{
  "type": "URL",
  "indicator": "https://207.231.109.252/bin/support.client.exe",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://207.231.109.252/bin/support.client.exe",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4066964515,
      "indicator": "https://207.231.109.252/bin/support.client.exe",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "687a2cb559edf512d7f0646d",
          "name": "Old Miner, New Tricks.",
          "description": "The FortiCNAPP team's investigation into the Lcryx ransomware reveals notable overlaps with the H2Miner crypto-mining botnet, suggesting either a collaborative effort or adaptation of existing tooling by threat actors seeking to increase financial gain. Lcryx, and in particular its new variant Lcrypt0rx, is a VBScript-based ransomware first seen in November 2024 that exhibits anomalies indicating the code may have been AI-generated. Evidence includes duplicated functions, erroneous persistence mechanisms, flawed encryption logic, and malformed syntax. Together these indicators point to poorly optimized, machine-generated code and to illogical behavior during execution.",
          "modified": "2025-08-17T10:03:51.060000",
          "created": "2025-07-18T11:15:01.770000",
          "tags": [
            "fortiguard labs threat research",
            "lcrypt0rx",
            "h2miner",
            "fortinet",
            "kinsing",
            "fortigate",
            "fortimail",
            "disarm",
            "xor encryption",
            "h2miner threat",
            "ui interference",
            "cobalt strike",
            "cloud",
            "malware",
            "malicious",
            "powershell",
            "service"
          ],
          "references": [
            "https://www.fortinet.com/blog/threat-research/old-miner-new-tricks"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1059.004",
              "name": "Unix Shell",
              "display_name": "T1059.004 - Unix Shell"
            },
            {
              "id": "T1059.005",
              "name": "Visual Basic",
              "display_name": "T1059.005 - Visual Basic"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1098",
              "name": "Account Manipulation",
              "display_name": "T1098 - Account Manipulation"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 35,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 20,
            "FileHash-MD5": 23,
            "FileHash-SHA1": 16,
            "FileHash-SHA256": 16,
            "CVE": 3,
            "domain": 12,
            "hostname": 1
          },
          "indicator_count": 91,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 544,
          "modified_text": "289 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "681d440f844212eeadd78e42",
          "name": "URLHaus data - 08-05-2025",
          "description": "",
          "modified": "2025-06-07T23:03:28.311000",
          "created": "2025-05-08T23:53:51.458000",
          "tags": [
            "32-bit",
            "arm",
            "elf",
            "Mozi",
            "mips",
            "mirai",
            "ClearFake",
            "bitbucket",
            "connectwise",
            "exe",
            "screenconnect",
            "censys",
            "CobaltStrike",
            "lnk",
            "xml-opendir",
            "hajime",
            "backdoor",
            "sshdkit",
            "apk",
            "opendir",
            "gafgyt",
            "sh",
            "ua-wget",
            "SocGholish",
            "botnetdomain",
            "moobot",
            "sshd",
            "SSHDoor",
            "ascii",
            "Encoded",
            "xworm",
            "powershell",
            "ps1",
            "encrypted",
            "GuLoader",
            "Kimsuky",
            "phemedrone",
            "CHE",
            "coper",
            "geofenced",
            "Octo",
            "ValleyRAT",
            "AmosStealer",
            "zip",
            "gcleaner",
            "LummaStealer",
            "rustystealer",
            "Amadey",
            "DarkVisionRAT",
            "rat",
            "RemcosRAT",
            "ClickFix",
            "FakeCaptcha",
            "HijackLoader",
            "IDATLoader",
            "Quakbot",
            "hta",
            "MetaStealer",
            "WsgiDAV"
          ],
          "references": [
            "https://urlhaus.abuse.ch/browse/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 51,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1000,
            "domain": 33,
            "hostname": 13
          },
          "indicator_count": 1046,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1624,
          "modified_text": "359 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "672f70d470cdbab07d3bdb8f",
          "name": "URLHaus Recent URLs",
          "description": "",
          "modified": "2025-05-15T13:30:30.738000",
          "created": "2024-11-09T14:25:24.551000",
          "tags": [],
          "references": [
            "https://urlhaus.abuse.ch/downloads/csv_recent/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ameermane",
            "id": "77501",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 313720
          },
          "indicator_count": 313720,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 91,
