{ "type": "URL", "indicator": "https://520.loveyty.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://520.loveyty.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3393917507, "indicator": "https://520.loveyty.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "69f307a09667829e1b243083", "name": "Credit Arek-BTC [8blxx.exe Trojan zdalnego dost\u0119pu exe id = \"42c1af80-cff3-505f-a3cb-35b7e345] Clone", "description": "", "modified": "2026-04-30T07:56:08.896000", "created": "2026-04-30T07:41:20.607000", "tags": [ "upx dump", "security", "license v2", "c4 f0", "c4 ec", "ec a5", "c2 c3", "detects", "roth", "program", "files", "xored keyword", "xor key", "sentinel labs", "filter", "norton", "win32", "kevin breen", "kevin", "remote access", "trojan", "metainf", "version", "versions", "settings", "mysettings", "keylogger", "sifre", "bandook rat", "remoteshell", "udpflood", "darkrat", "avenger", "greame", "keylog", "codekey", "ping", "activator", "nanocore", "keepalive", "miner", "inject", "attack", "killer", "predator pain", "unknown", "qrat", "shadowtech", "install", "virusrat", "aar", "alienvault labs", "cwsandbox", "felix bilstein", "cc bysa", "disclaimer", "disassembly", "malpedia", "number", "b801000000", "eb34", "eb0e", "test", "helper objects", "cache", "detailsendswith", "autorun keys", "modification id", "asep", "victor sergeev", "tim shelton", "empty", "homenet", "externalnet", "wang2", "imageendswith", "example", "imagestartswith", "sandbox author", "securityuserid", "windows upgrade", "k netsvcs", "defender", "update", "providers", "safe", "stream", "python", "folder file", "write id", "windows startup", "cyb3rward0g", "open threat", "research", "samplepath", "user", "userprofile", "matches rule", "snort", "rule set", "github", "text c", "file execution", "malware", "shell", "peexe c", "text", "text sha256", "registry", "xml c", "text xx", "appdatalocaldbg", "registry id", "run once", "singh", "details" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AAR", "display_name": "AAR", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": "676a09a5aa214e111c6789de", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "YARA": 50, "FileHash-MD5": 33, "FileHash-SHA1": 7, "FileHash-SHA256": 367, "domain": 44, "URL": 373, "hostname": 171, "IPv4": 11 }, "indicator_count": 1056, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "33 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "676a09a5aa214e111c6789de", "name": "8blxx.exe Trojan zdalnego dost\u0119pu exe id = \"42c1af80-cff3-505f-a3cb-35b7e34575e1\"", "description": "regu\u0142a RAT_AAR { meta: author = \"Kevin Breen \" date = \"01.04.2014\" description = \"Wykryto z\u0142o\u015bliwe oprogramowanie AAR RAT\" reference = \" http://malwareconfig.com/stats /AAR\" malware maltype = \"Trojan zdalnego dost\u0119pu\" filetype = \"exe\" id = \"42c1af80-cff3-505f-a3cb-35b7e34575e1\" strings: $a = \"Hashtable\" $b = \"get_IsDisposed\" $c = \"TripleDES\" $d = \"testmemory.", "modified": "2025-01-08T01:47:51.399000", "created": "2024-12-24T01:08:53.412000", "tags": [ "upx dump", "security", "license v2", "c4 f0", "c4 ec", "ec a5", "c2 c3", "detects", "roth", "program", "files", "xored keyword", "xor key", "sentinel labs", "filter", "norton", "win32", "kevin breen", "kevin", "remote access", "trojan", "metainf", "version", "versions", "settings", "mysettings", "keylogger", "sifre", "bandook rat", "remoteshell", "udpflood", "darkrat", "avenger", "greame", "keylog", "codekey", "ping", "activator", "nanocore", "keepalive", "miner", "inject", "attack", "killer", "predator pain", "unknown", "qrat", "shadowtech", "install", "virusrat", "aar", "alienvault labs", "cwsandbox", "felix bilstein", "cc bysa", "disclaimer", "disassembly", "malpedia", "number", "b801000000", "eb34", "eb0e", "test", "helper objects", "cache", "detailsendswith", "autorun keys", "modification id", "asep", "victor sergeev", "tim shelton", "empty", "homenet", "externalnet", "wang2", "imageendswith", "example", "imagestartswith", "sandbox author", "securityuserid", "windows upgrade", "k