{
  "type": "URL",
  "indicator": "http://schema.org/SiteNavigationElement",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "http://schema.org/SiteNavigationElement",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "whitelist",
        "message": "Whitelisted domain schema.org",
        "name": "Whitelisted domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain schema.org",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 3778915796,
      "indicator": "http://schema.org/SiteNavigationElement",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 4,
      "pulses": [
        {
          "id": "6a1bbf37e377ccaa110200e0",
          "name": "VirusTotal report\n                    for Papers_Please_APK_1_4_12.apk",
          "description": "[domain named \"homedepot.com\" has been banned by the internet service provider, Akama.net, for violating its rules on server transfer and deletion.. and the use of these terms.]  #barcodes",
          "modified": "2026-05-31T05:26:32.684000",
          "created": "2026-05-31T04:55:19.811000",
          "tags": [
            "as16625 akamai",
            "united",
            "as20940",
            "whitelisted",
            "united kingdom",
            "status",
            "servers",
            "a span",
            "name servers",
            "as3491 pccw",
            "date",
            "meta",
            "service",
            "path",
            "registrar abuse",
            "iana id",
            "contact phone",
            "domain status",
            "registrar url",
            "registrar whois",
            "server",
            "registrar",
            "csc corporate",
            "domains",
            "ferry road",
            "thumbprint",
            "algorithm",
            "full name",
            "v3 serial",
            "number",
            "issuer",
            "cus cndigicert",
            "ecc extended",
            "ca odigicert",
            "validity",
            "latlanta othe",
            "has permission",
            "file type",
            "sim provider",
            "mccmnc",
            "mobile",
            "iso country",
            "found",
            "t1417 input",
            "attack network",
            "info dropped",
            "loads",
            "persistence",
            "defense evasion",
            "malicious",
            "status valid",
            "issuer apple",
            "valid from",
            "valid",
            "serial number",
            "smv text",
            "ascii text",
            "cname",
            "key identifier",
            "x509v3 subject",
            "cus odigicert",
            "inc cndigicert",
            "global g3",
            "tls ecc",
            "organization",
            "dnssec",
            "domain name",
            "us registrant",
            "email",
            "contact",
            "macintosh disk",
            "image",
            "apple driver",
            "barcodes",
            "past barcode history 2023"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/64f04c6372d51323b3e9f6bdabf6f527513cbadf768b6e8a5301c1de1b168600_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1780202779&Signature=ZMlo%2Fyn5T4vPFNHF3XHVPIg82DVy8Q8bOKosyfxCm%2B0GKl64XZeMnYCqVW%2FZBPyZoGNk5dDbl6%2BDs0d76HzIX2YfSzuXsthugznxtiIV8X6rCxyXfC8q%2BTDTeEghlkBpNqLlmIBTljL%2BLG4nD7QUe5K%2F4%2Bhyg%2F7loJbK9LG2iybJRVImxSY7rB4HfbiDpjIav6y9%2BoTwehrf5FMM8D2DtgeoRL%2BMkzDYzyDS%2"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "United Kingdom of Great Britain and Northern Ireland",
            "Taiwan",
            "Korea, Republic of"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1406",
              "name": "Obfuscated Files or Information",
              "display_name": "T1406 - Obfuscated Files or Information"
            },
            {
              "id": "T1409",
              "name": "Access Stored Application Data",
              "display_name": "T1409 - Access Stored Application Data"
            },
            {
              "id": "T1417",
              "name": "Input Capture",
              "display_name": "T1417 - Input Capture"
            },
            {
              "id": "T1418",
              "name": "Application Discovery",
              "display_name": "T1418 - Application Discovery"
            },
            {
              "id": "T1421",
              "name": "System Network Connections Discovery",
              "display_name": "T1421 - System Network Connections Discovery"
            },
            {
              "id": "T1422",
              "name": "System Network Configuration Discovery",
              "display_name": "T1422 - System Network Configuration Discovery"
            },
            {
              "id": "T1424",
              "name": "Process Discovery",
              "display_name": "T1424 - Process Discovery"
            },
