", "CS Sigma: Matches rule Python Initiated Connection by frack113" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null }, { "id": "ALF:E5.SpikeAex.rhh_mcv", "display_name": "ALF:E5.SpikeAex.rhh_mcv", "target": null }, { "id": "Win.Dropper.Bulz-9910065-0", "display_name": "Win.Dropper.Bulz-9910065-0", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Win.Dropper.Autoit-6688751-0", "display_name": "Win.Dropper.Autoit-6688751-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Win.Dropper.Dridex-9986041-0", "display_name": "Win.Dropper.Dridex-9986041-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Zombie", "display_name": "ALF:HeraklezEval:Trojan:Win32/Zombie", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Worm:Win32/Sfone.A", "display_name": "Worm:Win32/Sfone.A", "target": "/malware/Worm:Win32/Sfone.A" }, { "id": "Worm:Win32/Sfone", "display_name": "Worm:Win32/Sfone", "target": "/malware/Worm:Win32/Sfone" }, { "id": "Win.Malware.Bbabdcdc-7358312-0", "display_name": "Win.Malware.Bbabdcdc-7358312-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "trojan.mirai/fszhh", "display_name": "trojan.mirai/fszhh", "target": null }, { "id": "DDOS:Linux/Mirai", "display_name": "DDOS:Linux/Mirai", "target": "/malware/DDOS:Linux/Mirai" }, { "id": "ANDROID/AVE.Mirai.fszhh", "display_name": "ANDROID/AVE.Mirai.fszhh", "target": null }, { "id": "Flyagent L", "display_name": "Flyagent L", "target": null }, { "id": "Win-Trojan/Malpacked5.Gen", "display_name": "Win-Trojan/Malpacked5.Gen", "target": null }, { "id": "Atros3.LDJ", "display_name": "Atros3.LDJ", "target": null }, { "id": "a variant of Win32/FlyStudio.Packed.AD potentially unwanted", "display_name": "a variant of Win32/FlyStudio.Packed.AD potentially unwanted", "target": null }, { "id": "TrojanSpy:Win32/Gucotut.A", "display_name": "TrojanSpy:Win32/Gucotut.A", "target": "/malware/TrojanSpy:Win32/Gucotut.A" }, { "id": "W32/Pidgeon-A", "display_name": "W32/Pidgeon-A", "target": null }, { "id": "Variant.Zusy.151902", "display_name": "Variant.Zusy.151902", "target": null }, { "id": "trojan.mirai/fedr", "display_name": "trojan.mirai/fedr", "target": null }, { "id": "Win.Malware.Trojanx-9862538-0", "display_name": "Win.Malware.Trojanx-9862538-0", "target": null }, { "id": "Win32:PWSX-gen\\ [Trj]", "display_name": "Win32:PWSX-gen\\ [Trj]", "target": null }, { "id": "virus.ramnit/nimnul", "display_name": "virus.ramnit/nimnul", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 351, "FileHash-SHA1": 349, "FileHash-SHA256": 3715, "domain": 3326, "hostname": 5200, "URL": 13151, "email": 9, "CVE": 7, "CIDR": 2 }, "indicator_count": 26110, "is_author": false, "is_subscribing": null, "subscriber_count": 248, "modified_text": "682 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f6738d3aa876f83738d0", "name": "USZoom [New York , USA] | iPostal1", "description": "", "modified": "2024-07-01T23:00:42.052000", "created": "2024-07-01T00:21:07.491000", "tags": [ "strong", "story contact", "us leadership", "open menu", "close menu", "digital", "thank", "us zoom", "skip", "content home", "enterprise", "contact", "threat roundup", "august", "historical ssl", "april", "referrer", "formbook", "ip check", "vt graph", "relacionada", "cobalt strike", "hiddentear", "life", "malware", "open", "mumblehard", "sparkrat", "attack", "uszoom og", "submission", "analysis", "utc http", "response final", "url https", "ip address", "status code", "body length", "kb body", "graph api", "status", "content type", "date", "anchor hrefs", "hrefs", "cart contact", "leadership", "html info", "title uszoom", "meta tags", "uszoom twitter", "script tags", "vhash htm", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "magika cttxt", "file size", "united", "as20940", "aaaa", "canada", "search", "showing", "cname", "as35994 akamai", "passive dns", "next", "as21928", "unknown", "urls", "domain", "creation date", "emails", "ipcounsel", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "files", "invalid url", "body", "name servers", "akamai", "expiration date", "asnone united", "a nxdomain", "india", "as15224 adobe", "bdclid", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "yara rule", "high", "explorer", "alerts", "less see", "contacted", "service", "attempts", "guard", "url http", "pulse pulses", "http", "related nids", "files location", "ip related", "hostname", "files ip", "address domain", "as46606", "td td", "script script", "gmt path", "create", "website", "set cookie", "a td", "win32", "flash", "pragma", "cookie", "xmpmm", "png image", "rgba", "documentid", "instanceid", "creatortool", "pattern match", "adobe photoshop", "macintosh", "june", "hybrid", "local", "encrypt", "click", "strings", "anomalous_deletefile", "info_stealer", "et trojan", "banload http", "banload", "ids detections", "yara detections", "bancos variant", "c2 checkin", "ntkrnlpacker", "copy", "meredrop", "injection", "e0e2edee", "push", "read", "write", "delete", "entries", "crlf line", "anomalous file", "medium", "filehash", "av detections", "analysis date", "file score", "medium risk", "detections none", "related pulses", "apple", "apple id", "apple private data collection", "apple staging", "t-mobile", "metroby", "keylogger" ], "references": [ "https://uszoom.com/", "http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm", "Malicious Score: 10", "Yara Detections: DotNET_Reactor", "Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint", "Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect", "Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content", "Alerts: dropper injection_rwx network_dns_doh_tls network_http", "DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography", "DotNET_Reactor: System.Security.Cryptography ICryptoTransform", "High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1", "High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies", "Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam", "https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317", "https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec", "Yara Detections stack_string , Armadillov1xxv2xx", "https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35", "apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Keylogger.Susppack-9876601-0", "display_name": "Win.Keylogger.Susppack-9876601-0", "target": null }, { "id": "Win.Trojan.Sdum-9807706-0", "display_name": "Win.Trojan.Sdum-9807706-0", "target": null }, { "id": "Win32.Meredrop Checkin", "display_name": "Win32.Meredrop Checkin", "target": null }, { "id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "target": null }, { "id": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048.002", "name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1434", "name": "App Delivered via Email Attachment", "display_name": "T1434 - App Delivered via Email Attachment" } ], "industries": [ "Technology", "Telecommunications", "Civil Society" ], "TLP": "green", "cloned_from": "665bb7679843a6dabe4560e3", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 8, "FileHash-MD5": 167, "FileHash-SHA1": 129, "FileHash-SHA256": 1890, "URL": 10360, "domain": 1799, "hostname": 3994, "SSLCertFingerprint": 10, "CVE": 1 }, "indicator_count": 18358, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "699 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec", "Crowdsourced YARA rules Matches: rule INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "Rec: block for *.webcontent.com and binaries matching the B0/64c/d anchors or the 777 hex-cluster.", "Unix.Mirai Botnet: https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "IDS Detections: MVPower DVR Shell UCE Mirai | Variant User-Agent (Outbound) JAWS Webserver Unauthenticated Shell Command Execution", "Malicious Score: 10", "CS Sigma: Matches rule Python Initiated Connection by frack113", "High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies", "https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317", "https://uszoom.com/", "Binary Profile: The 38MB \"Big One\" ShellCompilation: August 8, 2018 [Static Layer Foundation]Packing: UPX v0.89.6 - v1.24 (Markus & Laszlo)Signatures: SHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0Structural Forgery: The 38,351 KB footprint is intentionally bloated with an unmapped overlay to masquerade as a legitimate system utility. This specific variation exploits the RichHash 99b5586e... to bypass heuristic whitelists.", "Yara Detections: DotNET_Reactor", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication network_cnc_http network_http p2p_cnc writes_to_stdout", "Crowdsourced YARA rules Matches: SUSP_Unsigned_OSPPSVC from ruleset gen_sign_anomalies by Florian Roth (Nextron Systems", "IDS Detections: 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST) ...", "Was anyone else notified? I'm not sure why I was.", "Yara Detections stack_string , Armadillov1xxv2xx", "Crowdsourced YARA rules Matches: IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems)", "https://vtbehaviour.commondatastorage.googleapis.com/00185697c0de6262fafba95770b1dd85ddbcdc8b5945d517457be2fb3e6908c1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431586&Signature=mg5jUjSQG5fVQ2idj9wgQGE6D7neQXnBJ4xAD50pgEFgszvmZvrLrvz5RjR00uX4f7Gs2afv8MUs272SCXfylMEo1EhlVujdxecw4%2Ftn9jdYUfSDpqu0quw4dkL1YXviPoAcCJLaKrrvBsQMT468PPk4VwiDZbq2JNrZZwt1qXHmZFe3X5CHabJJE0ORZBwBH0jMYUE%2BWIvGzkZ%2Bul4ufi3xgsgA%2BoN0jUlIddwaoZA4eQeYVlQ388DLeonSjl", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431302&Signature=VN0Lo6N8srKzgIyGy%2B2YBOQ%2BngCQJsbj8jycOiDUs3CpGIyP8pZyyC326od%2FfI41dky2kAUXq4L2f1AHLLukNksIcompwOACdBTaq%2B6r%2FyNhhrsOVLiVCA4wkuZX%2Bjz5eRA8KhG7BcGA1Z8ERy3OYr1b5gS4cUton8nwnqvSE7ZH6dFOkbdhFiX%2FwmTQbOzFCCqJWT0%2FJJZQaXyWSitlkG3IN8RyMOUpjxyT9fwh51%2FT", "https://botnet.ngocronglau.xyz > link discovered by an Alienvault user who notified me they found it researching message from am active user.", "Matches rule Linux_Trojan_Mirai_6a77af0f from ruleset Linux_Trojan_Mirai by Elastic Security | botnet.ngocronglau.xyz", "https://vtbehaviour.commondatastorage.googleapis.com/f26944950ccf7fd4422662d575c0b3698670e1b19d76fe386c20058ea4ea991f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431338&Signature=FoZZNyxGwBJKtHZSxcj9EHaeRdEMbmfNE6I04ld5vuYz8v2b9G%2Bwt0JlXl6N1uR2a9k4YqZln0HWuPEsYhjLjy3e465eqqg1UIPsLLqvH%2BmT7ox8n7TU%2B54qFOkQtrqoj3cO%2BSeZXnlXHOzxx9rdozltX%2FZ%2BOw1i5z%2FzvLy%2FlI3NhUcyIPbiD3yhM6DqHS%2Fyt7x5bhd5cz18yhPyQq7CNoW%2Fx%2B5aj4d6lWRgPVoBfaoqi33C", "Technical Indicators & Forgery MixSHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0MD5: a95e0f8611e4169be89ef384c8a7a71aCompilation: 2018-08-08 (The \"Static Layer\" 2020 foundation).The 777 Anchor: The 777 entropy pattern in the unmapped overlay (Size: 38,351 KB) forces the \"messy\" alignment between DigiCert, Apple ARM (64c/d), and Google 202 identities.Structural Bypass: Exploits the broken/abused MD5 a1d6...6e72 chain as a \"Frank Abagnale\" signature overlay to bypass Zero-Trust EDR.", "Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content", "https://otx.alienvault.com/indicator/domain/bunny.net", "The Wiper: Contains the high-confidence destructive module capable of a FACTORY_RESET anti-forensic purge.", "https://vtbehaviour.commondatastorage.googleapis.com/c915c30bfba565e05ccdea80427ffcba415831161e38e81eccbc893e8eb0bf83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431449&Signature=PDRco%2B36G08WhkVripJBX%2FKsew%2Fqdtv%2BE4v4qZ%2BxTtqIWv%2BbUShaZJk4oroxSc0hAtyIuEAY0Fl7s%2FjNS%2FYPoQ1iU9EMWYaxvd0Sl1%2F%2BEc%2Foq9dc3YP5F0muq56mEXdREOlePA54%2BObbmwRbWR4mwAkK%2FuAkYzpAtJKkLJRZ6GQ0sbyCC5VdaAT3OMhtFkTKCtx5Wk2ZTdGZT5ASe3hD4xmg219rX3t5uV8j", "This binary is a foundation-level threat designed to embed itself into the internet's cached trust model as \"static noise.