{ "type": "URL", "indicator": "http://s.symcb.com/universal", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "http://s.symcb.com/universal", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #246", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain symcb.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2456578115, "indicator": "http://s.symcb.com/universal", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 13, "pulses": [ { "id": "6a068aad93e73083e6d0a325", "name": "Credit Q.Vashti [\"Ransom | ts-aia.ws.symantec.com | Custom Wheelchchair\"] Clone", "description": "", "modified": "2026-05-15T02:53:33.613000", "created": "2026-05-15T02:53:33.613000", "tags": [ "united", "status", "name servers", "germany", "present feb", "pattern", "passive dns", "urls", "creation date", "alfper", "date", "trojan", "virtool", "span", "body", "sameorigin", "date sun", "connection", "csc corporate", "domains", "markmonitor", "threat score", "av detection", "community score", "scan analysis", "malicious", "crowdstrike", "access falcon", "prevent free", "trial falcon", "timestamp input", "windows error", "file", "windows", "hwp support", "mitre att", "type", "mime", "logo analysis", "ob0001 defense", "evasion ob0006", "impact ob0008", "file system", "oc0001 memory", "system oc0008", "cname", "ttl value", "catalog tree", "analysis ob0001", "analysis ob0002", "ob0005 defense", "ob0013 file", "system oc0001", "memory oc0002", "process oc0003", "memory pattern", "get http", "resolved ips", "dns resolutions", "av info", "llmnr query", "entries", "response", "ms windows", "search", "intel", "pe32", "show", "write c", "copy", "write", "hupigon", "malware", "next" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": "685500d67d6f41d99a2551ae", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 401, "FileHash-SHA1": 406, "FileHash-SHA256": 1936, "URL": 173, "email": 2, "domain": 6, "hostname": 128 }, "indicator_count": 3052, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-24T13:20:48.450000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 108, "CIDR": 6 }, "indicator_count": 33118, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "685556a7e31c87eb612ebecb", "name": "Spyware affecting vendor & victims of services", "description": "100/100 malicious. Strange backstory. Patterns.\nEither the vendor is hacked or they have social engineer victims and also compromised their systems. | Needs more investigation. \n\n| Spyware | Malware | Invasive\nAccesses potentially sensitive information from local browsers\n| Evasive |\nPossibly checks for the presence of a forensics/monitoring tool. ||\n\nYara detected UAC Bypass using CMSTP\n2.0\nConnects to many different private IPs (likely to spread or exploit)\n2.0\nConnects to many different private IPs via SMB (likely to spread or exploit)\n\n#ransom #evader # defense # spyware #rat #phishing #malicious #adversarial #trojan # malware #maldoc #voidtools #banker #exploit #botnet #targeting #cnc #crypto #self_delete", "modified": "2025-07-20T07:05:14.546000", "created": "2025-06-20T12:40:07.756000", "tags": [ "get http", "catalog tree", "analysis ob0001", "analysis ob0002", "ob0005 defense", "evasion ob0006", "impact ob0008", "ob0013 file", "system oc0001", "memory oc0002", "process oc0003", "access ta0001", "ta0004 defense", "evasion ta0005", "ta0007 lateral", "movement ta0008", "command", "control ta0011", "impact ta0040", "file details", "filename", "file type", "pe32", "intel", "ms windows", "file size", "sha1", "sha256", "mwdb", "parent pid", "full path", "command line", "k netsvcs", "bypass", "getvm", "imagepath", "stopvm", "getvhd", "getvolume", "accept", "gmt ifnonematch", "googleupdater", "host", "url data", "files", "ip address", "port", "tcp connections", "cname", "name response", "nxdomain", "country name", "passive dns", "urls", "pulse pulses", "http", "related nids", "files location", "canada flag", "canada hostname", "files domain", "windows error", "file", "windows", "hwp support", "mitre att", "logo analysis", "type", "mime", "av detection", "community score", "writes", "pe file", "openpgp public", "openpgp secret", "sample", "creates", "defender", "code", "persistence", "file info", "file name", "mb sha256", "submission path", "ssdeep", "associated urls", "anonymous", "falcon sandbox", "submissions", "timestamp input", "status", "mac catalina", "macosx error", "wubgbswiq22", "linux", "ubuntu", "linux error", "defense evasion", "access ta0006", "ta0009 command" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 194, "FileHash-SHA1": 182, "FileHash-SHA256": 1125, "URL": 155, "hostname": 118, "domain": 5 }, "indicator_count": 1779, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "317 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "685500d67d6f41d99a2551ae", "name": "Ransom | ts-aia.ws.symantec.com | Custom Wheelchair Vendor", "description": "PUA.MSIL.Mediafwdownloader\n[458cb153172946c32fff4b10fad2d740.msi]\ntrojan.mimic/defendercontrol\n#ransom\n[279dbb1984d32a99caf4a0b82a1519e1bacabed43af723398c631a7d17352fe9]\n#mimic\n#discovery\n#evasion\n#execution\n#persistence\n#ransomware\n#trojan\n#malware\n#jaffacakes118\n#mimic.exe #shadowy #quasi #attack \nSigma | UAC Bypass via ICMLuaUtil by Florian Roth (Nextron Systems), Elastic (idea) | Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel\n| CMSTP UAC Bypass via COM Object Access by Nik Seetharaman, Christian Burkard (Nextron Systems)\n| Shell Open Registry Keys Manipulation by Christian Burkard (Nextron Systems) | \nWin.Malware.Mikey-6856849-0 | *need access to otx features #glitching", "modified": "2025-07-20T06:03:58.975000", "created": "2025-06-20T06:33:57.521000", "tags": [ "united", "status", "name servers", "germany", "present feb", "pattern", "passive dns", "urls", "creation date", "alfper", "date", "trojan", "virtool", "span", "body", "sameorigin", "date sun", "connection", "csc corporate", "domains", "markmonitor", "threat score", "av detection", "community score", "scan analysis", "malicious", "crowdstrike", "access falcon", "prevent free", "trial falcon", "timestamp input", "windows error", "file", "windows", "hwp support", "mitre att", "type", "mime", "logo analysis", "ob0001 defense", "evasion ob0006", "impact ob0008", "file system", "oc0001 memory", "system oc0008", "cname", "ttl value", "catalog tree", "analysis ob0001", "analysis ob0002", "ob0005 defense", "ob0013 file", "system oc0001", "memory oc0002", "process oc0003", "memory pattern", "get http", "resolved ips", "dns resolutions", "av info", "llmnr query", "entries", "response", "ms windows", "search", "intel", "pe32", "show", "write c", "copy", "write", "hupigon", "malware", "next" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 401, "FileHash-SHA1": 406, "FileHash-SHA256": 1936, "URL": 173, "email": 2, "domain": 6, "hostname": 128 }, "indicator_count": 3052, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "317 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "681f8117bec95b5ddab4dbf8", "name": "JPK_VAT-7K_11_.xls cc3ff66548d49212ae9b4b28c5a01e9ee50ae2d090cdf1b7747dc8a44a5c7b13", "description": "MD5 5cf9af2bf416da11b4eedf86dd6748e6\nhttps://www.virustotal.com/gui/file/cc3ff66548d49212ae9b4b28c5a01e9ee50ae2d090cdf1b7747dc8a44a5c7b13/detection", "modified": "2025-05-14T21:04:23.336000", "created": "2025-05-10T16:38:47.697000", "tags": [ "use short", "name path", "command line", "detect use", "windows", "image id", "image detection", "spawns", "image", "setup engine", "investigate", "typ pliku", "ms windows", "nt2000", "ascii", "z zakoczeniami", "crlf", "pliki wzoru", "index", "name", "vba z", "adowanie boczne", "nadrzdny pid", "microsoft excel", "z operacjami", "sigma wykrya", "tworzy", "zapytanie", "t1055 wtrysk", "autor", "inquest labs", "vba project", "vbaproject" ], "references": [ "http://www.iform.pl/txtfile/makra.pdf", "http://crd.gov.pl/wzor/2016/08/05/3413/", "http://crd.gov.pl/xml/schematy/dziedzinowe/mf/2016/01/25/eD/DefinicjeTypy/", "http://crd.gov.pl/xml/schematy/dziedzinowe/mf/2016/07/29/eD/VATZD/", "Raport VirusTotal dla JPK_VAT-7K_11_.xls.html", "Office_Document_with_VBA_Project .yar" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 9, "URL": 416, "hostname": 121, "domain": 15, "FileHash-SHA256": 1024, "email": 1, "FileHash-MD5": 2, "FileHash-SHA1": 2, "YARA": 1 }, "indicator_count": 1591, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "384 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d45dab14a189645153e8a6", "name": "Reverse WHOIS results for vgt.pl ( GANG VGT)", "description": "", "modified": "2024-12-17T14:47:57", "created": "2024-09-01T12:27:23.777000", "tags": [ "ipv4 domain", "ipv4 url", "domain", "sha1", "sha256", "pehash", "vhash", "ssdeep" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1286, "FileHash-SHA1": 1286, "FileHash-SHA256": 2722, "URL": 4729, "domain": 1909, "hostname": 2082, "IPv4": 97, "CVE": 4, "YARA": 1 }, "indicator_count": 14116, "is_author": false, "is_subscribing": null, "subscriber_count": 127, "modified_text": "532 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "667af85fe8fea6365adaa65d", "name": "Norton & Norton Lifelock Products", "description": "Just taking a pak at some Norton-Related Problems\n(03.11.24): https://www.virustotal.com/graph/embed/g8619c830b2c24d849472aef95a362ce113e12cd6d68849e7a83c7eca387a378a?theme=dark", "modified": "2024-09-29T20:01:29.028000", "created": "2024-06-25T17:03:27.155000", "tags": [ "entity", "please", "javascript", "xwwmwh4cg2hpw" ], "references": [ "https://www.virustotal.com/graph/embed/g8619c830b2c24d849472aef95a362ce113e12cd6d68849e7a83c7eca387a378a?theme=dark", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/summary", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/iocs", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/graph", "08.30.24: e1ec7ebd4046143153dd28dd2b5a54cf34edd137c6288f4e56c6449f0753a986 (VT)", "08.30.24: Report ID: \t 6a27e451-df79-4f90-a022-9aa15cb58cea (Filescanio)" ], "public": 1, "adversary": "Norton Norton Lifelock Telus", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 50, "FileHash-SHA1": 54, "FileHash-SHA256": 831, "URL": 1120, "domain": 181, "hostname": 261 }, "indicator_count": 2497, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "611 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66a4d15c60edc83ca6bfc97e", "name": "Fraud Services, Updates, Network Worm, SpyWare - Misc Attack", "description": "", "modified": "2024-08-26T10:04:37.360000", "created": "2024-07-27T10:52:12.501000", "tags": [ "united", "unknown", "a domains", "search", "creation date", "record value", "cyberlynk", "date", "expiration date", "title", "encrypt", "body", "as54113", "aaaa", "cname", "next", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "files", "type name", "android", "server", "registrar abuse", "dnssec", "domain name", "contact phone", "registrar url", "registrar whois", "registrar", "llc registry", "code", "key identifier", "subject key", "identifier", "x509v3 key", "first", "dns replication", "historical ssl", "no data", "tag count", "fakedout threat", "analyzer threat", "url summary", "ip summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "site", "malware", "safe site", "million", "alexa top", "malicious site", "phishing site", "suspected", "unsafe", "wacatac", "artemis", "iframe", "presenoker", "phishing", "opencandy", "downldr", "cleaner", "conduit", "riskware", "nircmd", "swrort", "tiggre", "agent", "filetour", "fusioncore", "unruy", "crack", "exploit", "cobalt strike", "xrat", "alexa", "acint", "systweak", "behav", "genkryptik", "blacknet rat", "stealer", "installpack", "azorult", "service", "runescape", "facebook", "bank", "download", "zbot", "xtrat", "installcore", "patcher", "adload", "win64", "class", "twitter", "accept", "malware site", "maltiverse", "ransomware", "phishingms", "anonymisation", "suppobox", "emotet", "revengerat", "downloader", "emailworm", "ramnit", "warbot", "citadel", "zeus", "simda", "keitaro", "virut", "team", "cultureneutral", "get na", "show", "delete c", "delete", "yara detections", "copy", "nivdort", "write", "trojanspy", "bayrob", "intel", "ms windows", "default", "pe32 executable", "document file", "v2 document", "pe32", "worm", "entries", "td td", "rufus", "mtb apr", "servers", "as39122", "span", "github pages", "passive dns", "formbook cnc", "checkin", "dridex", "request", "less see", "http request", "status", "name servers", "certificate", "urls", "div div", "header click", "meta", "homepage", "form", "date hash", "avast avg", "backdoor", "mtb jul", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "sha256", "sha1", "ascii text", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "null", "hybrid", "refresh", "general", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "suspicious", "windows nt", "apache", "path", "pragma", "footer", "as8068", "as8075", "as15169 google", "as16552 tiggee", "virtool", "related pulses", "file samples", "files matching", "showing", "domain", "as22612", "as397240", "as19527 google", "moved", "gmt server", "as20940", "as4230 claro", "trojan", "ninite", "as2914 ntt", "win32", "brazil unknown", "brazil", "invalid url", "trojandropper", "body html", "head title", "asnone united", "as23393" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "India" ], "malware_families": [ { "id": "Dridex", "display_name": "Dridex", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1034, "domain": 1210, "email": 13, "hostname": 1031, "FileHash-SHA1": 685, "FileHash-SHA256": 1036, "FileHash-MD5": 927, "CVE": 10 }, "indicator_count": 5946, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "645 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6656e6dbbe018a2dcb28a8e0", "name": "advancedstream.net - Acquired Apple iOS infrastructure, DNS,", "description": "Apple iOS service modifier.", "modified": "2024-06-28T08:01:11.978000", "created": "2024-05-29T08:27:07.009000", "tags": [ "reverse dns", "location united", "america flag", "lakewood", "united", "america asn", "dns resolutions", "domain", "domain status", "server", "algorithm", "key usage", "xcitium verdict", "cloud", "popularity", "rank position", "info", "date", "registrar abuse", "iana id", "contact phone", "dnssec", "registrar url", "registrar whois", "llc registry", "expiry date", "first", "law firm", "fort wayne", "co", "referrer", "historical ssl", "name verdict", "falcon sandbox", "sha256", "ascii text", "sha1", "size", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "span", "hybrid", "body", "footer", "contact", "local", "encrypt", "click", "facebook", "strings", "meta", "district", "generator", "code", "service", "bill", "nemtih", "sredrum", "co lp", "dynamicloader", "default", "medium", "show", "http request", "http", "delete", "ids detections", "yara detections", "copy", "powershell", "win64", "write", "malware", "download", "malware", "trojan", "windows", "shellexecuteexw", "search", "entries", "writeconsolew", "registry", "t1031", "modify existing", "dock", "win32" ], "references": [ "Reverse DNS: advancedstream.net Location: United States of America - Lakewood, Colorado United States of America", "ASN AS30170 isomedia inc. DNS Resolutions 1 Domain", "spamgateway.advancedstream.net", "smtpha.momentumtelecom.com", "cityoffortwayne.org | detect.cityoffortwayne.org | https://engage.cityoffortwayne.org/", "https://utilities.cityoffortwayne.org/wp-content/uploads/2023/05/2023-Biosolids-Info-Sheet.pdf", "podcast.hallco.org hmmm? Who could it be.", "IDS Detections: PE EXE or DLL Windows file download HTTP | SUSPICIOUS Dotted Quad Host MZ Response | Packed Executable Download", "IDS Detectionsa: Executable Download from dotted-quad Host | Terse alphanumeric executable downloader high likelihood of being hostile", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users", "Alerts: network_ip_exe network_questionable_http_path suricata_alert", "Alerts: dynamic_function_loading powershell_download powershell_request network_cnc_http network_http", "Alerts: dead_connect antivm_network_adapters", "https://otx.alienvault.com/indicator/file/a909dd4960d4da51de82e4dfff0a5aa60e35da6b2845680716ad832dc1d8b010", "http://www.leechburg.k12.pa.us/cms/lib09/PA01916522/Centricity/Domain/4/Mr.