{ "type": "URL", "indicator": "https://api.github.com/_private/browser/stats", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://api.github.com/_private/browser/stats", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #87", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #560", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain github.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain github.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2260884728, "indicator": "https://api.github.com/_private/browser/stats", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 17, "pulses": [ { "id": "6a0dad06d8bb37ada19229bc", "name": "Credit:Q.Vashti [Exposing_Malware_in20_Linnux] - clone >post today had related items", "description": "", "modified": "2026-05-20T12:45:58.360000", "created": "2026-05-20T12:45:58.360000", "tags": [ "ipv4", "url http", "expiration", "url https", "eid1338769034", "united", "unknown ns", "present jun", "unknown cname", "name servers", "search", "servers", "showing", "ip address", "creation date", "date", "encrypt", "sha256", "submitted", "passive dns", "urls", "address", "xmpg", "malware", "span", "extgstate", "bbox", "subtypeform", "rlength", "resource", "rfit", "pattern match", "path", "code", "cobalt strike", "false", "cloud", "core", "footer", "meta", "black", "ransomware", "r980", "facebook", "discord", "stream", "form", "contact", "story", "february", "rats", "stack", "defense", "launcher", "trace", "august", "hellokitty", "twitter", "upgrade", "android", "decryptor", "green", "enterprise", "team", "small", "systemd", "service", "python", "shell", "reload", "find", "haiduc", "hybrid", "general", "suspicious", "click", "strings", "iframe", "loader", "tools", "template", "daily", "hypervisor", "capture", "stars", "download", "copy", "cobaltstrike", "install", "madcap", "protect", "shift", "beyond", "leverage", "agent", "info", "xmrig", "attack", "demonbot", "multi", "live", "grep", "pass", "ri falsek", "process", "xobject", "format", "june", "crypto", "close", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "apis", "found" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": "684690d6dc730b0842d341a7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 48, "FileHash-SHA256": 67, "domain": 173, "hostname": 110, "URL": 429, "email": 10 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0dacb22ae45efab0266fc2", "name": "Credit:Q.Vashti [Exposing_Malware_in20_Linnux] - clone >post today had related items", "description": "", "modified": "2026-05-20T12:44:34.775000", "created": "2026-05-20T12:44:34.775000", "tags": [ "ipv4", "url http", "expiration", "url https", "eid1338769034", "united", "unknown ns", "present jun", "unknown cname", "name servers", "search", "servers", "showing", "ip address", "creation date", "date", "encrypt", "sha256", "submitted", "passive dns", "urls", "address", "xmpg", "malware", "span", "extgstate", "bbox", "subtypeform", "rlength", "resource", "rfit", "pattern match", "path", "code", "cobalt strike", "false", "cloud", "core", "footer", "meta", "black", "ransomware", "r980", "facebook", "discord", "stream", "form", "contact", "story", "february", "rats", "stack", "defense", "launcher", "trace", "august", "hellokitty", "twitter", "upgrade", "android", "decryptor", "green", "enterprise", "team", "small", "systemd", "service", "python", "shell", "reload", "find", "haiduc", "hybrid", "general", "suspicious", "click", "strings", "iframe", "loader", "tools", "template", "daily", "hypervisor", "capture", "stars", "download", "copy", "cobaltstrike", "install", "madcap", "protect", "shift", "beyond", "leverage", "agent", "info", "xmrig", "attack", "demonbot", "multi", "live", "grep", "pass", "ri falsek", "process", "xobject", "format", "june", "crypto", "close", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "apis", "found" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": "684690d6dc730b0842d341a7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 48, "FileHash-SHA256": 67, "domain": 