\" It bridges the gap between the .NET/PDFKit and WebKit/QuartzCore environments through a triple-chain polyglot signature.", "https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35", "IDS Detections: Huawei Remote Command Execution (CVE-2017-17215) Huawei Remote Command Execution - Outbound (CVE-2017-17215) Huawei HG532 RCE Vulnerability (CVE-2017-17215) Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World) 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST", "Alerts: dropper injection_rwx network_dns_doh_tls network_http", "IDS Detections: Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World)", "Through research I did notice many references to target I'm researching for. Phishing/Injection attempt? I didn't click on links.", "The 7 YARA detections identified in your analysis typically trigger on the 777-anchor hex-cluster found within the high-entropy overlay. This binary \"United\" the following trust boundaries:DigiCert (Windows): Forged overlay utilizing the broken MD5 a1d6...6e72", "CnC IP: https://otx.alienvault.com/indicator/ip/142.202.242.45", "https://otx.alienvault.com/indicator/file/2b5deac6176124ee1f7d237f070c39b03c964fce9a9fba0aaa1bce102710d2e0", "https://vtbehaviour.commondatastorage.googleapis.com/00185697c0de6262fafba95770b1dd85ddbcdc8b5945d517457be2fb3e6908c1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431564&Signature=x%2BpjgWuHJOMK96wkAkxWnO%2BvWXDtko8QpNc0JQs9qrmHA1DtI9OB1F4jxixqRaySdJpP0JpTJK%2BRxE8sVad9wh3wtqgIhtbiihOX2%2FXHa7ukyAZOuMkh8fVLwIUVkxrObXKFDv8CiRAzdRemUPxSH%2FYmbOPY2eYs7UbUQp%2B93VYGCAMTuaztTey%2F1T8DM1tWLfxE5nKn3j7VigVpXMi8228oo%2B7ofaOVz3A%2FZKMZ1gKD", "Crowdsourced YARA rules Matches: Matches rule IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems", "https://otx.alienvault.com/indicator/ip/210.211.117.205", "Research Suggests:", "https://otx.alienvault.com/indicator/file/001546d210a35b7c4c072b6c265f621cf4a9abdd152741d9b58deae2be204355", "cu-payment-porch.pdv-3.ap-southeast-2.production.jet-external.com | qa.proxy.cognito.tigomoney.io | https://trackon.fr/track/clique", "https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "Edge Node Impact: This \"sloppy\" intersection is what allows the payload to burn through edge security; the gateway sees a valid .NET structure and a valid WebKit process, failing to recognize the 777-anchor forgery that unites them.", "The Russian Doll Tactic: The top-level 38MB SHA is just the Delivery Shell. Inside that, the malware carries encrypted blobs that have their own unique SHA-256 signatures. These are the actual Wiper, SpyNote, and C2 configuration modules.", "Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint", "wallpapers-nature.com", "Pending Review.", "AV Detection: ELF:Mirai-GH\\ [Trj]", "http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm", "Crowdsourced YARA rules Matches: INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "The Structural Loop: The .NET framework often relies on legacy certificate validation libraries that still accept the MD5 a1d6...6e72 chain as \"legacy-valid.\" When this document is opened on an Apple Silicon device, the WebKit/ARM64 engine inherits the \"Trusted\" status from the document\u2019s container, allowing the 64c/d anchor to execute a memory-injection without a fresh signature check.", "https://vtbehaviour.commondatastorage.googleapis.com/91031d16ab93fe5d7f8dc7a55b4bbb8e23742c774ad467f67e2e1681e5439fb9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431033&Signature=tDkjksSltx3F6MPqpr8Xf%2BIAVxBBNNTifbGimbXIX5DCrLCZugVQF%2B7kCV%2BJ3RQ1lKt1eMcfTaQ3FUvgjt7%2F3uEgdHY390sywG9OdYe2HZMJHg%2BYNxsAIe8n7UIa22pLVZNqhDSymVa0VyJAEZb8B2t7gNdGsBLQKQ7GyJ2iYAz4NklXYQPVUZoWObKt0eggHoV3wJUWM%2BQKxWSnPP6HQ8wusnitHIEqxdfckeRTMZR9zlIg31", "High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1", "Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect", "Do Not Run", "https://otx.alienvault.com/indicator/ip/125.235.4.59", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://otx.alienvault.com/indicator/file/02b19639ad1efa59e77f45d130447c05bd2466e26a657cb9cc6ac2e8b30a0026", "https://otx.alienvault.com/indicator/ip/143.244.50.212", "The Spy Loop: Beacons to the squatted infrastructure (*.webcontent.com) and associated IP nodes (35.208.49.255, 18.208.88.157).", "DotNET_Reactor: System.Security.Cryptography ICryptoTransform", "Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam", "DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography", "Attackers nest these SHAs so that if a vendor blocks the \"Big One\" (the 38MB shell), the internal payloads can be re-packed into a new shell with a new top-level hash in minutes.", "apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |", "The Convergence: Threat actors are exploiting a critical logic gap where .NET/PDFKit document signing (Windows-side) intersects with WebKit/QuartzCore rendering (macOS/ARM-side). By nesting a broken MD5 overlay within a document designed to be parsed by WebKit, the attacker creates a cross-platform \"trust bridge.\"" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Virus.ramnit/nimnul", "#lowfi:hstr:trojanspy:win32/bancos", "Generic", "Elf:mirai-gh\\ [trj]", "W32/pidgeon-a", "Win32:malware-gen", "Flyagent l", "Win.packer.pkr_ce1a-9980177-0", "Win32:pwsx-gen\\ [trj]", "Win32:trojan-gen", "Trojan.mirai/fszhh", "Win.malware.trojanx-9862538-0", "A variant of win32/flystudio.packed.ad potentially unwanted", "Win-trojan/malpacked5.gen", "Unix.trojan.mirai-9441505-0", "Android/ave.mirai.fszhh", "Alf:heraklezeval:trojan:win32/clipbanker", "Atros3.ldj", "Win.malware.bbabdcdc-7358312-0", "Ddos:linux/mirai", "Pdf.phishing.ttraffrobotinstall-7605656-0", "Trojanspy:win32/gucotut.a", "Worm:win32/sfone", "Variant.zusy.151902", "Win.dropper.autoit-6688751-0", "Win.dropper.dridex-9986041-0", "Alf:e5.spikeaex.rhh_mcv", "Win.dropper.bulz-9910065-0", "Win.keylogger.susppack-9876601-0", "Worm:win32/sfone.a", "Win32.meredrop checkin", "Alf:heraklezeval:trojan:win32/zombie", "Win.trojan.sdum-9807706-0", "Trojan.mirai/fedr" ], "industries": [ "Technology", "Civil society", "Telecommunications" ], "unique_indicators": 50956 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/getsignals.com", "whois": "http://whois.domaintools.com/getsignals.com", "domain": "getsignals.com", "hostname": "api.getsignals.