netsvcs", "defender", "update", "providers", "safe", "stream", "python", "folder file", "write id", "windows startup", "cyb3rward0g", "open threat", "research", "samplepath", "user", "userprofile", "matches rule", "snort", "rule set", "github", "text c", "file execution", "malware", "shell", "peexe c", "text", "text sha256", "registry", "xml c", "text xx", "appdatalocaldbg", "registry id", "run once", "singh", "details" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AAR", "display_name": "AAR", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "YARA": 50, "FileHash-MD5": 16, "FileHash-SHA1": 7, "FileHash-SHA256": 367, "domain": 44, "URL": 373, "hostname": 171, "IPv4": 11 }, "indicator_count": 1039, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "510 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a0bc9f2837fed9426cdd", "name": "Apple Music.app (by @kailula)", "description": "", "modified": "2023-12-06T16:26:36.394000", "created": "2023-12-06T16:26:36.394000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1235, "domain": 324, "hostname": 1559, "URL": 2278, "FileHash-SHA1": 1 }, "indicator_count": 5397, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570810b6b17147085608503", "name": "Apple Music.app", "description": "", "modified": "2023-12-06T14:11:23.015000", "created": "2023-12-06T14:11:23.015000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1235, "domain": 324, "hostname": 1559, "URL": 2278, "FileHash-SHA1": 1 }, "indicator_count": 5397, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "909 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64e7ab22bbbb24b60b0ede98", "name": "Apple Music.app (by @kailula)", "description": "", "modified": "2023-08-24T19:10:26.385000", "created": "2023-08-24T19:10:26.385000", "tags": [ "whois", "whois record", "ssl certificate", "chinese", "ip check", "mac malware", "collection ii", "steg icons", "wired", "collection", "korlia", "trickbot" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6228c8698878b924d3b309b6", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2278, "hostname": 1559, "domain": 324, "FileHash-SHA256": 1235, "FileHash-SHA1": 1 }, "indicator_count": 5397, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "1012 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63f16ce668c75c5ec1148e7b", "name": "http://vinyldevicepop.com", "description": "The Falcon Sandbox malware analysis service is available to download, view and download all the data on the Falcon website, including the full report on how to identify and identify the malware and tactics behind the attack.", "modified": "2023-03-21T00:02:57.765000", "created": "2023-02-19T00:27:18.058000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "runtime data", "ansi", "localappdata", "unicode", "hash seen", "size", "runtime process", "sha256", "sha1", "temp", "entropy", "suspicious", "hybrid", "close", "click", "ransomware", "february", "general", "strings" ], "references": [ "https://hybrid-analysis.com/sample/a575cf06662eb0972d9d0e5286382ca909ac3d4db893153ac13242e626304b1f/63f0cc25c94909360712d453" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 98, "hostname": 38, "domain": 10, "FileHash-SHA256": 62, "FileHash-MD5": 50, "FileHash-SHA1": 49 }, "indicator_count": 307, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63dc196ce1e419aca95e3a87", "name": "#039;http://147.75.3.myip.cloud.infn.it/' TS=100/100 is xip.io", "description": "", "modified": "2023-03-04T00:03:25.234000", "created": "2023-02-02T20:13:32.980000", "tags": [ "vxstream", "trojan", "apt", "runtime data", "ansi", "runtime process", "sha256", "unicode", "localappdata", "date", "entropy", "close", "click", "ransomware" ], "references": [ "https://hybrid-analysis.com/sample/172ffc5c288f7a241eac43d0d98143d91bc45fb17fce1c0788b4caf462a124d1/63dbfcceab5f780bd5536d3c" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 98, "hostname": 41, "domain": 9, "FileHash-SHA256": 84, "FileHash-MD5": 61, "FileHash-SHA1": 60 }, "indicator_count": 353, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1186 