173, "hostname": 110, "URL": 429, "email": 10 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0dacb2971f3103a0dddbcc", "name": "Credit:Q.Vashti [Exposing_Malware_in20_Linnux] - clone >post today had related items", "description": "", "modified": "2026-05-20T12:44:34.547000", "created": "2026-05-20T12:44:34.547000", "tags": [ "ipv4", "url http", "expiration", "url https", "eid1338769034", "united", "unknown ns", "present jun", "unknown cname", "name servers", "search", "servers", "showing", "ip address", "creation date", "date", "encrypt", "sha256", "submitted", "passive dns", "urls", "address", "xmpg", "malware", "span", "extgstate", "bbox", "subtypeform", "rlength", "resource", "rfit", "pattern match", "path", "code", "cobalt strike", "false", "cloud", "core", "footer", "meta", "black", "ransomware", "r980", "facebook", "discord", "stream", "form", "contact", "story", "february", "rats", "stack", "defense", "launcher", "trace", "august", "hellokitty", "twitter", "upgrade", "android", "decryptor", "green", "enterprise", "team", "small", "systemd", "service", "python", "shell", "reload", "find", "haiduc", "hybrid", "general", "suspicious", "click", "strings", "iframe", "loader", "tools", "template", "daily", "hypervisor", "capture", "stars", "download", "copy", "cobaltstrike", "install", "madcap", "protect", "shift", "beyond", "leverage", "agent", "info", "xmrig", "attack", "demonbot", "multi", "live", "grep", "pass", "ri falsek", "process", "xobject", "format", "june", "crypto", "close", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "apis", "found" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": "684690d6dc730b0842d341a7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 48, "FileHash-SHA256": 67, "domain": 173, "hostname": 110, "URL": 429, "email": 10 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ca67e6fcf22ecf04cdc133", "name": "CAPE Sandbox", "description": "0a32d6abea15f3bfe2a74763ba6c4ef5\nSHA1\td0a0ba4207f5432aad98b4a95b026000ed2cbd7c\nSHA256\tecbeaa13921dbad8028d29534c3878503f45a82a09cf27857fa4335bd1c9286d [VT] [MWDB] [Bazaar]\nSHA3-384\tef79fc72829f68826daed047da58341c5881407899b12a270156ddec9a5f6f9adf1837c00caac0f3361fb06efcf6540f\nCRC32\t28718AD3\nTLSH\tT14DA52212B6851CF9EC1791BDC3515A55EAB378820B31EEEF039481362F236E27E39B15\nSsdeep\t49152:CXpR7NUIWY4kBvOlmNaxoVAiWAYt7zCEzlAt2auIZuJ5bg/:SVh4kwM6oVABVh3Iq8\nYara\t\nvmdetect - Possibly employs anti-virtualization techniques - Author: nex", "modified": "2026-04-29T12:19:08.447000", "created": "2026-03-30T12:09:10.134000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA1": 19, "FileHash-SHA256": 22, "URL": 38, "domain": 9, "hostname": 46 }, "indicator_count": 150, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bbb5859a562c3df21f4c2b", "name": "CAPE Sandbox", "description": "#floppydisk.", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T08:36:21.814000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 129, "FileHash-SHA1": 124, "FileHash-SHA256": 500, "hostname": 68, "URL": 37, "domain": 4 }, "indicator_count": 862, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6941e87912ebb7843300906d", "name": "Telus Github", "description": "Telus has a Github. They are one of Canada's 'big 3' ISPs. They are compromised.", "modified": "2026-01-15T23:03:27.378000", "created": "2025-12-16T23:17:13.020000", "tags": [ "type", "path", "secure", "date", "accept", "self", "httponly", "samesitelax", "expireswed", "updated", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "prefetch8 ansi", "ansi", "show process", "hash seen", "threat level", "pcap", "sha256", "pcap processing", "ck id", "suspicious", "hybrid", "comspec", "close", "click", "hosts", "general", "model", "strings", "contact", "hybrid analysis", "api key", "vetting process", "please note", "please", "virus", "ransomware", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "javascript", "static analyzer", "analyzer" ], "references": [ "http://hybrid-analysis.com/sample/f62e99ffe34a3f0c186ac31d151d22dd940884f79bbaafcc6061a2a9387f45a8/6941e0586df20223a505d490", "http://hybrid-analysis.com/sample/f62e99ffe34a3f0c186ac31d151d22dd940884f79bbaafcc6061a2a9387f45a8", "https://www.filescan.io/uploads/6941e02584afa5547b586bac/reports/a23ea43a-ad21-4306-9f47-1a8deaa129c0/ioc", "https://www.virustotal.com/gui/collection/5967f31c865dce02efd16cebad1e75bd838298965361912987dd932a513f9212/iocs", "https://www.virustotal.com/gui/collection/5967f31c865dce02efd16cebad1e75bd838298965361912987dd932a513f9212/summary", "https://app.threat.zone/submission/12b7b619-0e5a-4996-9bb5-493ef98f2803/url-analysis-report" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [ "Telecommunications", "Technology", "Healthcare", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 32, "FileHash-SHA1": 31, "FileHash-SHA256": 31, "SSLCertFingerprint": 11, "URL": 197, "domain": 27, "email": 2, "hostname": 101 }, "indicator_count": 432, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "135 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660afeb0c9812049de87dec1", "name": "hxxps://github[.]com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "description": "hxxps://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit\n\nSomething I figured worth looking into - present on several University of Alberta documents on devices sampled from several labs\n\nIOCs (04.01.24): parsed using IOC parser on IOCs (behavioral) derived from: Tri.age Analysis: https://tria.ge/240401-v8bafsaf71/behavioral1 and Hybrid Analysis: http://www.hybrid-analysis.com/sample/e1a88d17a7c013cf623d01c2105e6233e2debb67a9c3fd0eb73b286091c82917/660af3e16e24fdbb100e03d9\n-IOCs submitted to URLscan.io\nUpdate: 09.27.24 -> Present in a word document on Uni Computers (All)", "modified": "2025-09-06T17:02:07.070000", "created": "2024-04-01T18:36:32.583000", "tags": [ "please", "javascript", "triage", "malware", "analysis", "report", "reported", "analyze", "sandbox", "download submit", "sha256", "sha1", "sha512", "prefetch1", "iocs", "suspicious use", "prefetch8", "ck v13", "monitor", "general", "config", "copy", "target", "score", "entity", "domain", "ipv6", "mitreatt", "macaddress", "filename" ], "references": [ "https://www.virustotal.com/gui/collection/78cac7a60cb9ea18ed98d5529491d4351d031634dfe7de0088a3054fba1e53be/iocs", "https://tria.ge/240401-v8bafsaf71/behavioral1", "https://www.virustotal.com/gui/collection/78cac7a60cb9ea18ed98d5529491d4351d031634dfe7de0088a3054fba1e53be/summary", "https://www.virustotal.com/graph/embed/g0e28b9d656774e73b987b563164f4c51556d897677ed4a78920d44a0715390e6?theme=dark", "http://www.hybrid-analysis.com/sample/e1a88d17a7c013cf623d01c2105e6233e2debb67a9c3fd0eb73b286091c82917/660af3e16e24fdbb100e03d9", "https://viz.greynoise.io/tags/georgia-tech-research-scanner?days=10", "https://www.virustotal.com/graph/embed/g4928995ad74946e184fceac08d1c9ec4b891ca72d6c84eb08fc776c915c99e60?theme=dark", "https://www.filescan.io/uploads/66f6fe25f71b9c224c13bdf7/reports/b95801f7-d70e-4cc6-b967-b1cc8ad56fc9/overview", "https://tria.ge/250807-vg754scn6t/behavioral1 - 08.07.25", "https://app.any.run/tasks/53605645-2825-4d09-95ff-183a59b25518 - 08.07.25" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Education", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 103, "FileHash-SHA1": 105, "FileHash-SHA256": 495, "URL": 613, "hostname": 109, "CVE": 4, "domain": 122, "email": 10 }, "indicator_count": 1561, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "266 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67df904daf96180003ff1e14", "name": "hxxps://github[.]com/Cn33liz/p0wnedShell - 07.15.25 (Un-Enriched)", "description": "Yara Rules Triggered:\n\n9b0e9dce190e3dcf83b697ba2a08c9031aa2de00a6d3a3db9c86e2a8b4bc7bc0\np0wnedShell\n\nMatches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL at https://github.com/InQuest/yara-rules-vt by InQuest Labs\nThis signature fires on the presence of Base64 encoded URI prefixes (http:// and https://) across any file. The simple presence of such strings is not inherently an indicator of malicious