            {
              "id": "T1426",
              "name": "System Information Discovery",
              "display_name": "T1426 - System Information Discovery"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 516,
            "URL": 285,
            "domain": 31,
            "email": 4,
            "hostname": 128,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 19,
            "FileHash-SHA256": 16,
            "Mutex": 1
          },
          "indicator_count": 1006,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a1bbf3891b8d5e7f5fda895",
          "name": "VirusTotal report\n                    for Papers_Please_APK_1_4_12.apk",
          "description": "[domain named \"homedepot.com\" has been banned by the internet service provider, Akama.net, for violating its rules on server transfer and deletion.. and the use of these terms.]  #barcodes",
          "modified": "2026-05-31T05:26:32.273000",
          "created": "2026-05-31T04:55:20.446000",
          "tags": [
            "as16625 akamai",
            "united",
            "as20940",
            "whitelisted",
            "united kingdom",
            "status",
            "servers",
            "a span",
            "name servers",
            "as3491 pccw",
            "date",
            "meta",
            "service",
            "path",
            "registrar abuse",
            "iana id",
            "contact phone",
            "domain status",
            "registrar url",
            "registrar whois",
            "server",
            "registrar",
            "csc corporate",
            "domains",
            "ferry road",
            "thumbprint",
            "algorithm",
            "full name",
            "v3 serial",
            "number",
            "issuer",
            "cus cndigicert",
            "ecc extended",
            "ca odigicert",
            "validity",
            "latlanta othe",
            "has permission",
            "file type",
            "sim provider",
            "mccmnc",
            "mobile",
            "iso country",
            "found",
            "t1417 input",
            "attack network",
            "info dropped",
            "loads",
            "persistence",
            "defense evasion",
            "malicious",
            "status valid",
            "issuer apple",
            "valid from",
            "valid",
            "serial number",
            "smv text",
            "ascii text",
            "cname",
            "key identifier",
            "x509v3 subject",
            "cus odigicert",
            "inc cndigicert",
            "global g3",
            "tls ecc",
            "organization",
            "dnssec",
            "domain name",
            "us registrant",
            "email",
            "contact",
            "macintosh disk",
            "image",
            "apple driver",
            "barcodes",
            "past barcode history 2023"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/64f04c6372d51323b3e9f6bdabf6f527513cbadf768b6e8a5301c1de1b168600_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1780202779&Signature=ZMlo%2Fyn5T4vPFNHF3XHVPIg82DVy8Q8bOKosyfxCm%2B0GKl64XZeMnYCqVW%2FZBPyZoGNk5dDbl6%2BDs0d76HzIX2YfSzuXsthugznxtiIV8X6rCxyXfC8q%2BTDTeEghlkBpNqLlmIBTljL%2BLG4nD7QUe5K%2F4%2Bhyg%2F7loJbK9LG2iybJRVImxSY7rB4HfbiDpjIav6y9%2BoTwehrf5FMM8D2DtgeoRL%2BMkzDYzyDS%2"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "United Kingdom of Great Britain and Northern Ireland",
            "Taiwan",
            "Korea, Republic of"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1406",
              "name": "Obfuscated Files or Information",
              "display_name": "T1406 - Obfuscated Files or Information"
            },
            {
              "id": "T1409",
              "name": "Access Stored Application Data",
              "display_name": "T1409 - Access Stored Application Data"
            },
            {
              "id": "T1417",
              "name": "Input Capture",
              "display_name": "T1417 - Input Capture"
            },
            {
              "id": "T1418",
              "name": "Application Discovery",
              "display_name": "T1418 - Application Discovery"
            },
            {
              "id": "T1421",
              "name": "System Network Connections Discovery",
              "display_name": "T1421 - System Network Connections Discovery"
            },
            {
              "id": "T1422",
              "name": "System Network Configuration Discovery",
              "display_name": "T1422 - System Network Configuration Discovery"
            },
            {
              "id": "T1424",
              "name": "Process Discovery",
              "display_name": "T1424 - Process Discovery"
            },
            {
              "id": "T1426",
              "name": "System Information Discovery",