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63994429139dc965346ecad6", "name": "think of it like supply chain but using consumer infrastructure instead of corp data", "description": "[object Object", "modified": "2023-01-13T00:01:55.237000", "created": "2022-12-14T03:34:01.804000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "runtime data", "ansi", "localappdata", "unicode", "hash seen", "size", "runtime process", "temp", "sha256", "sha1", "hybrid", "close", "click", "hosts", "ransomware", "general", "strings", "suspicious", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "https://hybrid-analysis.com/sample/5e5db92f90d6ccdd7dc1eca0c1a9cd6b54493e873d07c90f72da6478ac5f24cb", "https://hybrid-analysis.com/sample/5e5db92f90d6ccdd7dc1eca0c1a9cd6b54493e873d07c90f72da6478ac5f24cb/6398ed7852c7e131d0022430" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 576, "hostname": 282, "domain": 51, "FileHash-SHA256": 85, "FileHash-MD5": 51, "FileHash-SHA1": 50, "email": 2 }, "indicator_count": 1097, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6228c8698878b924d3b309b6", "name": "Apple Music.app", "description": "", "modified": "2022-04-08T00:05:40.239000", "created": "2022-03-09T15:31:53.378000", "tags": [ "whois", "whois record", "ssl certificate", "chinese", "ip check", "mac malware", "collection ii", "steg icons", "wired", "collection", "korlia", "trickbot" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2278, "hostname": 1559, "domain": 324, "FileHash-SHA256": 1235, "FileHash-SHA1": 1 }, "indicator_count": 5397, "is_author": false, "is_subscribing": null, "subscriber_count": 408, "modified_text": "1516 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://hybrid-analysis.com/sample/172ffc5c288f7a241eac43d0d98143d91bc45fb17fce1c0788b4caf462a124d1/63dbfcceab5f780bd5536d3c", "https://hybrid-analysis.com/sample/5e5db92f90d6ccdd7dc1eca0c1a9cd6b54493e873d07c90f72da6478ac5f24cb/6398ed7852c7e131d0022430", "https://hybrid-analysis.com/sample/a575cf06662eb0972d9d0e5286382ca909ac3d4db893153ac13242e626304b1f/63f0cc25c94909360712d453", "https://hybrid-analysis.com/sample/5e5db92f90d6ccdd7dc1eca0c1a9cd6b54493e873d07c90f72da6478ac5f24cb" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Aar" ], "industries": [], "unique_indicators": 7736 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/loveyty.com", "whois": "http://whois.domaintools.com/loveyty.com", "domain": "loveyty.com", "hostname": "520.loveyty.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "69f307a09667829e1b243083", "name": "Credit Arek-BTC [8blxx.exe Trojan zdalnego dost\u0119pu exe id = \"42c1af80-cff3-505f-a3cb-35b7e345] Clone", "description": "", "modified": "2026-04-30T07:56:08.896000", "created": "2026-04-30T07:41:20.607000", "tags": [ "upx dump", "security", "license v2", "c4 f0", "c4 ec", "ec a5", "c2 c3", "detects", "roth", "program", "files", "xored keyword", "xor key", "sentinel labs", "filter", "norton", "win32", "kevin breen", "kevin", "remote access", "trojan", "metainf", "version", "versions", "settings", "mysettings", "keylogger", "sifre", "bandook rat", "remoteshell", "udpflood", "darkrat", "avenger", "greame", "keylog", "codekey", "ping", "activator", "nanocore", "keepalive", "miner", "inject", "attack", "killer", "predator pain", "unknown", "qrat", "shadowtech", "install", "virusrat", "aar", "alienvault labs", "cwsandbox", "felix bilstein", "cc bysa", "disclaimer", "disassembly", "malpedia", "number", "b801000000", "eb34", "eb0e", "test", "helper objects", "cache", "detailsendswith", "autorun keys", "modification id", "asep", "victor sergeev", "tim shelton", "empty", "homenet", "externalnet", "wang2", "imageendswith", "example", "imagestartswith", "sandbox author", "securityuserid", "windows upgrade", "k netsvcs", "defender", "update", "providers", "safe", "stream", "python", "folder file", "write id", "windows startup", "cyb3rward0g", "open threat", "research", "samplepath", "user", "userprofile", "matches rule", "snort", "rule set", "github", "text c", "file execution", "malware", "shell", "peexe c", "text", "text