content, but is worth further investigation. - a moment ago\n View Ruleset\nMatches rule Hacktool_Strings_p0wnedShell from ruleset gen_p0wnshell at https://github.com/Neo23x0/signature-base by Florian Roth\nDetects strings found in Runspace Post Exploitation Toolkit - a moment ago\nMatches rule p0wnedPotato from ruleset gen_p0wnshell at https://github.com/Neo23x0/signature-base by Florian Roth (Nextron Systems)\np0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs - a moment ago", "modified": "2025-08-16T05:00:22.327000", "created": "2025-03-23T04:38:37.512000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "prefetch8 ansi", "date", "threat level", "show process", "sha256", "hash seen", "pcap processing", "command decode", "pcap", "suspicious", "hybrid", "comspec", "close", "click", "hosts", "general", "path", "model", "strings", "contact", "threat intelligence", "feed", "ioc", "change theme", "contact us", "intelligence", "threats api", "analyze api", "overview", "threats explore", "rate limits", "stixtaxii", "bulk export", "please", "javascript", "virus", "ransomware", "static", "indicator of compromise", "extraction", "emulation", "platform", "entity", "report phishing", "suspicious urls", "error", "sorry" ], "references": [ "https://hybrid-analysis.com/sample/c801e05a1ee3423572349377ea9bdc3846b62e949611679e81c3d6cddcde77e5/67dde11e816206bd720dc9a0", "https://pulsedive.com/indicator/?iid=68355616", "https://www.virustotal.com/gui/url/bc0fe9233e19654c54cc439e9f3e06491556867cde40e25c8589dbee265f3f2f/details", "https://www.filescan.io/uploads/67df8925a175d31773454fd7/reports/d000025d-8403-4b03-8f76-a3b74d9b821f/overview", "https://www.virustotal.com/graph/embed/ga577e541c45f4ef3b8c2ee0e464a4264caf5439148f941db8c2615f1b83baebe?theme=dark", "https://www.virustotal.com/gui/collection/f5259d2e7f82856773d9a0867206fe5b571627740209eb72652fd2c04b099a16", "https://www.virustotal.com/gui/collection/f5259d2e7f82856773d9a0867206fe5b571627740209eb72652fd2c04b099a16/iocs", "https://report.netcraft.com/submission/OAoeOZfDFap5UPDTF52Uy5Q754Z5Fctm?tab=urls", "https://app.threat.zone/submission/ef652ac5-bc19-43e4-a603-e2d2ccae55ff/static-scan-report/strings", "https://www.filescan.io/uploads/685b8c3dcf2af157111779ff/reports/69c49cb3-aef0-4a32-b382-6b38ec8187d0/overview", "https://app.any.run/tasks/2f11fff7-a2bc-4744-af91-279753100630", "https://app.threat.zone/submission/2514e91a-4ad4-4c54-bee3-276c86dcc970/overview", "https://polyswarm.network/scan/results/url/bc0fe9233e19654c54cc439e9f3e06491556867cde40e25c8589dbee265f3f2f", "https://tria.ge/250717-f744tavxcy/behavioral1" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Education", "Technology", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 219, "FileHash-SHA1": 203, "FileHash-SHA256": 530, "SSLCertFingerprint": 10, "email": 3, "hostname": 76, "URL": 164, "domain": 153 }, "indicator_count": 1358, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "288 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684690d6dc730b0842d341a7", "name": "Exposing_Malware_in20Linux-Based_Multi-Cloud_Environments_R1Final.pdf", "description": "Falcon Sandbox: \nRansomware/Banking\nDetected indicator that file is ransomware\ndetails\n\"5 | Exposing Malware in Linux-Based Multi-Cloud Environments Ransomware and cryptominers Ransomware The impact of a ransomware attack can range from being a nuisance (e.g., having to restore data from backups and clean up the network) to being devastating (e.g., having to pay large sums of money to regain access to key assets). Unfortunately, when talking about cloud environments, the results tend to be more on the devastating side. Recently, cybercriminals have started calculating the damage they might cause to the valuation of a company going through a financial event to make the potential impact of their attack clear and incentivize ransom payments.5 At the same time, they\\x2122ve been honing their tactics with increasingly sophisticated techniques to target victim organizations\u2026more: https://www.hybrid-analysis.com/sample/92c1ca86f4d025e72acb94ae3cbdd3c6435aaa1b5e3fc3dcb06f8501b5dd3bb7/62e7fdd19a99ce4fa32e6d64", "modified": "2025-07-09T07:03:10.726000", "created": "2025-06-09T07:44:22.507000", "tags": [ "ipv4", "url http", "expiration", "url https", "eid1338769034", "united", "unknown ns", "present jun", "unknown cname", "name servers", "search", "servers", "showing", "ip address", "creation date", "date", "encrypt", "sha256", "submitted", "passive dns", "urls", "address", "xmpg", "malware", "span", "extgstate", "bbox", "subtypeform", "rlength", "resource", "rfit", "pattern match", "path", "code", "cobalt strike", "false", "cloud", "core", "footer", "meta", "black", "ransomware", "r980", "facebook", "discord", "stream", "form", "contact", "story", "february", "rats", "stack", "defense", "launcher", "trace", "august", "hellokitty", "twitter", "upgrade", "android", "decryptor", "green", "enterprise", "team", "small", "systemd", "service", "python", "shell", "reload", "find", "haiduc", "hybrid", "general", "suspicious", "click", "strings", "iframe", "loader", "tools", "template", "daily", "hypervisor", "capture", "stars", "download", "copy", "cobaltstrike", "install", "madcap", "protect", "shift", "beyond", "leverage", "agent", "info", "xmrig", "attack", "demonbot", "multi", "live", "grep", "pass", "ri falsek", "process", "xobject", "format", "june", "crypto", "close", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "apis", "found" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 48, "FileHash-SHA256": 67, "domain": 173, "hostname": 110, "URL": 429, "email": 10 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "326 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684225925f1a076ce3039b55", "name": "hxxps://github[.]com/CocoaPods - 06.05.25", "description": "Github CocoaPods", "modified": "2025-07-05T23:04:57.997000", "created": "2025-06-05T23:17:38.255000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "prefetch8 ansi", "ansi", "date", "threat level", "show process", "sha256", "hash seen", "pcap", "pcap processing", "command decode", "suspicious", "hybrid", "comspec", "close", "click", "hosts", "june", "general", "path", "model", "strings", "contact", "community", "results", "switch", "inquest labs", "resources api", "notes supported", "cve list", "drop your", "file", "service", "virus", "ransomware", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "please", "javascript", "url", "scanner", "reputation", "phishing", "fastly", "accept", "sectigo limited", "gmt file", "windows nt", "win64", "http2", "url get", "fingerprint", "ascii text", "write" ], "references": [ "https://www.hybrid-analysis.com/sample/2df0978d569e55b6c2176959734d9a6a776eab8c11e2742d7b0cde7a7fb72011/68422003376961f119095141", "https://metadefender.com/results/url/aHR0cHM6Ly9naXRodWIuY29tL0NvY29hUG9kcw==", "https://www.filescan.io/uploads/68421f7dfd02ed5e059acb43/reports/6eb07c34-b325-4107-8652-fe9503ca076e/overview", "https://www.virustotal.com/gui/file/9054fc526befddddb30e9df6dade3c405327951f2cd2add9cb27effd4e64ebc7?nocache=1", "https://urlquery.net/report/ae80c540-8c9b-48e4-a6e1-b18cb4426dbf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 182, "FileHash-SHA1": 267, "FileHash-SHA256": 187, "SSLCertFingerprint": 12, "URL": 297, "email": 4, "hostname": 80, "domain": 13 }, "indicator_count": 1042, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "329 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6761c6d68582c49eff306fe6", "name": "Likely malicious Google Analytics Alternative - App & Web Analytics - Matomo", "description": "The full text of the \"suspicious\"obfuscation using unescape has been published on the website tylabs.com, as well as the official release of a new version of PDF.", "modified": "2025-05-14T21:24:25.364000", "created": "2024-12-17T18:45:42.250000", "tags": [ "bitcoin address", "didier stevens", "didierstevens", "bitcoinaddress", "june", "copyright", "t1027", "unesc", "unescape", "flash define", "matomo", "string", "date", "sufeffxa0", "regexp", "please", "blob", "null", "tag