              "display_name": "T1426 - System Information Discovery"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 516,
            "URL": 285,
            "domain": 31,
            "email": 4,
            "hostname": 128,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 19,
            "FileHash-SHA256": 16,
            "Mutex": 1
          },
          "indicator_count": 1006,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c9da4518bcd6f23187c0a1",
          "name": "VirusTotal report\n                    for index.html",
          "description": "",
          "modified": "2026-04-29T02:07:22.447000",
          "created": "2026-03-30T02:04:53.450000",
          "tags": [
            "performs dns",
            "united",
            "https",
            "tls version",
            "mitre attack",
            "network info",
            "processes extra",
            "found",
            "urls",
            "t1055 process",
            "meta",
            "phishing",
            "next"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/000210df42ad35bdcb3cc2e1bb5f7f4367ea957b48ec0692c2b05dc5278a226c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774836420&Signature=DoFKRwpPjBLhoe5y5%2Fr8Ce1KyPywsIH7x%2BVmuykNB9a%2BMXK7EjBP%2BgTUoUfzgw6QZ4VSy%2BTbgRra9Z%2B822E7Yge8Dk%2B0I8SsqqiEP6VtsSW%2BPvdqhwx6qtga%2F%2Fj6MwG62uj%2FuIYeo%2FfDnF0b%2F8ZtGy155ttQQVx%2B1%2FJxdC%2FDjpdN29JI2ODO7eCWbcjYIck4G2JlqIleXFqX7eoC5OR7Ug3v8TfLOnivbXNg9v"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 82,
            "domain": 5,
            "hostname": 18
          },
          "indicator_count": 108,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "33 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65463631b46319b3aa1d071f",
          "name": "Qausar RAT - aig.com |",
          "description": "Compilation of research identifilocates aig.com Defense Division of Workers Compensation. \nMalicious & invasive tactics remain. Target seem to have been removed from, revenge porn campaign targeted name no longer auto populates, registrant seems poised for campaign.\nTactics include phishing, tracking, geotracking, device location, monitoring, side loading apps and remote access. \n\nQausar Rat identified:\nAlso known by the names CinaRAT or Yggdrasil, Quasar RAT is a C#-based remote administration tool capable of gathering system information, a list of running applications, files, keystrokes, screenshots, and executing arbitrary shell commands.",
          "modified": "2023-12-04T11:01:36.202000",
          "created": "2023-11-04T12:16:49.600000",
          "tags": [
            "general full",
            "url https",
            "reverse dns",
            "security tls",
            "protocol h2",
            "name value",
            "resource",
            "united",
            "asn16509",
            "amazon02",
            "main",
            "facebook",
            "http",
            "request chain",
            "november",
            "de page",
            "url history",
            "javascript",
            "meta",
            "page url",
            "redirected",
            "http redirect",
            "value",
            "mime type",
            "variables",
            "contexthub",
            "visitor object",
            "cq function",
            "sanitize object",
            "elqq",
            "domainpath name",
            "link",
            "property",
            "workers",
            "compensation",
            "login myaig",
            "liability",
            "contact",
            "a claim",
            "commercial auto",
            "login aig",
            "form",
            "cyber",
            "find",
            "team",
            "defense",
            "crime",
            "ransom",
            "energy",
            "cargo",
            "life",
            "media",
            "enterprise",
            "american international",
            "frankfurt",
            "germany",
            "october",
            "domains",
            "asn20940",
            "cisco",
            "umbrella rank",
            "domain",
            "de summary",
            "ssl certificate",
            "whois record",
            "whois whois",
            "malware",
            "network mooooda",
            "and china",
            "filter https",
            "dsp1",
            "keepaliveyes",
            "p11642963562",
            "quasar",
            "metro",
            "android",
            "djvu",
            "win32 exe",
            "win32 dll",
            "ms excel",
            "dao360",
            "spreadsheet",
            "files",
            "detections type",
            "name",
            "phishing",
            "tulach exploits",
            "falcon sandbox",
            "pattern match",
            "file",
            "script",