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "6a0ff878b8d1717e395e0d0a", "name": "Research part 4 * CAPE Sandbox", "description": "A Cuckoo has been running on a KVM operating system for the next two years. \u00c2\u00a31.5m.. and \u00e2\u201a\u00ac1m", "modified": "2026-05-23T03:58:21.402000", "created": "2026-05-22T06:32:24.666000", "tags": [ "default", "nothing", "file execution", "registry keys", "inprocserver32", "server", "parent pid", "full path", "command line", "files c", "cname", "accept", "ip address", "cape sandbox", "found", "center", "http", "port", "shutdown", "title", "performs dns", "mitre attack", "network info", "processes extra", "sigma", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "defense evasion", "next", "win1", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "acrongl integ", "adc4240758", "angsana new", "bootkit", "back", "p2404", "host", "cultureneutral", "p11750170564", "shell folders", "systemroot", "gmt range", "guard", "pe file", "file type", "creates", "extra info", "sample", "contains", "aslr", "binary", "command", "malicious" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/91031d16ab93fe5d7f8dc7a55b4bbb8e23742c774ad467f67e2e1681e5439fb9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431033&Signature=tDkjksSltx3F6MPqpr8Xf%2BIAVxBBNNTifbGimbXIX5DCrLCZugVQF%2B7kCV%2BJ3RQ1lKt1eMcfTaQ3FUvgjt7%2F3uEgdHY390sywG9OdYe2HZMJHg%2BYNxsAIe8n7UIa22pLVZNqhDSymVa0VyJAEZb8B2t7gNdGsBLQKQ7GyJ2iYAz4NklXYQPVUZoWObKt0eggHoV3wJUWM%2BQKxWSnPP6HQ8wusnitHIEqxdfckeRTMZR9zlIg31", "https://vtbehaviour.commondatastorage.googleapis.com/beddd6543579e4744aa3aceb91c6ff522e5d4a9cf54c41b27ad97d6533cff57e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431302&Signature=VN0Lo6N8srKzgIyGy%2B2YBOQ%2BngCQJsbj8jycOiDUs3CpGIyP8pZyyC326od%2FfI41dky2kAUXq4L2f1AHLLukNksIcompwOACdBTaq%2B6r%2FyNhhrsOVLiVCA4wkuZX%2Bjz5eRA8KhG7BcGA1Z8ERy3OYr1b5gS4cUton8nwnqvSE7ZH6dFOkbdhFiX%2FwmTQbOzFCCqJWT0%2FJJZQaXyWSitlkG3IN8RyMOUpjxyT9fwh51%2FT", "https://vtbehaviour.commondatastorage.googleapis.com/f26944950ccf7fd4422662d575c0b3698670e1b19d76fe386c20058ea4ea991f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431338&Signature=FoZZNyxGwBJKtHZSxcj9EHaeRdEMbmfNE6I04ld5vuYz8v2b9G%2Bwt0JlXl6N1uR2a9k4YqZln0HWuPEsYhjLjy3e465eqqg1UIPsLLqvH%2BmT7ox8n7TU%2B54qFOkQtrqoj3cO%2BSeZXnlXHOzxx9rdozltX%2FZ%2BOw1i5z%2FzvLy%2FlI3NhUcyIPbiD3yhM6DqHS%2Fyt7x5bhd5cz18yhPyQq7CNoW%2Fx%2B5aj4d6lWRgPVoBfaoqi33C", "https://vtbehaviour.commondatastorage.googleapis.com/c915c30bfba565e05ccdea80427ffcba415831161e38e81eccbc893e8eb0bf83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431449&Signature=PDRco%2B36G08WhkVripJBX%2FKsew%2Fqdtv%2BE4v4qZ%2BxTtqIWv%2BbUShaZJk4oroxSc0hAtyIuEAY0Fl7s%2FjNS%2FYPoQ1iU9EMWYaxvd0Sl1%2F%2BEc%2Foq9dc3YP5F0muq56mEXdREOlePA54%2BObbmwRbWR4mwAkK%2FuAkYzpAtJKkLJRZ6GQ0sbyCC5VdaAT3OMhtFkTKCtx5Wk2ZTdGZT5ASe3hD4xmg219rX3t5uV8j", "https://vtbehaviour.commondatastorage.googleapis.com/00185697c0de6262fafba95770b1dd85ddbcdc8b5945d517457be2fb3e6908c1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431564&Signature=x%2BpjgWuHJOMK96wkAkxWnO%2BvWXDtko8QpNc0JQs9qrmHA1DtI9OB1F4jxixqRaySdJpP0JpTJK%2BRxE8sVad9wh3wtqgIhtbiihOX2%2FXHa7ukyAZOuMkh8fVLwIUVkxrObXKFDv8CiRAzdRemUPxSH%2FYmbOPY2eYs7UbUQp%2B93VYGCAMTuaztTey%2F1T8DM1tWLfxE5nKn3j7VigVpXMi8228oo%2B7ofaOVz3A%2FZKMZ1gKD", "https://vtbehaviour.commondatastorage.googleapis.com/00185697c0de6262fafba95770b1dd85ddbcdc8b5945d517457be2fb3e6908c1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779431586&Signature=mg5jUjSQG5fVQ2idj9wgQGE6D7neQXnBJ4xAD50pgEFgszvmZvrLrvz5RjR00uX4f7Gs2afv8MUs272SCXfylMEo1EhlVujdxecw4%2Ftn9jdYUfSDpqu0quw4dkL1YXviPoAcCJLaKrrvBsQMT468PPk4VwiDZbq2JNrZZwt1qXHmZFe3X5CHabJJE0ORZBwBH0jMYUE%2BWIvGzkZ%2Bul4ufi3xgsgA%2BoN0jUlIddwaoZA4eQeYVlQ388DLeonSjl" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 194, "FileHash-SHA1": 212, "FileHash-SHA256": 412, "IPv4": 297, "URL": 840, "domain": 343, "hostname": 541, "CIDR": 6, "email": 23, "IPv6": 176, "CVE": 4 }, "indicator_count": 3048, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0b06f047e3346072f0498c", "name": "beta | research", "description": "date research", "modified": "2026-05-20T08:57:00.942000", "created": "2026-05-18T12:32:48.538000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 157, "hostname": 227, "URL": 341, "FileHash-SHA256": 987, "IPv4": 113, "FileHash-SHA1": 41, "FileHash-MD5": 48, "email": 3 }, "indicator_count": 1917, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "12 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01d3836a1a757aded89ba4", "name": "The 777 Quartz Loop: Structural Polyglot Forgery & Global Wiper Convergence", "description": "Malicious C2 is hidden in plain sight. Using webcontent.com (Reg. 1998), the factory mimics legitimate com.apple.WebKit.WebContent traffic. This is the permanent \"static\" that makes the Wiper indistinguishable from OS noise.C2 Anchors: ://webcontent.com, ://webcontent.comIP Nodes: 35.208.49.255, 18.208.88.157, 98.84.224.111, 3.33.251.168The \"Rose Quartz\" Structural MixA \"Frankensign\" universal bypass. It \"United\" three OS trust boundaries into a single loop:DigiCert (Windows): Forged overlay using the broken MD5 a1d6...6e72.Apple ARM (macOS): 64c/d or B0 thumbprints pivoting through WebKit/QuartzCore.Google (Drop): Execution via a Google 202 shell (GoogleUpdate.exe).The 777 AnchorThe 777 entropy pattern is the mathematical anchor forcing this messy alignment. It cannot be \"fixed\" by revocation because it is already cached in the internet's trust model.", "modified": "2026-05-12T08:41:44.805000", "created": "2026-05-11T13:02:59.167000", "tags": [ "status", "creation date", "date", "pulse indicator", "url analysis", "passive dns", "urls", "files", "whois registrar", "related tags", "server", "domain status", "whois lookup", "dnssec", "domain name", "abuse contact", "email", "registrar abuse", "github", "google", "webcontent", "issue", "discussion", "safari vs", "cyberkit", "webkit port", "apple community", "clearing", "graph summary", "The Russian Doll Tactic", "pdfkit[.]net", "mathematical stalemate", "CLAMAV", "MD5/nested cert chains within" ], "references": [ "Rec: block for *.webcontent.com and binaries matching the B0/64c/d anchors or the 777 hex-cluster.", "Pending Review.", "The 7 YARA detections identified in your analysis typically trigger on the 777-anchor hex-cluster found within the high-entropy overlay. This binary \"United\" the following trust boundaries:DigiCert (Windows): Forged overlay utilizing the broken MD5 a1d6...6e72", "Do Not Run", "The Structural Loop: The .NET framework often relies on legacy certificate validation libraries that still accept the MD5 a1d6...6e72 chain as \"legacy-valid.