sha256", "registry", "xml c", "text xx", "appdatalocaldbg", "registry id", "run once", "singh", "details" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AAR", "display_name": "AAR", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": "676a09a5aa214e111c6789de", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "YARA": 50, "FileHash-MD5": 33, "FileHash-SHA1": 7, "FileHash-SHA256": 367, "domain": 44, "URL": 373, "hostname": 171, "IPv4": 11 }, "indicator_count": 1056, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "33 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "676a09a5aa214e111c6789de", "name": "8blxx.exe Trojan zdalnego dost\u0119pu exe id = \"42c1af80-cff3-505f-a3cb-35b7e34575e1\"", "description": "regu\u0142a RAT_AAR { meta: author = \"Kevin Breen \" date = \"01.04.2014\" description = \"Wykryto z\u0142o\u015bliwe oprogramowanie AAR RAT\" reference = \" http://malwareconfig.com/stats /AAR\" malware maltype = \"Trojan zdalnego dost\u0119pu\" filetype = \"exe\" id = \"42c1af80-cff3-505f-a3cb-35b7e34575e1\" strings: $a = \"Hashtable\" $b = \"get_IsDisposed\" $c = \"TripleDES\" $d = \"testmemory.", "modified": "2025-01-08T01:47:51.399000", "created": "2024-12-24T01:08:53.412000", "tags": [ "upx dump", "security", "license v2", "c4 f0", "c4 ec", "ec a5", "c2 c3", "detects", "roth", "program", "files", "xored keyword", "xor key", "sentinel labs", "filter", "norton", "win32", "kevin breen", "kevin", "remote access", "trojan", "metainf", "version", "versions", "settings", "mysettings", "keylogger", "sifre", "bandook rat", "remoteshell", "udpflood", "darkrat", "avenger", "greame", "keylog", "codekey", "ping", "activator", "nanocore", "keepalive", "miner", "inject", "attack", "killer", "predator pain", "unknown", "qrat", "shadowtech", "install", "virusrat", "aar", "alienvault labs", "cwsandbox", "felix bilstein", "cc bysa", "disclaimer", "disassembly", "malpedia", "number", "b801000000", "eb34", "eb0e", "test", "helper objects", "cache", "detailsendswith", "autorun keys", "modification id", "asep", "victor sergeev", "tim shelton", "empty", "homenet", "externalnet", "wang2", "imageendswith", "example", "imagestartswith", "sandbox author", "securityuserid", "windows upgrade", "k netsvcs", "defender", "update", "providers", "safe", "stream", "python", "folder file", "write id", "windows startup", "cyb3rward0g", "open threat", "research", "samplepath", "user", "userprofile", "matches rule", "snort", "rule set", "github", "text c", "file execution", "malware", "shell", "peexe c", "text", "text sha256", "registry", "xml c", "text xx", "appdatalocaldbg", "registry id", "run once", "singh", "details" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AAR", "display_name": "AAR", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "YARA": 50, "FileHash-MD5": 16, "FileHash-SHA1": 7, "FileHash-SHA256": 367, "domain": 44, "URL": 373, "hostname": 171, "IPv4": 11 }, "indicator_count": 1039, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "510 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a0bc9f2837fed9426cdd", "name": "Apple Music.app (by @kailula)", "description": "", "modified": "2023-12-06T16:26:36.394000", "created": "2023-12-06T16:26:36.394000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1235, "domain": 324, "hostname": 1559, "URL": 2278, "FileHash-SHA1": 1 }, "indicator_count": 5397, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570810b6b17147085608503", "name": "Apple Music.app", "description": "", "modified": "2023-12-06T14:11:23.015000", "created": "2023-12-06T14:11:23.015000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1235, "domain": 324, "hostname": 1559, "URL": 2278, "FileHash-SHA1": 1 }, "indicator_count": 5397, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "909 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64e7ab22bbbb24b60b0ede98", "name": "Apple Music.app (by @kailula)", "description": "", "modified": "2023-08-24T19:10:26.385000", "created": "2023-08-24T19:10:26.385000", "tags": [ "whois", "whois record", "ssl certificate", "chinese", "ip check", "mac