            "indicator",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "misc attack",
            "date",
            "unknown",
            "body",
            "error",
            "span",
            "class",
            "generator",
            "critical",
            "refresh",
            "open",
            "hybrid",
            "general",
            "local",
            "click",
            "strings",
            "tools",
            "look",
            "verify",
            "restart",
            "suricata"
          ],
          "references": [
            "aig.com",
            "https://urlscan.io",
            "https://www.slatergordon.com.au/blog/revenge-porn-laws",
            "https://thehackernews.com/2023/10/quasar-rat-leverages-dll-side-loading.html?m=1",
            "https://hybrid-analysis.com/sample/6f4fb33ffb44474e86928549ef3f1a51d0f3e9e8c8d7a08b71b2b59b5921d311",
            "remoteaccess.aig.com",
            "https://remote.goeaston.net",
            "window.location.search",
            "location.search",
            "https://s3.rexdl.com/android/game/Desktop-Dungeons-v11-Mod-www.Rexdl.com.apk",
            "ghb-unoadsrv-com.geodns.me.1.1.11cec3ef.roksit.net",
            "m.pornsexer.xxx.3.1.adiosfil.roksit.net",
            "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/"
          ],
          "public": 1,
          "adversary": "American International",
          "targeted_countries": [
            "United States of America",
            "Canada"
          ],
          "malware_families": [
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "Ransomware",
              "display_name": "Ransomware",
              "target": null
            },
            {
              "id": "American International",
              "display_name": "American International",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            }
          ],
          "industries": [
            "Reinsurance",
            "Travel"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 117,
            "FileHash-SHA256": 1962,
            "domain": 575,
            "hostname": 1623,
            "FileHash-MD5": 123,
            "URL": 3670,
            "CVE": 2
          },
          "indicator_count": 8072,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "910 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "ghb-unoadsrv-com.geodns.me.1.1.11cec3ef.roksit.net",
        "https://thehackernews.com/2023/10/quasar-rat-leverages-dll-side-loading.html?m=1",
        "location.search",
        "https://hybrid-analysis.com/sample/6f4fb33ffb44474e86928549ef3f1a51d0f3e9e8c8d7a08b71b2b59b5921d311",
        "https://s3.rexdl.com/android/game/Desktop-Dungeons-v11-Mod-www.Rexdl.com.apk",
        "remoteaccess.aig.com",
        "https://urlscan.io",
        "https://remote.goeaston.net",
        "https://www.slatergordon.com.au/blog/revenge-porn-laws",
        "https://vtbehaviour.commondatastorage.googleapis.com/64f04c6372d51323b3e9f6bdabf6f527513cbadf768b6e8a5301c1de1b168600_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1780202779&Signature=ZMlo%2Fyn5T4vPFNHF3XHVPIg82DVy8Q8bOKosyfxCm%2B0GKl64XZeMnYCqVW%2FZBPyZoGNk5dDbl6%2BDs0d76HzIX2YfSzuXsthugznxtiIV8X6rCxyXfC8q%2BTDTeEghlkBpNqLlmIBTljL%2BLG4nD7QUe5K%2F4%2Bhyg%2F7loJbK9LG2iybJRVImxSY7rB4HfbiDpjIav6y9%2BoTwehrf5FMM8D2DtgeoRL%2BMkzDYzyDS%2",
        "window.location.search",
        "aig.com",
        "m.pornsexer.xxx.3.1.adiosfil.roksit.net",
        "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/",
        "https://vtbehaviour.commondatastorage.googleapis.com/000210df42ad35bdcb3cc2e1bb5f7f4367ea957b48ec0692c2b05dc5278a226c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774836420&Signature=DoFKRwpPjBLhoe5y5%2Fr8Ce1KyPywsIH7x%2BVmuykNB9a%2BMXK7EjBP%2BgTUoUfzgw6QZ4VSy%2BTbgRra9Z%2B822E7Yge8Dk%2B0I8SsqqiEP6VtsSW%2BPvdqhwx6qtga%2F%2Fj6MwG62uj%2FuIYeo%2FfDnF0b%2F8ZtGy155ttQQVx%2B1%2FJxdC%2FDjpdN29JI2ODO7eCWbcjYIck4G2JlqIleXFqX7eoC5OR7Ug3v8TfLOnivbXNg9v"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "American International"
          ],
          "malware_families": [
            "Quasar rat",
            "Ransomware",
            "American international"
          ],
          "industries": [
            "Reinsurance",
            "Travel"
          ],
          "unique_indicators": 9317
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/schema.org",
    "whois": "http://whois.domaintools.com/schema.org",
    "domain": "schema.org",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 4,
  "pulses": [
    {
      "id": "6a1bbf37e377ccaa110200e0",
      "name": "VirusTotal report\n                    for Papers_Please_APK_1_4_12.apk",
      "description": "[domain named \"homedepot.com\" has been banned by the internet service provider, Akama.net, for violating its rules on server transfer and deletion.. and the use of these terms.]  #barcodes",