manager", "link", "url https", "ipv4", "url http", "learn", "it for", "no credit", "cloud trial", "start", "contact", "matomo team", "help", "free", "easy", "tools" ], "references": [ "https://matomo.org https://matomo.www.gov.pl/analytics/js/container_68lYTZ79.js", "https://www.filescan.io/uploads/67619a0f99caec9a276f9efd/reports/92e63ab1-1ebd-41a7-90da-f842f0b90392/details" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 62, "YARA": 8, "domain": 83, "URL": 657, "email": 3, "hostname": 152, "IPv4": 15, "CIDR": 1, "FileHash-SHA1": 57, "FileHash-SHA256": 734 }, "indicator_count": 1772, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "381 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67dfbeec0e4cfd59cca3ac61", "name": "hxxps://github[.]com/imaya/zlib.js/tree/master - 03.22.25 (Un-Enriched)", "description": "hxxps://github[.]com/imaya/zlib.js/tree/master - 03.22.25", "modified": "2025-04-22T07:00:01.273000", "created": "2025-03-23T07:57:32.130000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "prefetch8 ansi", "date", "threat level", "show process", "hash seen", "sha256", "pcap processing", "pcap", "command decode", "suspicious", "hybrid", "comspec", "close", "click", "hosts", "general", "path", "model", "strings", "contact", "threat intelligence", "feed", "ioc", "change theme", "contact us", "intelligence", "threats api", "analyze api", "overview", "threats explore", "rate limits", "stixtaxii", "bulk export", "please", "javascript", "virus", "ransomware", "static", "indicator of compromise", "extraction", "emulation", "platform", "entity" ], "references": [ "https://hybrid-analysis.com/sample/8ee2ed5f3080354e6c8974fbebdc448c8d289a3f05e3bfedefadd5e2a9084376/67dfb4135d3987c5750301fc", "https://pulsedive.com/indicator/?iid=68381634", "https://www.virustotal.com/gui/url/76078f83edcd46bd9b83a87a39731cbe45da33b30a7c4a628223a4959c97ce0f", "https://www.filescan.io/uploads/67dfbaf7a175d317734568e1/reports/83bd2446-c34b-4ce3-9de6-7f9685941d28/overview", "https://www.filescan.io/uploads/67dfbaf7a175d317734568e1/reports/83bd2446-c34b-4ce3-9de6-7f9685941d28/ioc", "https://www.virustotal.com/graph/embed/g8d4be90062df462fbc7be3ba1cca3ec26c9964a0684742ea8ca73e36810d5810?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Education", "Healthcare", "Government", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 91, "FileHash-SHA1": 91, "FileHash-SHA256": 190, "SSLCertFingerprint": 13, "domain": 75, "email": 4, "hostname": 47, "URL": 136 }, "indicator_count": 647, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "404 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66831f04ad169d3b685c9645", "name": "Win.exe , Bootstrapper.exe , pl.microsoft.com , microsoft.com/pki/certs/MicRooCerAut_2010", "description": "rule UPX { meta: author = \"kevoreilly\" description = \"UPX dump on OEP (original entry point)\" cape_options = \"bp0=$upx32+9,bp0=$upx64+11,action0=step2oep\" strings: $upx32 = {6A 00 39 C4 75 FA 83 EC ?? rule Windows_Generic_Threat_5c18a7f9 { meta: author = \"Elastic Security\" id = \"5c18a7f9-01af-468b-9a63-cfecbeb739d7\" fingerprint = \"68c9114ac342d527cf6f0cea96b63dfeb8e5d80060572fad2bbc7d287c752d4a\" creation_date = \"2024-01-21\" last_modified = \"2024-02-08\" threat_name = \"Windows.\ndca60557a1f47948d7158ba9f56ad8656bd0b343488264e23037fd66174e3cd5\nb4f7ace176d0eeba828e7c03f39befb30355223860d14e6ca4422fdb81778df7\nPr\u00f3bka Cuckoo-843b85c493b8a9048b2ab73a9d1a8.cab - polecenie Microsoft Office.