\" When this document is opened on an Apple Silicon device, the WebKit/ARM64 engine inherits the \"Trusted\" status from the document\u2019s container, allowing the 64c/d anchor to execute a memory-injection without a fresh signature check.", "Edge Node Impact: This \"sloppy\" intersection is what allows the payload to burn through edge security; the gateway sees a valid .NET structure and a valid WebKit process, failing to recognize the 777-anchor forgery that unites them.", "Binary Profile: The 38MB \"Big One\" ShellCompilation: August 8, 2018 [Static Layer Foundation]Packing: UPX v0.89.6 - v1.24 (Markus & Laszlo)Signatures: SHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0Structural Forgery: The 38,351 KB footprint is intentionally bloated with an unmapped overlay to masquerade as a legitimate system utility. This specific variation exploits the RichHash 99b5586e... to bypass heuristic whitelists.", "Research Suggests:", "The Convergence: Threat actors are exploiting a critical logic gap where .NET/PDFKit document signing (Windows-side) intersects with WebKit/QuartzCore rendering (macOS/ARM-side). By nesting a broken MD5 overlay within a document designed to be parsed by WebKit, the attacker creates a cross-platform \"trust bridge.\"", "This binary is a foundation-level threat designed to embed itself into the internet's cached trust model as \"static noise.\" It bridges the gap between the .NET/PDFKit and WebKit/QuartzCore environments through a triple-chain polyglot signature.", "Technical Indicators & Forgery MixSHA-256: 3a23e3eb2bc7c91ccb52aaa1daf33ac78b1ace02107717ba50f27abba4aa44b0MD5: a95e0f8611e4169be89ef384c8a7a71aCompilation: 2018-08-08 (The \"Static Layer\" 2020 foundation).The 777 Anchor: The 777 entropy pattern in the unmapped overlay (Size: 38,351 KB) forces the \"messy\" alignment between DigiCert, Apple ARM (64c/d), and Google 202 identities.Structural Bypass: Exploits the broken/abused MD5 a1d6...6e72 chain as a \"Frank Abagnale\" signature overlay to bypass Zero-Trust EDR.", "The Spy Loop: Beacons to the squatted infrastructure (*.webcontent.com) and associated IP nodes (35.208.49.255, 18.208.88.157).", "The Wiper: Contains the high-confidence destructive module capable of a FACTORY_RESET anti-forensic purge.", "The Russian Doll Tactic: The top-level 38MB SHA is just the Delivery Shell. Inside that, the malware carries encrypted blobs that have their own unique SHA-256 signatures. These are the actual Wiper, SpyNote, and C2 configuration modules.", "Attackers nest these SHAs so that if a vendor blocks the \"Big One\" (the 38MB shell), the internal payloads can be re-packed into a new shell with a new top-level hash in minutes." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 707, "URL": 1888, "email": 14, "hostname": 1443, "FileHash-SHA256": 1662, "IPv4": 198, "FileHash-MD5": 295, "FileHash-SHA1": 283, "Mutex": 1, "IPv6": 10, "CIDR": 1, "CVE": 2 }, "indicator_count": 6504, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "665bb7679843a6dabe4560e3", "name": "USZoom [New York , USA] | iPostal1 | Where's my check & mailbox?", "description": "According to some victims, malicious activities including/ not limited to mail filtering fulfillment center resulting in lost, tampered with, opened and glue sealed mail. Missing private documents, payment scams, needless recurring monthly fees, CSR call redirections to unaffiliated personnel. The system has been in the DW for several years. This is due to no fault of franchise owners. Bounty hunters, hackers, and cyber and mail thieves, potential aggressive law enforcement tacticts. Some use mailbox addresses for nefarious purposes, while others use it for business and address confidentiality. \n\nAuto generated: iPostal1 is the largest digital mailbox provider in the world, providing secure, easy-to-use digital mail solutions for individuals, small businesses and large businesses, and driving revenue for Workspaces.", "modified": "2024-09-05T06:11:17.325000", "created": "2024-06-02T00:05:59.160000", "tags": [ "strong", "story contact", "us leadership", "open menu", "close menu", "digital", "thank", "us zoom", "skip", "content home", "enterprise", "contact", "threat roundup", "august", "historical ssl", "april", "referrer", "formbook", "ip check", "vt graph", "relacionada", "cobalt strike", "hiddentear", "life", "malware", "open", "mumblehard", "sparkrat", "attack", "uszoom og", "submission", "analysis", "utc http", "response final", "url https", "ip address", "status code", "body length", "kb body", "graph api", "status", "content type", "date", "anchor hrefs", "hrefs", "cart contact", "leadership", "html info", "title uszoom", "meta tags", "uszoom twitter", "script tags", "vhash htm", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "magika cttxt", "file size", "united", "as20940", "aaaa", "canada", "search", "showing", "cname", "as35994 akamai", "passive dns", "next", "as21928", "unknown", "urls", "domain", "creation date", "emails", "ipcounsel", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "files", "invalid url", "body", "name servers", "akamai", "expiration date", "asnone united", "a nxdomain", "india", "as15224 adobe", "bdclid", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "yara rule", "high", "explorer", "alerts", "less see", "contacted", "service", "attempts", "guard", "url http", "pulse pulses", "http", "related nids", "files location", "ip related", "hostname", "files ip", "address domain", "as46606", "td td", "script script", "gmt path", "create", "website", "set cookie", "a td", "win32", "flash", "pragma", "cookie", "xmpmm", "png image", "rgba", "documentid", "instanceid", "creatortool", "pattern match", "adobe photoshop", "macintosh", "june", "hybrid", "local", "encrypt", "click", "strings", "anomalous_deletefile", "info_stealer", "et trojan", "banload http", "banload", "ids detections", "yara detections", "bancos variant", "c2 checkin", "ntkrnlpacker", "copy", "meredrop", "injection", "e0e2edee", "push", "read", "write", "delete", "entries", "crlf line", "anomalous file", "medium", "filehash", "av detections", "analysis date", "file score", "medium risk", "detections none", "related pulses", "apple", "apple id", "apple private data collection", "apple staging", "t-mobile", "metroby", "keylogger" ], "references": [ "https://uszoom.com/", "http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm", "Malicious