      "modified": "2026-05-31T05:26:32.684000",
      "created": "2026-05-31T04:55:19.811000",
      "tags": [
        "as16625 akamai",
        "united",
        "as20940",
        "whitelisted",
        "united kingdom",
        "status",
        "servers",
        "a span",
        "name servers",
        "as3491 pccw",
        "date",
        "meta",
        "service",
        "path",
        "registrar abuse",
        "iana id",
        "contact phone",
        "domain status",
        "registrar url",
        "registrar whois",
        "server",
        "registrar",
        "csc corporate",
        "domains",
        "ferry road",
        "thumbprint",
        "algorithm",
        "full name",
        "v3 serial",
        "number",
        "issuer",
        "cus cndigicert",
        "ecc extended",
        "ca odigicert",
        "validity",
        "latlanta othe",
        "has permission",
        "file type",
        "sim provider",
        "mccmnc",
        "mobile",
        "iso country",
        "found",
        "t1417 input",
        "attack network",
        "info dropped",
        "loads",
        "persistence",
        "defense evasion",
        "malicious",
        "status valid",
        "issuer apple",
        "valid from",
        "valid",
        "serial number",
        "smv text",
        "ascii text",
        "cname",
        "key identifier",
        "x509v3 subject",
        "cus odigicert",
        "inc cndigicert",
        "global g3",
        "tls ecc",
        "organization",
        "dnssec",
        "domain name",
        "us registrant",
        "email",
        "contact",
        "macintosh disk",
        "image",
        "apple driver",
        "barcodes",
        "past barcode history 2023"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/64f04c6372d51323b3e9f6bdabf6f527513cbadf768b6e8a5301c1de1b168600_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1780202779&Signature=ZMlo%2Fyn5T4vPFNHF3XHVPIg82DVy8Q8bOKosyfxCm%2B0GKl64XZeMnYCqVW%2FZBPyZoGNk5dDbl6%2BDs0d76HzIX2YfSzuXsthugznxtiIV8X6rCxyXfC8q%2BTDTeEghlkBpNqLlmIBTljL%2BLG4nD7QUe5K%2F4%2Bhyg%2F7loJbK9LG2iybJRVImxSY7rB4HfbiDpjIav6y9%2BoTwehrf5FMM8D2DtgeoRL%2BMkzDYzyDS%2"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "United Kingdom of Great Britain and Northern Ireland",
        "Taiwan",
        "Korea, Republic of"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1406",
          "name": "Obfuscated Files or Information",
          "display_name": "T1406 - Obfuscated Files or Information"
        },
        {
          "id": "T1409",
          "name": "Access Stored Application Data",
          "display_name": "T1409 - Access Stored Application Data"
        },
        {
          "id": "T1417",
          "name": "Input Capture",
          "display_name": "T1417 - Input Capture"
        },
        {
          "id": "T1418",
          "name": "Application Discovery",
          "display_name": "T1418 - Application Discovery"
        },
        {
          "id": "T1421",
          "name": "System Network Connections Discovery",
          "display_name": "T1421 - System Network Connections Discovery"
        },
        {
          "id": "T1422",
          "name": "System Network Configuration Discovery",
          "display_name": "T1422 - System Network Configuration Discovery"
        },
        {
          "id": "T1424",
          "name": "Process Discovery",
          "display_name": "T1424 - Process Discovery"
        },
        {
          "id": "T1426",
          "name": "System Information Discovery",
          "display_name": "T1426 - System Information Discovery"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 516,
        "URL": 285,
        "domain": 31,
        "email": 4,
        "hostname": 128,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 19,
        "FileHash-SHA256": 16,
        "Mutex": 1
      },
      "indicator_count": 1006,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a1bbf3891b8d5e7f5fda895",
      "name": "VirusTotal report\n                    for Papers_Please_APK_1_4_12.apk",
      "description": "[domain named \"homedepot.com\" has been banned by the internet service provider, Akama.net, for violating its rules on server transfer and deletion.. and the use of these terms.]  #barcodes",
      "modified": "2026-05-31T05:26:32.273000",
      "created": "2026-05-31T04:55:20.446000",
      "tags": [
        "as16625 akamai",
        "united",
        "as20940",
        "whitelisted",
        "united kingdom",
        "status",
        "servers",
        "a span",
        "name servers",
        "as3491 pccw",
        "date",
        "meta",
        "service",
        "path",
        "registrar abuse",
        "iana id",
        "contact phone",
        "domain status",
        "registrar url",
        "registrar whois",
        "server",
        "registrar",
        "csc corporate",
        "domains",