%20Ritzel%20obituary.pdf", "https://ato.gov.au.69741db048f4bdd03a6dad409e702ab4.grantelgin.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:CoinminerX-gen\\ [Trj]", "display_name": "Win32:CoinminerX-gen\\ [Trj]", "target": null }, { "id": "Win.Malware.Tofsee-6958935-0", "display_name": "Win.Malware.Tofsee-6958935-0", "target": null }, { "id": "Trojan:Win32/SmokeLoader.YL", "display_name": "Trojan:Win32/SmokeLoader.YL", "target": "/malware/Trojan:Win32/SmokeLoader.YL" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [ "Civil Society", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 338, "FileHash-SHA1": 77, "email": 2, "hostname": 497, "URL": 928, "FileHash-SHA256": 572, "FileHash-MD5": 76, "SSLCertFingerprint": 6 }, "indicator_count": 2496, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "704 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e3d1a94659d50264a78fd4", "name": "Phishing | TabExplorer attacks compromised networks and devices", "description": "", "modified": "2024-04-02T01:01:20.068000", "created": "2024-03-03T01:26:01.043000", "tags": [ "command decode", "suricata ipv4", "mitre att", "ck id", "show technique", "ck matrix", "suricata udpv4", "date", "united", "windows nt", "win64", "hybrid", "general", "click", "strings", "contact", "url http", "url https", "scan endpoints", "all octoseek", "report spam", "hour ago", "whois record", "glasgow", "scan", "iocs", "next", "filehashsha256", "filehashmd5", "filehashsha1", "ipv4", "contacted", "execution", "pe resource", "communicating", "urls http", "referrer", "resolutions", "whois whois", "collections ip", "phishing", "attack", "loaded module", "remote procedure call", "search", "as15133 verizon", "passive dns", "urls", "creation date", "record value", "showing", "unknown", "as8075", "as15169 google", "as8068", "aaaa", "cname", "a domains", "meta", "entries", "gmt server", "ecacc saa83dd", "cobalt strike", "mozilla", "body", "brian sabey", "hallrender", "dynamicloader", "show", "alerts", "trojan", "copy", "dynamic", "medium", "reads", "write", "stealth network", "stealth_network", "script urls", "certificate", "rsa sha256", "exports data", "high", "yara rule", "yara detections", "njrat", "cape", "njrat malware", "sniffs", "guard", "write c", "delete c", "ms windows", "default", "intel", "openpgp public", "stream", "antivm_generic_disk", "antivm_generic_bios", "network_bind", "stealth_file spawns_dev_utility", "procmem_yara", "enumerates_physical_drives", "persistence_ads", "dynamic_function_loading", "reads_self", "suspicious_command_tools", "network", "rat" ], "references": [ "http://www.tabxexplorer.com [phishing]", "http://www.tabxexplorer.com/lenovo", "GET /lenovo HTTP/1.1 Host: www.tabxexplorer.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0", "identity_helper.exe", "cdn.easykeys.com", "hive21.ctcsoftware.com", "www.moxa.com", "msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com", "IDS Detections: Cobalt Strike Malleable C2 JQuery", "IDS Detections: Nullsoft Mozilla UA (NSISDL)", "IDS Detections: Observed Suspicious UA (NSISDL/1.2 (Mozilla))", "IDS Detections: SSL excessive fatal alerts (possible POODLE attack against server)", "IDS Detections: GENERIC Likely Malicious Fake IE Downloading .exe", "Tulach Malware: 114.114.114.114", "ns3.hallgrandsale.ru", "AgentTesla.KM: FileHash-MD5 e0801d62e8379b98177fd94a027e8b30", "AgentTesla.KM: FileHash-SHA1 0fa00a939ca8af08c90310b808d1d8fc70a518c3", "Yara Detection: Nullsoft_NSIS" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "ALF:Trojan:MSIL/AgentTesla.KM", "display_name": "ALF:Trojan:MSIL/AgentTesla.KM", "target": null }, { "id": "ALF:Win32/GbdInf_305B1C9A.J!ibt", "display_name": "ALF:Win32/GbdInf_305B1C9A.J!ibt", "target": "/malware/ALF:Win32/GbdInf_305B1C9A.J!ibt" }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HackTool:Win32/CobaltStrike.A", "display_name": "HackTool:Win32/CobaltStrike.A", "target": "/malware/HackTool:Win32/CobaltStrike.A" }, { "id": "HackTool:Win32/Atosev.A", "display_name": "HackTool:Win32/Atosev.A", "target": "/malware/HackTool:Win32/Atosev.A" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Win.Malware.Generickdz-9938530-0", "display_name": "Win.Malware.Generickdz-9938530-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Civil Society", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5551, "hostname": 1690, "domain": 929, "FileHash-SHA256": 2696, "FileHash-MD5": 405, "FileHash-SHA1": 315, "email": 4, "SSLCertFingerprint": 1 }, "indicator_count": 11591, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658cebdb940830a62e78a0db", "name": "Maui Ransomware | Virus Network", "description": "", "modified": "2024-01-27T03:00:49.486000", "created": "2023-12-28T03:30:35.847000", "tags": [ "write c", "read c", "process32nextw", "search", "regsetvalueexa", "show", "regdword", "png image", "showing", "entries", "loader", "write", "suspicious", "ghost rat", "webtoolbar", "nanocore rat", "persistence", "execution", "malware", "copy", "xport", "next", "unknown", "create c", "tlsv1", "united", "pupadware", "malware install", "default", "http header", "http requests", "stack_string", "allocates rwx", "network http", "injection process search", "dumped buffer", "antivm network adapters", "antisandbox", "foregroundwindows", "queries programs", "privilege luid check", "infostealer browser", "creates exe", "network icmp", "reads user agent", "modifies proxy wpad", "modifies certificates", "xor 0x20 xord javascript", "js", "stack string", "locates browser", "loader agent", "yara", "ids", "hallrender", "hijacker", "frigostInjector", "inject", "teams", "cp", "cyber", "monitoring", "cyber stalking", "brian sabey", "mark sabey", "load casino.com", "fallback playback intaller", "modify registry", "abuse", "revenge", "grayware", "installer", "win32 exe", "pe32", "intel", "ms windows", "windows control", "panel item", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "code signing", "assured id", "algorithm", "serial number", "issuer digicert", "name digicert", "thumbprint", "playtech plc", "original name", "internal name", "installer file", "version", "english us", "rticon english", "sections", "data english", "png png", "ico rtgroupicon", "struct", "et", "http method", "get http", "dns resolutions", "traffic", "get https", "get dns", "ip traffic", "hashes", "userprofile", "user", "file system", "files written", "files deleted", "files dropped", "urls", "contacted", "ip detections", "country", "files", "file type", "javascript", "shell", "kb file", "graph", "tsara brashears", "quasar", "relacionada", "emotet", "virus network", "maui ransomware", "agent tesla", "omnipoint", "cyberstalking", "lolkek", "attack", "core", "stealer", "remcos", "critical", "evilnum", "ursnif", "djvu", "asyncrat", "project", "redline stealer", "hacktool", "whois record", "ssl certificate", "pe resource", "collections", "communicating", "malicious", "apple", "family", "scoreblue" ], "references": [ "FILEHASH - MD5 3ce9d145f7e596bfdadd1d809cb78347", "Alerts", "Playtech Installer PUP/Adware", "Playtech Downloader Online Gaming Checkin" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null }, { "id": "ASCII", "display_name": "ASCII", "target": null }, { "id": "Trojan.Playtech/CrossRider", "display_name": "Trojan.Playtech/CrossRider", "target": null }, { "id": "Redline Stealer", "display_name": "Redline Stealer", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Hacktool", "display_name": "Hacktool", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "EVILNUM", "display_name": "EVILNUM", "target": null }, { "id": "Djvu", "display_name": "Djvu", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 136, "FileHash-SHA1": 88, "FileHash-SHA256": 424, "SSLCertFingerprint": 1, "URL": 149, "hostname": 241, "domain": 31, "email": 1, "CVE": 1 }, "indicator_count": 1072, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "858 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65551682899b039e02b8dc8a", "name": "Apple | iOS | Automated Attacks | Resource Hijacking | Google Tracker", "description": "Boot or Logon Autostart Execution\nCommand and Scripting Interpreter\nAutomated Collection\nWebToolbar \nAmazon rsa\nAmazon02\nAmazon S3\nPrivilege Abuse\nRetaliation", "modified": "2023-12-15T18:02:25.356000", "created": "2023-11-15T19:05:38.437000", "tags": [ "strong", "saal digital", "photo portal", "daten", "support", "saal", "bersicht", "informationen", "profis", "rabatte fr", "service", "heur", "malware", "cisco umbrella", "adware", "safe site", "malware site", "malicious site", "phishing site", "alexa top", "million", "tiggre", "presenoker", "agent", "opencandy", "conduit", "unsafe", "wacatac", "artemis", "phishing", "iframe", "installpack", "xrat", "fusioncore", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "genkryptik", "exploit", "filetour", "cleaner", "webtoolbar", "trojanspy", "get fdm", "ms windows", "pe32", "intel", "search", "show", "united", "entries", "systemdrive", "program files", "installer", "write", "delphi", "next", "june", "win32", "copy", "pixel", "search live", "api blog", "docs pricing", "november", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "variables", "langpage string", "lang", "saalgroup", "creoletohtml", "chat", "reverse dns", "resource", "general full", "asn16509", "amazon02", "url https", "security tls", "protocol h2", "hash", "get h2", "main", "request chain", "http", "de redirected", "http redirect", "site", "malicious url", "blacklist https", "domain", "screenshot", "windows nt", "win64", "khtml", "gecko", "amazons3", "aes128gcm", "amazon rsa", "aes256", "date", "name verdict", "pattern match", "root ca", "script", "done adding", "catalog file", "file", "indicator", "authority", "class", "mitre att", "meta", "unknown", "error", "hybrid", "accept", "general", "local", "click", "strings", "generator", "critical", "refresh", "tools", "null", "body", "create c", "html document", "xport", "noname057", "generic malware", "generic", "dapato", "alexa", "installcore", "downloader", "dropper", "outbreak", "iobit", "mediaget", "azorult", "runescape", "facebook", "bank", "download", "live", "rms", "maltiverse", "cyber threat", "engineering", "services", "malicious host", "malicious", "team", "zeus", "nymaim", "zbot", "simda", "asyncrat", "cobalt strike", "ransomware", "matsnu", "cutwail", "citadel", "pykspa", "raccoon", "kronos", "ramnit", "redline stealer", "apple", "apple", "html info", "title saal", "meta tags", "trackers google", "tag manager", "gtm5wjlq2", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "hostname", "anonymizer", "firehol", "mail spammer", "team proxy", "kraken", "suppobox", "tofsee", "vawtrak", "hotmail", "netsky", "stealer", "blacknet rat", "remcos", "miner", "hacktool", "trojan", "detplock", "team phishing", "a nxdomain", "passive dns", "scan endpoints", "all octoseek", "pulse pulses", "urls", "files", "ip address", "all search", "otx octoseek", "files ip", "contacted", "whois record", "ssl certificate", "pe resource", "bundled", "attack", "parent", "historical ssl", "collections", "communicating", "emotet", "execution", "markmonitor inc", "vhash", "authentihash", "imphash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "archive", "valid", "serial number", "valid from", "valid usage", "code signing", "status status", "valid issuer", "assured id", "issuer issuer", "symantec sha256", "sections", "file type", "trid generic", "cil executable", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "sections name", "streams size", "entropy chi2", "guid", "blob", "namecheap", "ip detections", "country", "resolutions", "referrer", "whois whois", "threat roundup", "parent domain", "CVE-2023-22518", "CVE-2017-0143", "CVE-2017-0147", "CVE-2020-0601", "CVE-2017-8570", "CVE-2018-4893", "CVE-2017-11882", "CVE-2017-0199", "CVE-2014-3153", "W32.AIDetectNet.01", "trojan.adload/ursu", "targeting tsara brashears", "cybercrime", "privilege escalation", "defacement", "privilege abuse", "soc", "red team", "social engineering", "retaliation", "assault victim", "obsession" ], "references": [ "https://hybrid-analysis.com/sample/9e8ce8607b7f32f6f66c8126851a55818ff775ee060d2c448679e5eb1e22ba2a", "https://www.saal-digital.de/ordercockpit/?email=christ.robert@gmx.de&ordernumber=802109030129517", "\u2193 Interesting \u2193", "owa.telegrafix.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Phishing)", "christ.robert@gmx.de", "https://simtk.org/projects/sv_tests (Tsara Brashears project?)", "https://itunes.apple.com/de/app/saal-design-app/id1481631197?mt=8", "https://play.google.com/store/apps/details?id=com.saaldigital.designerapp.de&hl=de", "BEELab_web_1.0.2-prerelease.exe", "AfraidZad.exe", "https://mail.greycroft.com/owa/redir.aspx?SURL=a0oI1dvGGkFYUoACVEbN8REVrmfS6H0MhUvXdexgmertl7bBVhrTCGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAcgBvAGQAdQBjAHQAaAB1AG4AdAAuAGMAbwBtAC8AdABlAGMAaAAvAGEAbgBpAG0AYQB0AGkAYwA.&URL=https://www.producthunt.com/tech/animatic", "greycroftpartners.com", "http://videotubeplayer.com/?groupds=1&clientId=201&productId=1407&tracking=w5JJ46MKQI493DMO1NDNTQ6K&publisher_id=", "trkpls3.com", "eg-monitoring.com", "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/", "https://twitter.com/PORNO_SEXYBABES" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Italy", "Singapore", "France", "Germany", "Korea, Republic of" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 841, "FileHash-SHA1": 467, "FileHash-SHA256": 6370, "CVE": 9, "domain": 2160, "hostname": 3074, "email": 1, "URL": 6550, "SSLCertFingerprint": 1, "CIDR": 3 }, "indicator_count": 19476, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "900 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655516871038cbad9eae2bb7", "name": "Apple | iOS | Automated Attacks | Resource Hijacking | Google Tracker", "description": "Boot or Logon Autostart Execution\nCommand and Scripting Interpreter\nAutomated Collection\nWebToolbar \nAmazon rsa\nAmazon02\nAmazon S3\nPrivilege Abuse\nRetaliation", "modified": "2023-12-15T18:02:25.356000", "created": "2023-11-15T19:05:43.285000", "tags": [ "strong", "saal digital", "photo portal", "daten", "support", "saal", "bersicht", "informationen", "profis", "rabatte fr", "service", "heur", "malware", "cisco umbrella", "adware", "safe site", "malware site", "malicious site", "phishing site", "alexa top", "million", "tiggre", "presenoker", "agent", "opencandy", "conduit", "unsafe", "wacatac", "artemis", "phishing", "iframe", "installpack", "xrat", "fusioncore", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "genkryptik", "exploit", "filetour", "cleaner", "webtoolbar", "trojanspy", "get fdm", "ms windows", "pe32", "intel", "search", "show", "united", "entries", "systemdrive", "program files", "installer", "write", "delphi", "next", "june", "win32", "copy", "pixel", "search live", "api blog", "docs pricing", "november", "de indicators", "domains", "hashes", "copyright", "gmbh version", "follow", "value", "variables", "langpage string", "lang", "saalgroup", "creoletohtml", "chat", "reverse dns", "resource", "general full", "asn16509", "amazon02", "url https", "security tls", "protocol h2", "hash", "get h2", "main", "request chain", "http", "de redirected", "http redirect", "site", "malicious url", "blacklist https", "domain", "screenshot", "windows nt", "win64", "khtml", "gecko", "amazons3", "aes128gcm", "amazon rsa", "aes256", "date", "name verdict", "pattern match", "root ca", "script", "done