malware", "collection ii", "steg icons", "wired", "collection", "korlia", "trickbot" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6228c8698878b924d3b309b6", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2278, "hostname": 1559, "domain": 324, "FileHash-SHA256": 1235, "FileHash-SHA1": 1 }, "indicator_count": 5397, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "1012 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63f16ce668c75c5ec1148e7b", "name": "http://vinyldevicepop.com", "description": "The Falcon Sandbox malware analysis service is available to download, view and download all the data on the Falcon website, including the full report on how to identify and identify the malware and tactics behind the attack.", "modified": "2023-03-21T00:02:57.765000", "created": "2023-02-19T00:27:18.058000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "runtime data", "ansi", "localappdata", "unicode", "hash seen", "size", "runtime process", "sha256", "sha1", "temp", "entropy", "suspicious", "hybrid", "close", "click", "ransomware", "february", "general", "strings" ], "references": [ "https://hybrid-analysis.com/sample/a575cf06662eb0972d9d0e5286382ca909ac3d4db893153ac13242e626304b1f/63f0cc25c94909360712d453" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 98, "hostname": 38, "domain": 10, "FileHash-SHA256": 62, "FileHash-MD5": 50, "FileHash-SHA1": 49 }, "indicator_count": 307, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63dc196ce1e419aca95e3a87", "name": "#039;http://147.75.3.myip.cloud.infn.it/' TS=100/100 is xip.io", "description": "", "modified": "2023-03-04T00:03:25.234000", "created": "2023-02-02T20:13:32.980000", "tags": [ "vxstream", "trojan", "apt", "runtime data", "ansi", "runtime process", "sha256", "unicode", "localappdata", "date", "entropy", "close", "click", "ransomware" ], "references": [ "https://hybrid-analysis.com/sample/172ffc5c288f7a241eac43d0d98143d91bc45fb17fce1c0788b4caf462a124d1/63dbfcceab5f780bd5536d3c" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 98, "hostname": 41, "domain": 9, "FileHash-SHA256": 84, "FileHash-MD5": 61, "FileHash-SHA1": 60 }, "indicator_count": 353, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1186 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63994429139dc965346ecad6", "name": "think of it like supply chain but using consumer infrastructure instead of corp data", "description": "[object Object", "modified": "2023-01-13T00:01:55.237000", "created": "2022-12-14T03:34:01.804000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "runtime data", "ansi", "localappdata", "unicode", "hash seen", "size", "runtime process", "temp", "sha256", "sha1", "hybrid", "close", "click", "hosts", "ransomware", "general", "strings", "suspicious", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "https://hybrid-analysis.com/sample/5e5db92f90d6ccdd7dc1eca0c1a9cd6b54493e873d07c90f72da6478ac5f24cb", "https://hybrid-analysis.com/sample/5e5db92f90d6ccdd7dc1eca0c1a9cd6b54493e873d07c90f72da6478ac5f24cb/6398ed7852c7e131d0022430" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 576, "hostname": 282, "domain": 51, "FileHash-SHA256": 85, "FileHash-MD5": 51, "FileHash-SHA1": 50, "email": 2 }, "indicator_count": 1097, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6228c8698878b924d3b309b6", "name": "Apple Music.app", "description": "", "modified": "2022-04-08T00:05:40.239000", "created": "2022-03-09T15:31:53.378000", "tags": [ "whois", "whois record", "ssl certificate", "chinese", "ip check", "mac malware", "collection ii", "steg icons", "wired", "collection", "korlia", "trickbot" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2278, "hostname": 1559, "domain": 324, "FileHash-SHA256": 1235, "FileHash-SHA1": 1 }, "indicator_count": 5397, "is_author": false, "is_subscribing": null, "subscriber_count": 408, "modified_text": "1516 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://520.loveyty.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://520.loveyty.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780414077.9957793 }