Score: 10", "Yara Detections: DotNET_Reactor", "Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint", "Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect", "Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content", "Alerts: dropper injection_rwx network_dns_doh_tls network_http", "DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography", "DotNET_Reactor: System.Security.Cryptography ICryptoTransform", "High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1", "High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies", "Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam", "https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317", "https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec", "Yara Detections stack_string , Armadillov1xxv2xx", "https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35", "apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Keylogger.Susppack-9876601-0", "display_name": "Win.Keylogger.Susppack-9876601-0", "target": null }, { "id": "Win.Trojan.Sdum-9807706-0", "display_name": "Win.Trojan.Sdum-9807706-0", "target": null }, { "id": "Win32.Meredrop Checkin", "display_name": "Win32.Meredrop Checkin", "target": null }, { "id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "target": null }, { "id": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048.002", "name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1434", "name": "App Delivered via Email Attachment", "display_name": "T1434 - App Delivered via Email Attachment" } ], "industries": [ "Technology", "Telecommunications", "Civil Society" ], "TLP": "green", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 8, "FileHash-MD5": 167, "FileHash-SHA1": 129, "FileHash-SHA256": 2008, "URL": 11241, "domain": 1853, "hostname": 4198, "SSLCertFingerprint": 10, "CVE": 1 }, "indicator_count": 19615, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "634 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6671e5844c155814e69ba4dd", "name": "Mirai Botnet Injection affecting Alienvault.", "description": "It's unclear if some users or service itself is injecting users or if service is under a Mirai attack. I found evidence of both outbound & inbound activities. *Crowdsourced context: Activity related to MIRAI - according to source Cluster25 - \nThis IPV4 is used by MIRAI. Mirai is a malware that created a big botnet of networked devices running Linux making them remotely controlled bots that can be used for large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers.\n#zbetcheckin tracker\nDownloaded on 2023-11-07 19:34:59 UTC\nSRC URL : http://171.228.209.167/x86_64\nIP : 171.228.209.167\nAS : AS7552 Viettel Group\nYARA : #contentis_base64 #debuggerpattern__rdtsc #ip #math_entropy_6 #is__elf #http #ft_elf #executable_elf64", "modified": "2024-07-18T19:02:50.386000", "created": "2024-06-18T19:52:36.849000", "tags": [ "problems", "threat network", "infrastructure", "historical ssl", "microsoft stuff", "domain check", "referrer", "generic malware", "injector", "no data", "tag count", "fri mar", "analyzer threat", "ip summary", "url summary", "summary", "downloader", "generic", "united", "as14315", "passive dns", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "urls", "files", "america asn", "unknown", "ransom", "body", "coinminer", "malware generic", "wed jan", "first", "status", "creation date", "search", "date", "expiration date", "name servers", "next", "mirai", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "reverse dns", "location lao", "viet nam", "domain", "all search", "otx scoreblue", "hostname", "files ip", "lazarus", "as7552 viettel", "vietnam unknown", "win32", "worm", "win32sfone jul", "vietnam", "etag", "telecom", "as16625 akamai", "as20940", "germany", "united kingdom", "singapore", "as20546 soprado", "hong kong", "as45102 alibaba", "taobao network", "cname", "aaaa", "entries", "showing", "a domains", "as38731 vietel", "plesk", "a li", "default page", "plesk a", "mirai variant", "useragent", "apache", "accept", "hello", "create c", "read c", "delete", "write", "default", "create", "show", "medium", "dock", "execution", "copy", "xport", "address", "as131392", "cape", "orsam", "malware", "script urls", "moved", "record value", "cisco umbrella", "site", "heur", "alexa top", "safe site", "million", "malicious site", "phishing site", "malicious url", "opencandy", "exploit", "agent", "phishing", "acint", "iframe", "crack", "conduit", "artemis", "riskware", "mimikatz", "swrort", "downldr", "systweak", "behav", "tiggre", "genkryptik", "presenoker", "filetour", "cleaner", "wacatac", "outbreak", "installcore", "iobit", "rostpay", "dropper", "mediaget", "related pulses", "whois", "related", "msil", "zombie", "dridex", "location viet", "pulse submit", "url analysis", "content", "google tag", "utc gcfezl5ynvb", "utc na", "utc google", "analytics na", "utc linkedin", "insight tag", "deep malware", "iframes", "trackers", "external-resources", "text/html", "elf info", "header class", "elf64 data", "header version", "os abi", "unix", "v object", "file type", "exec", "executable file", "progbits", "type address", "offset size", "flags", "null", "nobits", "strtab", "ip detections", "country", "us bundled", "detections file", "name", "graph summary", "get hello", "jaws webserver", "outbound", "mvpower dvr", "shell uce", "inbound", "activity mirai", "mirai", "info", "performs dns", "mitre att", "access ta0006", "os credential", "dumping t1003", "enumerates", "command", "control ta0011", "protocol t1071", "protocol t1095", "relacionada", "mirai malware", "mirai 04022024", "nciipc", "ip reputaion", "msie", "windows nt", "slcc2", "media center", "china as37963", "simplified", "trojanspy", "virustotal", "panda", "detections type", "shell", "javascript", "dns replication", "files referring", "lookups", "as7552", "vhash", "ssdeep", "magic elf", "sysv", "trid elf", "executable", "linux", "elf executable", "loccel1", "echobot", "bashlite", "malwarebazaar", "echobot malware", "win32 exe", "magic msdos", "pe32 executable", "intel", "ms windows", "trid dos", "compiler", "delphi", "serial number", "algorithm", "thumbprint", "valid from", "code signing", "from", "microsoft