          "modified_text": "383 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.fortinet.com/blog/threat-research/old-miner-new-tricks",
        "https://urlhaus.abuse.ch/browse/",
        "https://urlhaus.abuse.ch/downloads/csv_recent/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 313415
        }
      }
    },
    "false_positive": [],
    "alexa": "",
    "whois": "http://whois.domaintools.com/207.231.109.252",
    "domain": "Unavailable",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "687a2cb559edf512d7f0646d",
      "name": "Old Miner, New Tricks.",
      "description": "The FortiCNAPP team's investigation into the Lcryx ransomware reveals notable overlaps with the H2Miner crypto-mining botnet, suggesting either a collaborative effort or adaptation of existing tooling by threat actors seeking to increase financial gain. Lcryx, and in particular its new variant Lcrypt0rx, is a VBScript-based ransomware first seen in November 2024 that exhibits anomalies indicating the code may have been AI-generated. Evidence includes duplicated functions, erroneous persistence mechanisms, flawed encryption logic, and malformed syntax. Together these indicators point to poorly optimized, machine-generated code and to illogical behavior during execution.",
      "modified": "2025-08-17T10:03:51.060000",
      "created": "2025-07-18T11:15:01.770000",
      "tags": [
        "fortiguard labs threat research",
        "lcrypt0rx",
        "h2miner",
        "fortinet",
        "kinsing",
        "fortigate",
        "fortimail",
        "disarm",
        "xor encryption",
        "h2miner threat",
        "ui interference",
        "cobalt strike",
        "cloud",
        "malware",
        "malicious",
        "powershell",
        "service"
      ],
      "references": [
        "https://www.fortinet.com/blog/threat-research/old-miner-new-tricks"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1059.004",
          "name": "Unix Shell",
          "display_name": "T1059.004 - Unix Shell"
        },
        {
          "id": "T1059.005",
          "name": "Visual Basic",
          "display_name": "T1059.005 - Visual Basic"
        },
        {
          "id": "T1089",
          "name": "Disabling Security Tools",
          "display_name": "T1089 - Disabling Security Tools"
        },
        {
          "id": "T1098",
          "name": "Account Manipulation",
          "display_name": "T1098 - Account Manipulation"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 35,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 20,
        "FileHash-MD5": 23,
        "FileHash-SHA1": 16,
        "FileHash-SHA256": 16,
        "CVE": 3,
        "domain": 12,
        "hostname": 1
      },
      "indicator_count": 91,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 544,
      "modified_text": "289 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "681d440f844212eeadd78e42",
      "name": "URLHaus data - 08-05-2025",
      "description": "",
      "modified": "2025-06-07T23:03:28.311000",
      "created": "2025-05-08T23:53:51.458000",
      "tags": [
        "32-bit",
        "arm",
        "elf",
        "Mozi",
        "mips",
        "mirai",
        "ClearFake",
        "bitbucket",
        "connectwise",
        "exe",
        "screenconnect",
        "censys",
        "CobaltStrike",
        "lnk",
        "xml-opendir",
        "hajime",
        "backdoor",
        "sshdkit",
        "apk",
        "opendir",
        "gafgyt",
        "sh",
        "ua-wget",
        "SocGholish",
        "botnetdomain",
        "moobot",
        "sshd",
        "SSHDoor",
        "ascii",
        "Encoded",
        "xworm",
        "powershell",
        "ps1",
        "encrypted",
        "GuLoader",
        "Kimsuky",
        "phemedrone",
        "CHE",
        "coper",
        "geofenced",
        "Octo",
        "ValleyRAT",
        "AmosStealer",
        "zip",
        "gcleaner",
        "LummaStealer",
        "rustystealer",
        "Amadey",
        "DarkVisionRAT",
        "rat",
        "RemcosRAT",
        "ClickFix",
        "FakeCaptcha",
        "HijackLoader",
        "IDATLoader",
        "Quakbot",
        "hta",
        "MetaStealer",
        "WsgiDAV"
      ],
      "references": [
        "https://urlhaus.abuse.ch/browse/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 51,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1000,
        "domain": 33,
        "hostname": 13
      },
      "indicator_count": 1046,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1624,
      "modified_text": "359 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "672f70d470cdbab07d3bdb8f",
      "name": "URLHaus Recent URLs",
      "description": "",
      "modified": "2025-05-15T13:30:30.738000",
      "created": "2024-11-09T14:25:24.551000",
      "tags": [],
      "references": [
        "https://urlhaus.abuse.ch/downloads/csv_recent/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ameermane",
        "id": "77501",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 313720
      },
      "indicator_count": 313720,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 91,
      "modified_text": "383 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://207.231.109.252/bin/support.client.exe",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://207.231.109.252/bin/support.client.exe",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780432404.5884511
}