adding", "catalog file", "file", "indicator", "authority", "class", "mitre att", "meta", "unknown", "error", "hybrid", "accept", "general", "local", "click", "strings", "generator", "critical", "refresh", "tools", "null", "body", "create c", "html document", "xport", "noname057", "generic malware", "generic", "dapato", "alexa", "installcore", "downloader", "dropper", "outbreak", "iobit", "mediaget", "azorult", "runescape", "facebook", "bank", "download", "live", "rms", "maltiverse", "cyber threat", "engineering", "services", "malicious host", "malicious", "team", "zeus", "nymaim", "zbot", "simda", "asyncrat", "cobalt strike", "ransomware", "matsnu", "cutwail", "citadel", "pykspa", "raccoon", "kronos", "ramnit", "redline stealer", "apple", "apple", "html info", "title saal", "meta tags", "trackers google", "tag manager", "gtm5wjlq2", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "self", "tag count", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "hostname", "anonymizer", "firehol", "mail spammer", "team proxy", "kraken", "suppobox", "tofsee", "vawtrak", "hotmail", "netsky", "stealer", "blacknet rat", "remcos", "miner", "hacktool", "trojan", "detplock", "team phishing", "a nxdomain", "passive dns", "scan endpoints", "all octoseek", "pulse pulses", "urls", "files", "ip address", "all search", "otx octoseek", "files ip", "contacted", "whois record", "ssl certificate", "pe resource", "bundled", "attack", "parent", "historical ssl", "collections", "communicating", "emotet", "execution", "markmonitor inc", "vhash", "authentihash", "imphash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "archive", "valid", "serial number", "valid from", "valid usage", "code signing", "status status", "valid issuer", "assured id", "issuer issuer", "symantec sha256", "sections", "file type", "trid generic", "cil executable", "contained", "details module", "version id", "typelib id", "header target", "machine intel", "utc entry", "point", "sections name", "streams size", "entropy chi2", "guid", "blob", "namecheap", "ip detections", "country", "resolutions", "referrer", "whois whois", "threat roundup", "parent domain", "CVE-2023-22518", "CVE-2017-0143", "CVE-2017-0147", "CVE-2020-0601", "CVE-2017-8570", "CVE-2018-4893", "CVE-2017-11882", "CVE-2017-0199", "CVE-2014-3153", "W32.AIDetectNet.01", "trojan.adload/ursu", "targeting tsara brashears", "cybercrime", "privilege escalation", "defacement", "privilege abuse", "soc", "red team", "social engineering", "retaliation", "assault victim", "obsession" ], "references": [ "https://hybrid-analysis.com/sample/9e8ce8607b7f32f6f66c8126851a55818ff775ee060d2c448679e5eb1e22ba2a", "https://www.saal-digital.de/ordercockpit/?email=christ.robert@gmx.de&ordernumber=802109030129517", "\u2193 Interesting \u2193", "owa.telegrafix.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Phishing)", "christ.robert@gmx.de", "https://simtk.org/projects/sv_tests (Tsara Brashears project?)", "https://itunes.apple.com/de/app/saal-design-app/id1481631197?mt=8", "https://play.google.com/store/apps/details?id=com.saaldigital.designerapp.de&hl=de", "BEELab_web_1.0.2-prerelease.exe", "AfraidZad.exe", "https://mail.greycroft.com/owa/redir.aspx?SURL=a0oI1dvGGkFYUoACVEbN8REVrmfS6H0MhUvXdexgmertl7bBVhrTCGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAcgBvAGQAdQBjAHQAaAB1AG4AdAAuAGMAbwBtAC8AdABlAGMAaAAvAGEAbgBpAG0AYQB0AGkAYwA.&URL=https://www.producthunt.com/tech/animatic", "greycroftpartners.com", "http://videotubeplayer.com/?groupds=1&clientId=201&productId=1407&tracking=w5JJ46MKQI493DMO1NDNTQ6K&publisher_id=", "trkpls3.com", "eg-monitoring.com", "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/", "https://twitter.com/PORNO_SEXYBABES" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "Italy", "Singapore", "France", "Germany", "Korea, Republic of" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "RMS", "display_name": "RMS", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 83, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 841, "FileHash-SHA1": 467, "FileHash-SHA256": 6370, "CVE": 9, "domain": 2160, "hostname": 3074, "email": 1, "URL": 6550, "SSLCertFingerprint": 1, "CIDR": 3 }, "indicator_count": 19476, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "900 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "IDS Detections: Cobalt Strike Malleable C2 JQuery", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "08.30.24: Report ID: \t 6a27e451-df79-4f90-a022-9aa15cb58cea (Filescanio)", "https://simtk.org/projects/sv_tests (Tsara Brashears project?)", "T1110.001 (Brute Force: Password Guessing)", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/graph", "greycroftpartners.com", "http://www.leechburg.k12.pa.us/cms/lib09/PA01916522/Centricity/Domain/4/Mr.%20Ritzel%20obituary.pdf", "Playtech Downloader Online Gaming Checkin", "IDS Detectionsa: Executable Download from dotted-quad Host | Terse alphanumeric executable downloader high likelihood of being hostile", "AgentTesla.KM: FileHash-MD5 e0801d62e8379b98177fd94a027e8b30", "https://otx.alienvault.com/indicator/file/a909dd4960d4da51de82e4dfff0a5aa60e35da6b2845680716ad832dc1d8b010", "Obfuscation: XOR-based String Encryption (0x20)", "www.moxa.com", "Yara Detection: Nullsoft_NSIS", "http://www.tabxexplorer.com/lenovo", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/summary", "\u2193 Interesting \u2193", "hive21.ctcsoftware.com", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset.", "christ.robert@gmx.de", "http://crd.gov.pl/wzor/2016/08/05/3413/", "IDS Detections: Observed Suspicious UA (NSISDL/1.2 (Mozilla))", "Alerts: network_ip_exe network_questionable_http_path suricata_alert", "identity_helper.exe", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/iocs", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "http://crd.gov.pl/xml/schematy/dziedzinowe/mf/2016/07/29/eD/VATZD/", "IDS Detections: GENERIC Likely Malicious Fake IE Downloading .exe", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "http://www.iform.pl/txtfile/makra.pdf", "Alerts", "trkpls3.com", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users", "Office_Document_with_VBA_Project .yar", "msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com", "http://www.tabxexplorer.com [phishing]", "https://ato.gov.au.69741db048f4bdd03a6dad409e702ab4.grantelgin.com/", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "Playtech Installer PUP/Adware", "https://twitter.com/PORNO_SEXYBABES", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "Reverse DNS: advancedstream.net Location: United States of America - Lakewood, Colorado United States of America", "08.30.24: e1ec7ebd4046143153dd28dd2b5a54cf34edd137c6288f4e56c6449f0753a986 (VT)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "https://play.google.com/store/apps/details?id=com.saaldigital.designerapp.de&hl=de", "eg-monitoring.com", "https://utilities.cityoffortwayne.org/wp-content/uploads/2023/05/2023-Biosolids-Info-Sheet.pdf", "AgentTesla.KM: FileHash-SHA1 0fa00a939ca8af08c90310b808d1d8fc70a518c3", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "https://www.saal-digital.de/ordercockpit/?email=christ.robert@gmx.de&ordernumber=802109030129517", "spamgateway.advancedstream.net", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "ASN AS30170 isomedia inc. DNS Resolutions 1 Domain", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "smtpha.momentumtelecom.com", "FILEHASH - MD5 3ce9d145f7e596bfdadd1d809cb78347", "https://hybrid-analysis.com/sample/9e8ce8607b7f32f6f66c8126851a55818ff775ee060d2c448679e5eb1e22ba2a", "Alerts: dynamic_function_loading powershell_download powershell_request network_cnc_http network_http", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "IDS Detections: PE EXE or DLL Windows file download HTTP | SUSPICIOUS Dotted Quad Host MZ Response | Packed Executable Download", "http://videotubeplayer.com/?groupds=1&clientId=201&productId=1407&tracking=w5JJ46MKQI493DMO1NDNTQ6K&publisher_id=", "podcast.hallco.org hmmm? Who could it be.