        "ferry road",
        "thumbprint",
        "algorithm",
        "full name",
        "v3 serial",
        "number",
        "issuer",
        "cus cndigicert",
        "ecc extended",
        "ca odigicert",
        "validity",
        "latlanta othe",
        "has permission",
        "file type",
        "sim provider",
        "mccmnc",
        "mobile",
        "iso country",
        "found",
        "t1417 input",
        "attack network",
        "info dropped",
        "loads",
        "persistence",
        "defense evasion",
        "malicious",
        "status valid",
        "issuer apple",
        "valid from",
        "valid",
        "serial number",
        "smv text",
        "ascii text",
        "cname",
        "key identifier",
        "x509v3 subject",
        "cus odigicert",
        "inc cndigicert",
        "global g3",
        "tls ecc",
        "organization",
        "dnssec",
        "domain name",
        "us registrant",
        "email",
        "contact",
        "macintosh disk",
        "image",
        "apple driver",
        "barcodes",
        "past barcode history 2023"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/64f04c6372d51323b3e9f6bdabf6f527513cbadf768b6e8a5301c1de1b168600_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1780202779&Signature=ZMlo%2Fyn5T4vPFNHF3XHVPIg82DVy8Q8bOKosyfxCm%2B0GKl64XZeMnYCqVW%2FZBPyZoGNk5dDbl6%2BDs0d76HzIX2YfSzuXsthugznxtiIV8X6rCxyXfC8q%2BTDTeEghlkBpNqLlmIBTljL%2BLG4nD7QUe5K%2F4%2Bhyg%2F7loJbK9LG2iybJRVImxSY7rB4HfbiDpjIav6y9%2BoTwehrf5FMM8D2DtgeoRL%2BMkzDYzyDS%2"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "United Kingdom of Great Britain and Northern Ireland",
        "Taiwan",
        "Korea, Republic of"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1406",
          "name": "Obfuscated Files or Information",
          "display_name": "T1406 - Obfuscated Files or Information"
        },
        {
          "id": "T1409",
          "name": "Access Stored Application Data",
          "display_name": "T1409 - Access Stored Application Data"
        },
        {
          "id": "T1417",
          "name": "Input Capture",
          "display_name": "T1417 - Input Capture"
        },
        {
          "id": "T1418",
          "name": "Application Discovery",
          "display_name": "T1418 - Application Discovery"
        },
        {
          "id": "T1421",
          "name": "System Network Connections Discovery",
          "display_name": "T1421 - System Network Connections Discovery"
        },
        {
          "id": "T1422",
          "name": "System Network Configuration Discovery",
          "display_name": "T1422 - System Network Configuration Discovery"
        },
        {
          "id": "T1424",
          "name": "Process Discovery",
          "display_name": "T1424 - Process Discovery"
        },
        {
          "id": "T1426",
          "name": "System Information Discovery",
          "display_name": "T1426 - System Information Discovery"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 516,
        "URL": 285,
        "domain": 31,
        "email": 4,
        "hostname": 128,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 19,
        "FileHash-SHA256": 16,
        "Mutex": 1
      },
      "indicator_count": 1006,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c9da4518bcd6f23187c0a1",
      "name": "VirusTotal report\n                    for index.html",
      "description": "",
      "modified": "2026-04-29T02:07:22.447000",
      "created": "2026-03-30T02:04:53.450000",
      "tags": [
        "performs dns",
        "united",
        "https",
        "tls version",
        "mitre attack",
        "network info",
        "processes extra",
        "found",
        "urls",
        "t1055 process",
        "meta",
        "phishing",
        "next"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/000210df42ad35bdcb3cc2e1bb5f7f4367ea957b48ec0692c2b05dc5278a226c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774836420&Signature=DoFKRwpPjBLhoe5y5%2Fr8Ce1KyPywsIH7x%2BVmuykNB9a%2BMXK7EjBP%2BgTUoUfzgw6QZ4VSy%2BTbgRra9Z%2B822E7Yge8Dk%2B0I8SsqqiEP6VtsSW%2BPvdqhwx6qtga%2F%2Fj6MwG62uj%2FuIYeo%2FfDnF0b%2F8ZtGy155ttQQVx%2B1%2FJxdC%2FDjpdN29JI2ODO7eCWbcjYIck4G2JlqIleXFqX7eoC5OR7Ug3v8TfLOnivbXNg9v"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 82,
        "domain": 5,
        "hostname": 18
      },
      "indicator_count": 108,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "33 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65463631b46319b3aa1d071f",
      "name": "Qausar RAT - aig.com |",