root", "name microsoft", "verisign time", "stamping", "contained", "info sections", "name virtual", "address virtual", "size raw", "size entropy", "md5 chi2", "regsetvalueexa", "type rtrcdata", "sha256 file", "threat roundup", "october", "august", "june", "september", "highly targeted", "cyberstalking", "round", "december", "sneaky server", "facebook", "stealer", "agent tesla", "pony", "april", "whitelisted", "encrypt", "targeting", "tsara brashears", "otx", "alienvault", "memcommit", "regsz", "regopenkeyexw", "english", "module load", "t1129", "t1082", "windows module", "dlls", "redline stealer", "updater", "v3 serial", "number", "subject public", "key info", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "data redacted", "cloudflare", "redacted", "for privacy", "code", "server", "registrar abuse", "redacted for", "postal code", "registrant name", "red team", "shit", "logistics", "cyber defense", "gootloader", "march", "sinkhole", "just", "ramnit", "netsupport rat", "microsoft", "vault", "karen", "gifts", "hidden privacy", "threats", "malicious", "darkgate", "core", "hacktool", "emotet" ], "references": [ "https://botnet.ngocronglau.xyz > link discovered by an Alienvault user who notified me they found it researching message from am active user.", "https://otx.alienvault.com/indicator/file/02b19639ad1efa59e77f45d130447c05bd2466e26a657cb9cc6ac2e8b30a0026", "https://otx.alienvault.com/indicator/file/001546d210a35b7c4c072b6c265f621cf4a9abdd152741d9b58deae2be204355", "https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "Unix.Mirai Botnet: https://otx.alienvault.com/indicator/hostname/botnet.ngocronglau.xyz", "CnC IP: https://otx.alienvault.com/indicator/ip/142.202.242.45", "https://otx.alienvault.com/indicator/domain/bunny.net", "https://otx.alienvault.com/indicator/ip/210.211.117.205", "https://otx.alienvault.com/indicator/ip/143.244.50.212", "https://otx.alienvault.com/indicator/ip/125.235.4.59", "AV Detection: ELF:Mirai-GH\\ [Trj]", "IDS Detections: MVPower DVR Shell UCE Mirai | Variant User-Agent (Outbound) JAWS Webserver Unauthenticated Shell Command Execution", "IDS Detections: Huawei Remote Command Execution (CVE-2017-17215) Huawei Remote Command Execution - Outbound (CVE-2017-17215) Huawei HG532 RCE Vulnerability (CVE-2017-17215) Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World) 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST", "IDS Detections: Mirai Variant User-Agent (Inbound) HackingTrio UA (Hello, World)", "IDS Detections: 401TRG Generic Webshell Request - POST with wget in body HTTP traffic on port 443 (POST) ...", "Alerts: dead_host network_icmp tcp_syn_scan nolookup_communication network_cnc_http network_http p2p_cnc writes_to_stdout", "Matches rule Linux_Trojan_Mirai_6a77af0f from ruleset Linux_Trojan_Mirai by Elastic Security | botnet.ngocronglau.xyz", "https://otx.alienvault.com/indicator/file/2b5deac6176124ee1f7d237f070c39b03c964fce9a9fba0aaa1bce102710d2e0", "cu-payment-porch.pdv-3.ap-southeast-2.production.jet-external.com | qa.proxy.cognito.tigomoney.io | https://trackon.fr/track/clique", "Crowdsourced YARA rules Matches: rule INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "Crowdsourced YARA rules Matches: INDICATOR_EXE_Packed_MEW from ruleset indicator_packed by ditekSHen", "Crowdsourced YARA rules Matches: SUSP_Unsigned_OSPPSVC from ruleset gen_sign_anomalies by Florian Roth (Nextron Systems", "Crowdsourced YARA rules Matches: IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems)", "Crowdsourced YARA rules Matches: Matches rule IMPLANT_4_v3_AlternativeRule from ruleset apt_grizzlybear_uscert by Florian Roth (Nextron Systems", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "wallpapers-nature.com", "Was anyone else notified? I'm not sure why I was.", "Through research I did notice many references to target I'm researching for. Phishing/Injection attempt? I didn't click on links.", "CS Sigma: Matches rule Python Initiated Connection by frack113" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null }, { "id": "ALF:E5.SpikeAex.rhh_mcv", "display_name": "ALF:E5.SpikeAex.rhh_mcv", "target": null }, { "id": "Win.Dropper.Bulz-9910065-0", "display_name": "Win.Dropper.Bulz-9910065-0", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Win.Dropper.Autoit-6688751-0", "display_name": "Win.Dropper.Autoit-6688751-0", "target": null }, { "id": "ELF:Mirai-GH\\ [Trj]", "display_name": "ELF:Mirai-GH\\ [Trj]", "target": null }, { "id": "Win.Dropper.Dridex-9986041-0", "display_name": "Win.Dropper.Dridex-9986041-0", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Zombie", "display_name": "ALF:HeraklezEval:Trojan:Win32/Zombie", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Worm:Win32/Sfone.A", "display_name": "Worm:Win32/Sfone.A", "target": "/malware/Worm:Win32/Sfone.A" }, { "id": "Worm:Win32/Sfone", "display_name": "Worm:Win32/Sfone", "target": "/malware/Worm:Win32/Sfone" }, { "id": "Win.Malware.Bbabdcdc-7358312-0", "display_name": "Win.Malware.Bbabdcdc-7358312-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "trojan.mirai/fszhh", "display_name": "trojan.mirai/fszhh", "target": null }, { "id": "DDOS:Linux/Mirai", "display_name": "DDOS:Linux/Mirai", "target": "/malware/DDOS:Linux/Mirai" }, { "id": "ANDROID/AVE.Mirai.fszhh", "display_name": "ANDROID/AVE.Mirai.fszhh", "target": null }, { "id": "Flyagent L", "display_name": "Flyagent L", "target": null }, { "id": "Win-Trojan/Malpacked5.Gen", "display_name": "Win-Trojan/Malpacked5.Gen", "target": null }, { "id": "Atros3.LDJ", "display_name": "Atros3.LDJ", "target": null }, { "id": "a variant of Win32/FlyStudio.Packed.AD potentially unwanted", "display_name": "a variant of Win32/FlyStudio.Packed.AD potentially unwanted", "target": null }, { "id": "TrojanSpy:Win32/Gucotut.A", "display_name": "TrojanSpy:Win32/Gucotut.A", "target": "/malware/TrojanSpy:Win32/Gucotut.A" }, { "id": "W32/Pidgeon-A", "display_name": "W32/Pidgeon-A", "target": null }, { "id": "Variant.Zusy.151902", "display_name": "Variant.Zusy.151902", "target": null }, { "id": "trojan.mirai/fedr", "display_name": "trojan.mirai/fedr", "target": null }, { "id": "Win.Malware.Trojanx-9862538-0", "display_name": "Win.Malware.Trojanx-9862538-0", "target": null }, { "id": "Win32:PWSX-gen\\ [Trj]", "display_name": "Win32:PWSX-gen\\ [Trj]", "target": null }, { "id": "virus.ramnit/nimnul", "display_name": "virus.ramnit/nimnul", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 351, "FileHash-SHA1": 349, "FileHash-SHA256": 3715, "domain": 3326, "hostname": 5200, "URL": 13151, "email": 9, "CVE": 7, "CIDR": 2 }, "indicator_count": 26110, "is_author": false, "is_subscribing": null, "subscriber_count": 248, "modified_text": "682 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681f6738d3aa876f83738d0", "name": "USZoom [New York , USA] | iPostal1", "description": "", "modified": "2024-07-01T23:00:42.052000", "created": "2024-07-01T00:21:07.491000", "tags": [ "strong", "story contact", "us leadership", "open menu", "close menu", "digital", "thank", "us zoom", "skip", "content home", "enterprise", "contact", "threat roundup", "august", "historical ssl", "april", "referrer", "formbook", "ip check", "vt graph", "relacionada", "cobalt strike", "hiddentear", "life", "malware", "open", "mumblehard", "sparkrat", "attack", "uszoom og", "submission", "analysis", "utc http", "response final", "url https", "ip address", "status code", "body length", "kb body", "graph api", "status", "content type", "date", "anchor hrefs", "hrefs", "cart contact", "leadership", "html info", "title uszoom", "meta tags", "uszoom twitter", "script tags", "vhash htm", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "magika cttxt", "file size", "united", "as20940", "aaaa", "canada", "search", "showing", "cname", "as35994 akamai", "passive dns", "next", "as21928", "unknown", "urls", "domain", "creation date", "emails", "ipcounsel", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "files", "invalid url", "body", "name servers", "akamai", "expiration date", "asnone united", "a nxdomain", "india", "as15224 adobe", "bdclid", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "yara rule", "high", "explorer", "alerts", "less see", "contacted", "service", "attempts", "guard", "url http", "pulse pulses", "http", "related nids", "files location", "ip related", "hostname", "files ip", "address domain", "as46606", "td td", "script script", "gmt path", "create", "website", "set cookie", "a td", "win32", "flash", "pragma", "cookie", "xmpmm", "png image", "rgba", "documentid", "instanceid", "creatortool", "pattern match", "adobe photoshop", "macintosh", "june", "hybrid", "local", "encrypt", "click", "strings", "anomalous_deletefile", "info_stealer", "et trojan", "banload http", "banload", "ids detections", "yara detections", "bancos variant", "c2 checkin", "ntkrnlpacker", "copy", "meredrop", "injection", "e0e2edee", "push", "read", "write", "delete", "entries", "crlf line", "anomalous file", "medium", "filehash", "av detections", "analysis date", "file score", "medium risk", "detections none", "related pulses", "apple", "apple id", "apple private data collection", "apple staging", "t-mobile", "metroby", "keylogger" ], "references": [ "https://uszoom.com/", "http://www.dead-speak.com/ElectronicVoicePhenomena_EVP.htm", "Malicious Score: 10", "Yara Detections: DotNET_Reactor", "Alerts: procmem_yara antisandbox_sleep persistence_autorun cape_detected_threat infostealer_cookies recon_fingerprint", "Alerts: stealth_hidden_extension stealth_hiddenreg antidebug_guardpages dead_connect", "Alerts: encrypted_ioc http_request powershell_download powershell_request dynamic_function_loading cape_extracted_content", "Alerts: dropper injection_rwx network_dns_doh_tls network_http", "DotNET_Reactor: System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography", "DotNET_Reactor: System.Security.Cryptography ICryptoTransform", "High Priority Check-ins: Banload HTTP Checkin Detected (envia.php) Win32.Meredrop Checkin Bancos Variant C2 Checkin 1", "High Priority Alerts: spawns_dev_util modify_proxy infostealer_cookies", "Yara Detections: NTKrnlPacker, NTkrnlSecureSuite01015NTkrnlSoftware, NTkrnlSecureSuiteNTkrnlteam", "https://otx.alienvault.com/indicator/file/01accdb2c75f7b75e5f9744461fe927e6e1378e3bc1f943d02b0aa441bf65317", "https://www.hybrid-analysis.com/sample/79cab9c299164fb9a6d8f009adc2529ee79feeb0b4ad383eedee0c36bbe041ec/665b7ebee6b33f252d0e64ec", "Yara Detections stack_string , Armadillov1xxv2xx", "https://otx.alienvault.com/indicator/file/4d1dbf5ccc25a7f5fa24bd48d92987ff6d4dba35", "apple.finder-idevice.com | nr-data.net | https://appleid.com-dispositivo-perdido.com/ |" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Keylogger.Susppack-9876601-0", "display_name": "Win.Keylogger.Susppack-9876601-0", "target": null }, { "id": "Win.Trojan.Sdum-9807706-0", "display_name": "Win.Trojan.Sdum-9807706-0", "target": null }, { "id": "Win32.Meredrop Checkin", "display_name": "Win32.Meredrop Checkin", "target": null }, { "id": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "display_name": "#Lowfi:HSTR:TrojanSpy:Win32/Bancos", "target": null }, { "id": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "display_name": "Pdf.Phishing.TtraffRobotInstall-7605656-0", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048.002", "name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", "display_name": "T1048.002 - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1198", "name": "SIP and Trust Provider Hijacking", "display_name": "T1198 - SIP and Trust Provider Hijacking" }, { "id": "T1416", "name": "URI Hijacking", "display_name": "T1416 - URI Hijacking" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1434", "name": "App Delivered via Email Attachment", "display_name": "T1434 - App Delivered via Email Attachment" } ], "industries": [ "Technology", "Telecommunications", "Civil Society" ], "TLP": "green", "cloned_from": "665bb7679843a6dabe4560e3", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 8, "FileHash-MD5": 167, "FileHash-SHA1": 129, "FileHash-SHA256": 1890, "URL": 10360, "domain": 1799, "hostname": 3994, "SSLCertFingerprint": 10, "CVE": 1 }, "indicator_count": 18358, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "699 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "http://api.getsignals.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "http://api.getsignals.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780311754.9309027 }