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "https://itunes.apple.com/de/app/saal-design-app/id1481631197?mt=8", "https://www.virustotal.com/graph/embed/g8619c830b2c24d849472aef95a362ce113e12cd6d68849e7a83c7eca387a378a?theme=dark", "Tulach Malware: 114.114.114.114", "cityoffortwayne.org | detect.cityoffortwayne.org | https://engage.cityoffortwayne.org/", "AfraidZad.exe", "http://crd.gov.pl/xml/schematy/dziedzinowe/mf/2016/01/25/eD/DefinicjeTypy/", "Raport VirusTotal dla JPK_VAT-7K_11_.xls.html", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "IDS Detections: SSL excessive fatal alerts (possible POODLE attack against server)", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "owa.telegrafix.com", "cdn.easykeys.com", "https://mail.greycroft.com/owa/redir.aspx?SURL=a0oI1dvGGkFYUoACVEbN8REVrmfS6H0MhUvXdexgmertl7bBVhrTCGgAdAB0AHAAcwA6AC8ALwB3AHcAdwAuAHAAcgBvAGQAdQBjAHQAaAB1AG4AdAAuAGMAbwBtAC8AdABlAGMAaAAvAGEAbgBpAG0AYQB0AGkAYwA.&URL=https://www.producthunt.com/tech/animatic", "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/", "ns3.hallgrandsale.ru", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "BEELab_web_1.0.2-prerelease.exe", "IDS Detections: Nullsoft Mozilla UA (NSISDL)", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "Alerts: dead_connect antivm_network_adapters", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ (Phishing)", "GET /lenovo HTTP/1.1 Host: www.tabxexplorer.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "Norton Norton Lifelock Telus" ], "malware_families": [ "Alf:win32/gbdinf_305b1c9a.j!ibt", "Dridex", "Maui ransomware", "Remcos", "Win32:coinminerx-gen\\ [trj]", "Trojan.playtech/crossrider", "Redline stealer", "Lolkek", "Md5 hash: f8add7e7161460ea2b1970cf4ca535bf", "Generic", "Trojan:win32/zombie.a", "Win.malware.generickdz-9938530-0", "Rms", "Malware family: stealthworker / gobrut", "Quasar rat", "Alf:trojan:msil/agenttesla.km", "Alf:jasyp:trojandownloader:win32/smallagent!atmn", "Hacktool", "Emotet", "Agent tesla", "Evilnum", "Hacktool:win32/cobaltstrike.a", "Asyncrat", "Maltiverse", "Sabey", "Ascii", "Ghost rat", "Djvu", "Alf:heraklezeval:trojan:win32/clipbanker", "Cobalt strike", "Win.malware.tofsee-6958935-0", "Trojan:win32/smokeloader.yl", "Webtoolbar", "Tulach", "Win32:malware-gen", "Hallrender", "Hacktool:win32/atosev.a", "Nanocore rat", "Trojanspy" ], "industries": [ "Technology", "Telecommunications", "Civil society" ], "unique_indicators": 82615 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/symcb.com", "whois": "http://whois.domaintools.com/symcb.com", "domain": "symcb.com", "hostname": "s.symcb.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 13, "pulses": [ { "id": "6a068aad93e73083e6d0a325", "name": "Credit Q.Vashti [\"Ransom | ts-aia.ws.symantec.com | Custom Wheelchchair\"] Clone", "description": "", "modified": "2026-05-15T02:53:33.613000", "created": "2026-05-15T02:53:33.613000", "tags": [ "united", "status", "name servers", "germany", "present feb", "pattern", "passive dns", "urls", "creation date", "alfper", "date", "trojan", "virtool", "span", "body", "sameorigin", "date sun", "connection", "csc corporate", "domains", "markmonitor", "threat score", "av detection", "community score", "scan analysis", "malicious", "crowdstrike", "access falcon", "prevent free", "trial falcon", "timestamp input", "windows error", "file", "windows", "hwp support", "mitre att", "type", "mime", "logo analysis", "ob0001 defense", "evasion ob0006", "impact ob0008", "file system", "oc0001 memory", "system oc0008", "cname", "ttl value", "catalog tree", "analysis ob0001", "analysis ob0002", "ob0005 defense", "ob0013 file", "system oc0001", "memory oc0002", "process oc0003", "memory pattern", "get http", "resolved ips", "dns resolutions", "av info", "llmnr query", "entries", "response", "ms windows", "search", "intel", "pe32", "show", "write c", "copy", "write", "hupigon", "malware", "next" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": "685500d67d6f41d99a2551ae", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 401, "FileHash-SHA1": 406, "FileHash-SHA256": 1936, "URL": 173, "email": 2, "domain": 6, "hostname": 128 }, "indicator_count": 3052, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-24T13:20:48.450000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 108, "CIDR": 6 }, "indicator_count": 33118, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "39 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "685556a7e31c87eb612ebecb", "name": "Spyware affecting vendor & victims of services", "description": "100/100 malicious. Strange backstory. Patterns.\nEither the vendor is hacked or they have social engineer victims and also compromised their systems. | Needs more investigation. \n\n| Spyware | Malware | Invasive\nAccesses potentially sensitive information from local browsers\n| Evasive |\nPossibly checks for the presence of a forensics/monitoring tool. ||\n\nYara detected UAC Bypass using CMSTP\n2.0\nConnects to many different private IPs (likely to spread or exploit)\n2.0\nConnects to many different private IPs via SMB (likely to spread or exploit)\n\n#ransom #evader # defense # spyware #rat #phishing #malicious #adversarial #trojan # malware #maldoc #voidtools #banker #exploit #botnet #targeting #cnc #crypto #self_delete", "modified": "2025-07-20T07:05:14.546000", "created": "2025-06-20T12:40:07.756000", "tags": [ "get http", "catalog tree", "analysis ob0001", "analysis ob0002", "ob0005 defense", "evasion ob0006", "impact ob0008", "ob0013 file", "system oc0001", "memory oc0002", "process oc0003", "access ta0001", "ta0004 defense", "evasion ta0005", "ta0007 lateral", "movement ta0008", "command", "control ta0011", "impact ta0040", "file details", "filename", "file type", "pe32", "intel", "ms windows", "file size", "sha1", "sha256", "mwdb", "parent pid", "full path", "command line", "k netsvcs", "bypass", "getvm", "imagepath", "stopvm", "getvhd", "getvolume", "accept", "gmt ifnonematch", "googleupdater", "host", "url data", "files", "ip address", "port", "tcp connections", "cname", "name response", "nxdomain", "country name", "passive dns", "urls", "pulse pulses", "http", "related nids", "files location", "canada flag", "canada hostname", "files domain", "windows error", "file", "windows", "hwp support", "mitre att", "logo analysis", "type", "mime", "av detection", "community score", "writes", "pe file", "openpgp public", "openpgp secret", "sample", "creates", "defender", "code", "persistence", "file info", "file name", "mb sha256", "submission path", "ssdeep", "associated urls", "anonymous", "falcon sandbox", "submissions", "timestamp input", "status", "mac catalina", "macosx error", "wubgbswiq22", "linux", "ubuntu", "linux error", "defense evasion", "access ta0006", "ta0009 command" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 194, "FileHash-SHA1": 182, "FileHash-SHA256": 1125, "URL": 155, "hostname": 118, "domain": 5 }, "indicator_count": 1779, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "317 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "685500d67d6f41d99a2551ae", "name": "Ransom | ts-aia.ws.symantec.com | Custom Wheelchair Vendor", "description": "PUA.MSIL.Mediafwdownloader\n[458cb153172946c32fff4b10fad2d740.msi]\ntrojan.mimic/defendercontrol\n#ransom\n[279dbb1984d32a99caf4a0b82a1519e1bacabed43af723398c631a7d17352fe9]\n#mimic\n#discovery\n#evasion\n#execution\n#persistence\n#ransomware\n#trojan\n#malware\n#jaffacakes118\n#mimic.exe #shadowy #quasi #attack \nSigma | UAC Bypass via ICMLuaUtil by Florian Roth (Nextron Systems), Elastic (idea) | Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel\n| CMSTP UAC Bypass via COM Object Access by Nik Seetharaman, Christian Burkard (Nextron Systems)\n| Shell Open Registry Keys Manipulation by Christian Burkard (Nextron Systems) | \nWin.Malware.Mikey-6856849-0 | *need access to otx features #glitching", "modified": "2025-07-20T06:03:58.975000", "created": "2025-06-20T06:33:57.521000", "tags": [ "united", "status", "name servers", "germany", "present feb", "pattern", "passive dns", "urls", "creation date", "alfper", "date", "trojan", "virtool", "span", "body", "sameorigin", "date sun", "connection", "csc corporate", "domains", "markmonitor", "threat score", "av detection", "community score", "scan analysis", "malicious", "crowdstrike", "access falcon", "prevent free", "trial falcon", "timestamp input", "windows error", "file", "windows", "hwp support", "mitre att", "type", "mime", "logo analysis", "ob0001 defense", "evasion ob0006", "impact ob0008", "file system", "oc0001 memory", "system oc0008", "cname", "ttl value", "catalog tree", "analysis ob0001", "analysis ob0002", "ob0005 defense", "ob0013 file", "system oc0001", "memory oc0002", "process oc0003", "memory pattern", "get http", "resolved ips", "dns resolutions", "av info", "llmnr query", "entries", "response", "ms windows", "search", "intel", "pe32", "show", "write c", "copy", "write", "hupigon", "malware", "next" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 401, "FileHash-SHA1": 406, "FileHash-SHA256": 1936, "URL": 173, "email": 2, "domain": 6, "hostname": 128 }, "indicator_count": 3052, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "317 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "681f8117bec95b5ddab4dbf8", "name": "JPK_VAT-7K_11_.xls cc3ff66548d49212ae9b4b28c5a01e9ee50ae2d090cdf1b7747dc8a44a5c7b13", "description": "MD5 5cf9af2bf416da11b4eedf86dd6748e6\nhttps://www.virustotal.com/gui/file/cc3ff66548d49212ae9b4b28c5a01e9ee50ae2d090cdf1b7747dc8a44a5c7b13/detection", "modified": "2025-05-14T21:04:23.336000", "created": "2025-05-10T16:38:47.697000", "tags": [ "use short", "name path", "command line", "detect use", "windows", "image id", "image detection", "spawns", "image", "setup engine", "investigate", "typ pliku", "ms windows", "nt2000", "ascii", "z zakoczeniami", "crlf", "pliki wzoru", "index", "name", "vba z", "adowanie boczne", "nadrzdny pid", "microsoft excel", "z operacjami", "sigma wykrya", "tworzy", "zapytanie", "t1055 wtrysk", "autor", "inquest labs", "vba project", "vbaproject" ], "references": [ "http://www.iform.pl/txtfile/makra.pdf", "http://crd.gov.pl/wzor/2016/08/05/3413/", "http://crd.gov.pl/xml/schematy/dziedzinowe/mf/2016/01/25/eD/DefinicjeTypy/", "http://crd.gov.pl/xml/schematy/dziedzinowe/mf/2016/07/29/eD/VATZD/", "Raport VirusTotal dla JPK_VAT-7K_11_.xls.html", "Office_Document_with_VBA_Project .yar" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 9, "URL": 416, "hostname": 121, "domain": 15, "FileHash-SHA256": 1024, "email": 1, "FileHash-MD5": 2, "FileHash-SHA1": 2, "YARA": 1 }, "indicator_count": 1591, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "384 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d45dab14a189645153e8a6", "name": "Reverse WHOIS results for vgt.pl ( GANG VGT)", "description": "", "modified": "2024-12-17T14:47:57", "created": "2024-09-01T12:27:23.777000", "tags": [ "ipv4 domain", "ipv4 url", "domain", "sha1", "sha256", "pehash", "vhash", "ssdeep" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1286, "FileHash-SHA1": 1286, "FileHash-SHA256": 2722, "URL": 4729, "domain": 1909, "hostname": 2082, "IPv4": 97, "CVE": 4, "YARA": 1 }, "indicator_count": 14116, "is_author": false, "is_subscribing": null, "subscriber_count": 127, "modified_text": "532 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "667af85fe8fea6365adaa65d", "name": "Norton & Norton Lifelock Products", "description": "Just taking a pak at some Norton-Related Problems\n(03.11.24): https://www.virustotal.com/graph/embed/g8619c830b2c24d849472aef95a362ce113e12cd6d68849e7a83c7eca387a378a?theme=dark", "modified": "2024-09-29T20:01:29.028000", "created": "2024-06-25T17:03:27.155000", "tags": [ "entity", "please", "javascript", "xwwmwh4cg2hpw" ], "references": [ "https://www.virustotal.com/graph/embed/g8619c830b2c24d849472aef95a362ce113e12cd6d68849e7a83c7eca387a378a?theme=dark", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/summary", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/iocs", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/graph", "08.30.24: e1ec7ebd4046143153dd28dd2b5a54cf34edd137c6288f4e56c6449f0753a986 (VT)", "08.30.24: Report ID: \t 6a27e451-df79-4f90-a022-9aa15cb58cea (Filescanio)" ], "public": 1, "adversary": "Norton Norton Lifelock Telus", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 50, "FileHash-SHA1": 54, "FileHash-SHA256": 831, "URL": 1120, "domain": 181, "hostname": 261 }, "indicator_count": 2497, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "611 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66a4d15c60edc83ca6bfc97e", "name": "Fraud Services, Updates, Network Worm, SpyWare - Misc Attack", "description": "", "modified": "2024-08-26T10:04:37.360000", "created": "2024-07-27T10:52:12.501000", "tags": [ "united", "unknown", "a domains", "search", "creation date", "record value", "cyberlynk", "date", "expiration date", "title", "encrypt", "body", "as54113", "aaaa", "cname", "next", "algorithm", "data", "v3 serial", "number", "cus olet", "encrypt cnr3", "validity", "subject public", "key info", "key algorithm", "files", "type name", "android", "server", "registrar abuse", "dnssec", "domain name", "contact phone", "registrar url", "registrar whois", "registrar", "llc registry", "code", "key identifier", "subject key", "identifier", "x509v3 key", "first", "dns replication", "historical ssl", "no data", "tag count", "fakedout threat", "analyzer threat", "url summary", "ip summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "site", "malware", "safe site", "million", "alexa top", "malicious site", "phishing site", "suspected", "unsafe", "wacatac", "artemis", "iframe", "presenoker", "phishing", "opencandy", "downldr", "cleaner", "conduit", "riskware", "nircmd", "swrort", "tiggre", "agent", "filetour", "fusioncore", "unruy", "crack", "exploit", "cobalt strike", "xrat", "alexa", "acint", "systweak", "behav", "genkryptik", "blacknet rat", "stealer", "installpack", "azorult", "service", "runescape", "facebook", "bank", "download", "zbot", "xtrat", "installcore", "patcher", "adload", "win64", "class", "twitter", "accept", "malware site", "maltiverse", "ransomware", "phishingms", "anonymisation", "suppobox", "emotet", "revengerat", "downloader", "emailworm", "ramnit", "warbot", "citadel", "zeus", "simda", "keitaro", "virut", "team", "cultureneutral", "get na", "show", "delete c", "delete", "yara detections", "copy", "nivdort", "write", "trojanspy", "bayrob", "intel", "ms windows", "default", "pe32 executable", "document file", "v2 document", "pe32", "worm", "entries", "td td", "rufus", "mtb apr", "servers", "as39122", "span", "github pages", "passive dns", "formbook cnc", "checkin", "dridex", "request", "less see", "http request", "status", "name servers", "certificate", "urls", "div div", "header click", "meta", "homepage", "form", "date hash", "avast avg", "backdoor", "mtb jul", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "sha256", "sha1", "ascii text", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "pattern match", "null", "hybrid", "refresh", "general", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "suspicious", "windows nt", "apache", "path", "pragma", "footer", "as8068", "as8075", "as15169 google", "as16552 tiggee", "virtool", "related pulses", "file samples", "files matching", "showing", "domain", "as22612", "as397240", "as19527 google", "moved", "gmt server", "as20940", "as4230 claro", "trojan", "ninite", "as2914 ntt", "win32", "brazil unknown", "brazil", "invalid url", "trojandropper", "body html", "head title", "asnone united", "as23393" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Brazil", "India" ], "malware_families": [ { "id": "Dridex", "display_name": "Dridex", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1034, "domain": 1210, "email": 13, "hostname": 1031, "FileHash-SHA1": 685, "FileHash-SHA256": 1036, "FileHash-MD5": 927, "CVE": 10 }, "indicator_count": 5946, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "645 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6656e6dbbe018a2dcb28a8e0", "name": "advancedstream.net - Acquired Apple iOS infrastructure, DNS,", "description": "Apple iOS service modifier.", "modified": "2024-06-28T08:01:11.978000", "created": "2024-05-29T08:27:07.009000", "tags": [ "reverse dns", "location united", "america flag", "lakewood", "united", "america asn", "dns resolutions", "domain", "domain status", "server", "algorithm", "key usage", "xcitium verdict", "cloud", "popularity", "rank position", "info", "date", "registrar abuse", "iana id", "contact phone", "dnssec", "registrar url", "registrar whois", "llc registry", "expiry date", "first", "law firm", "fort wayne", "co", "referrer", "historical ssl", "name verdict", "falcon sandbox", "sha256", "ascii text", "sha1", "size", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "span", "hybrid", "body", "footer", "contact", "local", "encrypt", "click", "facebook", "strings", "meta", "district", "generator", "code", "service", "bill", "nemtih", "sredrum", "co lp", "dynamicloader", "default", "medium", "show", "http request", "http", "delete", "ids detections", "yara detections", "copy", "powershell", "win64", "write", "malware", "download", "malware", "trojan", "windows", "shellexecuteexw", "search", "entries", "writeconsolew", "registry", "t1031", "modify existing", "dock", "win32" ], "references": [ "Reverse DNS: advancedstream.net Location: United States of America - Lakewood, Colorado United States of America", "ASN AS30170 isomedia inc. DNS Resolutions 1 Domain", "spamgateway.advancedstream.net", "smtpha.momentumtelecom.com", "cityoffortwayne.org | detect.cityoffortwayne.org | https://engage.cityoffortwayne.org/", "https://utilities.cityoffortwayne.org/wp-content/uploads/2023/05/2023-Biosolids-Info-Sheet.pdf", "podcast.hallco.org hmmm? Who could it be.", "IDS Detections: PE EXE or DLL Windows file download HTTP | SUSPICIOUS Dotted Quad Host MZ Response | Packed Executable Download", "IDS Detectionsa: Executable Download from dotted-quad Host | Terse alphanumeric executable downloader high likelihood of being hostile", "Yara Detections: ConventionEngine_Term_Desktop , ConventionEngine_Term_Users", "Alerts: network_ip_exe network_questionable_http_path suricata_alert", "Alerts: dynamic_function_loading powershell_download powershell_request network_cnc_http network_http", "Alerts: dead_connect antivm_network_adapters", "https://otx.alienvault.com/indicator/file/a909dd4960d4da51de82e4dfff0a5aa60e35da6b2845680716ad832dc1d8b010", "http://www.leechburg.k12.pa.us/cms/lib09/PA01916522/Centricity/Domain/4/Mr.%20Ritzel%20obituary.pdf", "https://ato.gov.au.69741db048f4bdd03a6dad409e702ab4.grantelgin.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!atmn", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win32:CoinminerX-gen\\ [Trj]", "display_name": "Win32:CoinminerX-gen\\ [Trj]", "target": null }, { "id": "Win.Malware.Tofsee-6958935-0", "display_name": "Win.Malware.Tofsee-6958935-0", "target": null }, { "id": "Trojan:Win32/SmokeLoader.YL", "display_name": "Trojan:Win32/SmokeLoader.YL", "target": "/malware/Trojan:Win32/SmokeLoader.YL" } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [ "Civil Society", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 338, "FileHash-SHA1": 77, "email": 2, "hostname": 497, "URL": 928, "FileHash-SHA256": 572, "FileHash-MD5": 76, "SSLCertFingerprint": 6 }, "indicator_count": 2496, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "704 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e3d1a94659d50264a78fd4", "name": "Phishing | TabExplorer attacks compromised networks and devices", "description": "", "modified": "2024-04-02T01:01:20.068000", "created": "2024-03-03T01:26:01.043000", "tags": [ "command decode", "suricata ipv4", "mitre att", "ck id", "show technique", "ck matrix", "suricata udpv4", "date", "united", "windows nt", "win64", "hybrid", "general", "click", "strings", "contact", "url http", "url https", "scan endpoints", "all octoseek", "report spam", "hour ago", "whois record", "glasgow", "scan", "iocs", "next", "filehashsha256", "filehashmd5", "filehashsha1", "ipv4", "contacted", "execution", "pe resource", "communicating", "urls http", "referrer", "resolutions", "whois whois", "collections ip", "phishing", "attack", "loaded module", "remote procedure call", "search", "as15133 verizon", "passive dns", "urls", "creation date", "record value", "showing", "unknown", "as8075", "as15169 google", "as8068", "aaaa", "cname", "a domains", "meta", "entries", "gmt server", "ecacc saa83dd", "cobalt strike", "mozilla", "body", "brian sabey", "hallrender", "dynamicloader", "show", "alerts", "trojan", "copy", "dynamic", "medium", "reads", "write", "stealth network", "stealth_network", "script urls", "certificate", "rsa sha256", "exports data", "high", "yara rule", "yara detections", "njrat", "cape", "njrat malware", "sniffs", "guard", "write c", "delete c", "ms windows", "default", "intel", "openpgp public", "stream", "antivm_generic_disk", "antivm_generic_bios", "network_bind", "stealth_file spawns_dev_utility", "procmem_yara", "enumerates_physical_drives", "persistence_ads", "dynamic_function_loading", "reads_self", "suspicious_command_tools", "network", "rat" ], "references": [ "http://www.tabxexplorer.com [phishing]", "http://www.tabxexplorer.com/lenovo", "GET /lenovo HTTP/1.1 Host: www.tabxexplorer.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0", "identity_helper.exe", "cdn.easykeys.com", "hive21.ctcsoftware.com", "www.moxa.com", "msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com", "IDS Detections: Cobalt Strike Malleable C2 JQuery", "IDS Detections: Nullsoft Mozilla UA (NSISDL)", "IDS Detections: Observed Suspicious UA (NSISDL/1.2 (Mozilla))", "IDS Detections: SSL excessive fatal alerts (possible POODLE attack against server)", "IDS Detections: GENERIC Likely Malicious Fake IE Downloading .exe", "Tulach Malware: 114.114.114.114", "ns3.hallgrandsale.ru", "AgentTesla.KM: FileHash-MD5 e0801d62e8379b98177fd94a027e8b30", "AgentTesla.KM: FileHash-SHA1 0fa00a939ca8af08c90310b808d1d8fc70a518c3", "Yara Detection: Nullsoft_NSIS" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "ALF:Trojan:MSIL/AgentTesla.KM", "display_name": "ALF:Trojan:MSIL/AgentTesla.KM", "target": null }, { "id": "ALF:Win32/GbdInf_305B1C9A.J!ibt", "display_name": "ALF:Win32/GbdInf_305B1C9A.J!ibt", "target": "/malware/ALF:Win32/GbdInf_305B1C9A.J!ibt" }, { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HackTool:Win32/CobaltStrike.A", "display_name": "HackTool:Win32/CobaltStrike.A", "target": "/malware/HackTool:Win32/CobaltStrike.A" }, { "id": "HackTool:Win32/Atosev.A", "display_name": "HackTool:Win32/Atosev.A", "target": "/malware/HackTool:Win32/Atosev.A" }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Win.Malware.Generickdz-9938530-0", "display_name": "Win.Malware.Generickdz-9938530-0", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1029", "name": "Scheduled Transfer", "display_name": "T1029 - Scheduled Transfer" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [ "Civil Society", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5551, "hostname": 1690, "domain": 929, "FileHash-SHA256": 2696, "FileHash-MD5": 405, "FileHash-SHA1": 315, "email": 4, "SSLCertFingerprint": 1 }, "indicator_count": 11591, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "792 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "http://s.symcb.com/universal", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "http://s.symcb.com/universal", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780458975.2418132 }