      "description": "Compilation of research identifilocates aig.com Defense Division of Workers Compensation. \nMalicious & invasive tactics remain. Target seems to have been removed from, revenge porn campaign targeted name no longer auto populates, registrant seems poised for campaign.\nTactics include phishing, tracking, geotracking, device location, monitoring, side loading apps and remote access. \n\nQuasar RAT identified:\nAlso known by the names CinaRAT or Yggdrasil, Quasar RAT is a C#-based remote administration tool capable of gathering system information, a list of running applications, files, keystrokes, screenshots, and executing arbitrary shell commands.",
      "modified": "2023-12-04T11:01:36.202000",
      "created": "2023-11-04T12:16:49.600000",
      "tags": [
        "general full",
        "url https",
        "reverse dns",
        "security tls",
        "protocol h2",
        "name value",
        "resource",
        "united",
        "asn16509",
        "amazon02",
        "main",
        "facebook",
        "http",
        "request chain",
        "november",
        "de page",
        "url history",
        "javascript",
        "meta",
        "page url",
        "redirected",
        "http redirect",
        "value",
        "mime type",
        "variables",
        "contexthub",
        "visitor object",
        "cq function",
        "sanitize object",
        "elqq",
        "domainpath name",
        "link",
        "property",
        "workers",
        "compensation",
        "login myaig",
        "liability",
        "contact",
        "a claim",
        "commercial auto",
        "login aig",
        "form",
        "cyber",
        "find",
        "team",
        "defense",
        "crime",
        "ransom",
        "energy",
        "cargo",
        "life",
        "media",
        "enterprise",
        "american international",
        "frankfurt",
        "germany",
        "october",
        "domains",
        "asn20940",
        "cisco",
        "umbrella rank",
        "domain",
        "de summary",
        "ssl certificate",
        "whois record",
        "whois whois",
        "malware",
        "network mooooda",
        "and china",
        "filter https",
        "dsp1",
        "keepaliveyes",
        "p11642963562",
        "quasar",
        "metro",
        "android",
        "djvu",
        "win32 exe",
        "win32 dll",
        "ms excel",
        "dao360",
        "spreadsheet",
        "files",
        "detections type",
        "name",
        "phishing",
        "tulach exploits",
        "falcon sandbox",
        "pattern match",
        "file",
        "script",
        "indicator",
        "et tor",
        "known tor",
        "relayrouter",
        "exit",
        "node traffic",
        "misc attack",
        "date",
        "unknown",
        "body",
        "error",
        "span",
        "class",
        "generator",
        "critical",
        "refresh",
        "open",
        "hybrid",
        "general",
        "local",
        "click",
        "strings",
        "tools",
        "look",
        "verify",
        "restart",
        "suricata"
      ],
      "references": [
        "aig.com",
        "https://urlscan.io",
        "https://www.slatergordon.com.au/blog/revenge-porn-laws",
        "https://thehackernews.com/2023/10/quasar-rat-leverages-dll-side-loading.html?m=1",
        "https://hybrid-analysis.com/sample/6f4fb33ffb44474e86928549ef3f1a51d0f3e9e8c8d7a08b71b2b59b5921d311",
        "remoteaccess.aig.com",
        "https://remote.goeaston.net",
        "window.location.search",
        "location.search",
        "https://s3.rexdl.com/android/game/Desktop-Dungeons-v11-Mod-www.Rexdl.com.apk",
        "ghb-unoadsrv-com.geodns.me.1.1.11cec3ef.roksit.net",
        "m.pornsexer.xxx.3.1.adiosfil.roksit.net",
        "http://m.pornsexer.xxx.3.1.adiosfil.roksit.net/"
      ],
      "public": 1,
      "adversary": "American International",
      "targeted_countries": [
        "United States of America",
        "Canada"
      ],
      "malware_families": [
        {
          "id": "Quasar RAT",
          "display_name": "Quasar RAT",
          "target": null
        },
        {
          "id": "Ransomware",
          "display_name": "Ransomware",
          "target": null
        },
        {
          "id": "American International",
          "display_name": "American International",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        }
      ],
      "industries": [
        "Reinsurance",
        "Travel"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 117,
        "FileHash-SHA256": 1962,
        "domain": 575,
        "hostname": 1623,
        "FileHash-MD5": 123,
        "URL": 3670,
        "CVE": 2
      },
      "indicator_count": 8072,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 228,
      "modified_text": "910 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "http://schema.org/SiteNavigationElement",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "http://schema.org/SiteNavigationElement",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780319869.4157875
}