\nResearchers have decoded a new set of data on how to store data in a safe and easy-to-use digital format, as well as the results of a series of tests on the subject.", "modified": "2024-10-14T20:36:07.924000", "created": "2024-07-01T21:26:27.623000", "tags": [ "no expiration", "filehashsha256", "hacktool", "expiration", "win32autokms no", "filehashmd5", "filehashsha1", "virus", "sha1", "win32", "trojan", "ransom", "pejzasz", "vhash", "imphash", "ssdeep", "hash", "skrt", "y pkmsauto", "crlf", "dodaj", "hostsettings", "v wczono", "t regdword", "powershell", "nowy", "pe32", "intel", "ms windows", "nazwa typ", "md5 nazwa", "procesu", "vs2013", "rticon neutral", "compiler", "submission", "file version", "chi2", "contained", "authentihash", "pehash", "uacme akagi", "cobalt strike", "detects", "roth", "sliver stagers", "highvol", "detects imphash", "zero", "virustotal", "detection rule", "license", "arnim rupp", "whasz", "github", "postpuj zgodnie", "przegld", "danie id", "github og", "url https", "error", "toast", "clientrender", "date", "promise", "65536", "client env", "alloy", "rangeerror", "staff", "upx dump", "security", "license v2", "e8 ff", "fc ff", "ff ff", "e8 f7", "c3 e8", "e8 db", "f0 c9", "c8 ff", "c9 c3", "c4 a8", "a7 ff", "f1 e8", "ec c7", "f0 c0", "c1 e9", "ec e8", "ff e8", "a3 a4", "db e2", "b0 e9", "e8 ba", "b9 f3", "e4 f8", "ff e9", "eb ed", "b6 b3", "b6 bb", "c8 f7", "c6 a8", "f6 c1", "b0 d7", "df e0", "c4 f0", "fc e8", "cf e5", "f8 ff", "f7 ff", "cc cc", "c3 b8", "b9 ff", "ff f3", "ab aa", "f7 f9", "b8 c7", "be ad", "ef be", "ad de", "e9 cd", "c4 f4", "fe ff", "d1 fa", "fa fc", "f3 a6", "fb ff", "fc c6", "fc eb", "e8 ed", "fb d1", "b6 f8", "c7 c7", "ec d0", "b6 d2", "ff e1", "c0 ac", "c1 e3", "c3 aa", "c2 c1", "d3 f7", "fc c7", "win32 cabinet", "selfextractor", "pecompact", "yarahub", "yara", "repository", "hub", "repo", "malware_onenote_delivery_jan23", "yara rule", "team", "sifalconteam", "yarahub entry", "rule details", "malpedia family", "rule matching", "content copy", "download rule", "malware", "cc by", "vbscript", "sub autoopen", "getobject", "batch" ], "references": [ "https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js", "https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23" ], "public": 1, "adversary": "rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 361, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 14732, "FileHash-MD5": 4316, "FileHash-SHA1": 3405, "YARA": 181, "URL": 4793, "domain": 1717, "hostname": 4354, "IPv4": 107, "IPv6": 845, "email": 26, "CVE": 13, "FilePath": 1 }, "indicator_count": 34490, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657095eda27e3f05cd61b6ce", "name": "9;v1.opengraph.11ty.dev - Fuked Farm - Now where did I put that needle in that haystack? or is the haystack the f...ing needle", "description": "", "modified": "2023-12-06T15:40:29.765000", "created": "2023-12-06T15:40:29.765000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2182, "FileHash-SHA256": 438, "hostname": 6002, "URL": 14454, "FileHash-MD5": 27, "FileHash-SHA1": 23 }, "indicator_count": 23126, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707f99cdb1ac2e75738328", "name": "https://github.com/WSP-LAB/FUGIO", "description": "", "modified": "2023-12-06T14:05:13.366000", "created": "2023-12-06T14:05:13.366000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 156, "hostname": 31, "domain": 4, "URL": 22, "FileHash-MD5": 2 }, "indicator_count": 215, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63b8db30e94cd692710758e3", "name": "9;v1.opengraph.11ty.dev - Fuked Farm - Now where did I put that needle in that haystack? or is the haystack the f...ing needle", "description": "", "modified": "2023-01-07T02:55:08.704000", "created": "2023-01-07T02:38:40.067000", "tags": [ "trojan", "apt", "ansi", "dropped file", "runtime data", "pattern match", "site", "localappdata", "indicator", "msedge", "programfiles", "ck id", "path", "suspicious", "hybrid", "close", "click", "ransomware", "general", "local", "factory", "strings", "malicious", "github", "build software", "github fb" ], "references": [ "https://hybrid-analysis.com/sample/c4d970dc246c99371f246d342b15000e7bd3e59b3137293b43521b9fd9feff72/63b573f01bdd5b518e665082", "A look at some of the key words and phrases used to describe GitHub, the open-source software development platform, as well as its official website, in the third of a series of articles." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14454, "hostname": 6002, "domain": 2182, "FileHash-SHA256": 438, "FileHash-MD5": 27, "FileHash-SHA1": 23 }, "indicator_count": 23126, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "1240 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "621d2887ea4e51d3704ed7aa", "name": "https://github.com/WSP-LAB/FUGIO", "description": "", "modified": "2022-02-28T19:54:47.152000", "created": "2022-02-28T19:54:47.152000", "tags": [ "php object", "path", "secure", "samesitelax", "github", "submission", "uymikh0a", "httponly", "expirestue", "self", "accept" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 156, "hostname": 31, "domain": 4, "URL": 22, "FileHash-MD5": 2 }, "indicator_count": 215, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1552 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.filescan.io/uploads/68421f7dfd02ed5e059acb43/reports/6eb07c34-b325-4107-8652-fe9503ca076e/overview", "https://www.virustotal.com/gui/file/9054fc526befddddb30e9df6dade3c405327951f2cd2add9cb27effd4e64ebc7?nocache=1", "https://www.virustotal.com/graph/embed/g0e28b9d656774e73b987b563164f4c51556d897677ed4a78920d44a0715390e6?theme=dark", "https://polyswarm.network/scan/results/url/bc0fe9233e19654c54cc439e9f3e06491556867cde40e25c8589dbee265f3f2f", "https://app.any.run/tasks/2f11fff7-a2bc-4744-af91-279753100630", "https://tria.ge/240401-v8bafsaf71/behavioral1", "https://app.threat.zone/submission/2514e91a-4ad4-4c54-bee3-276c86dcc970/overview", "https://app.threat.zone/submission/ef652ac5-bc19-43e4-a603-e2d2ccae55ff/static-scan-report/strings", "https://www.virustotal.com/gui/collection/5967f31c865dce02efd16cebad1e75bd838298965361912987dd932a513f9212/iocs", "https://www.filescan.io/uploads/685b8c3dcf2af157111779ff/reports/69c49cb3-aef0-4a32-b382-6b38ec8187d0/overview", "https://tria.ge/250717-f744tavxcy/behavioral1", "https://www.virustotal.com/gui/collection/5967f31c865dce02efd16cebad1e75bd838298965361912987dd932a513f9212/summary", "https://www.filescan.io/uploads/6941e02584afa5547b586bac/reports/a23ea43a-ad21-4306-9f47-1a8deaa129c0/ioc", "https://metadefender.com/results/url/aHR0cHM6Ly9naXRodWIuY29tL0NvY29hUG9kcw==", "https://www.virustotal.com/gui/collection/f5259d2e7f82856773d9a0867206fe5b571627740209eb72652fd2c04b099a16", "https://www.virustotal.com/gui/collection/f5259d2e7f82856773d9a0867206fe5b571627740209eb72652fd2c04b099a16/iocs", "https://app.any.run/tasks/53605645-2825-4d09-95ff-183a59b25518 - 08.07.25", "A look at some of the key words and phrases used to describe GitHub, the open-source software development platform, as well as its official website, in the third of a series of articles.", "https://www.filescan.io/uploads/67dfbaf7a175d317734568e1/reports/83bd2446-c34b-4ce3-9de6-7f9685941d28/overview", "https://www.filescan.io/uploads/67dfbaf7a175d317734568e1/reports/83bd2446-c34b-4ce3-9de6-7f9685941d28/ioc", "https://viz.greynoise.io/tags/georgia-tech-research-scanner?days=10", "https://pulsedive.com/indicator/?iid=68355616", "https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23", "https://hybrid-analysis.com/sample/8ee2ed5f3080354e6c8974fbebdc448c8d289a3f05e3bfedefadd5e2a9084376/67dfb4135d3987c5750301fc", "https://www.virustotal.com/graph/embed/g8d4be90062df462fbc7be3ba1cca3ec26c9964a0684742ea8ca73e36810d5810?theme=dark", "http://www.hybrid-analysis.com/sample/e1a88d17a7c013cf623d01c2105e6233e2debb67a9c3fd0eb73b286091c82917/660af3e16e24fdbb100e03d9", "https://www.hybrid-analysis.com/sample/2df0978d569e55b6c2176959734d9a6a776eab8c11e2742d7b0cde7a7fb72011/68422003376961f119095141", "https://www.filescan.io/uploads/67619a0f99caec9a276f9efd/reports/92e63ab1-1ebd-41a7-90da-f842f0b90392/details", "https://www.virustotal.com/graph/embed/ga577e541c45f4ef3b8c2ee0e464a4264caf5439148f941db8c2615f1b83baebe?theme=dark", "http://hybrid-analysis.com/sample/f62e99ffe34a3f0c186ac31d151d22dd940884f79bbaafcc6061a2a9387f45a8/6941e0586df20223a505d490", "http://hybrid-analysis.com/sample/f62e99ffe34a3f0c186ac31d151d22dd940884f79bbaafcc6061a2a9387f45a8", "https://www.filescan.io/uploads/66f6fe25f71b9c224c13bdf7/reports/b95801f7-d70e-4cc6-b967-b1cc8ad56fc9/overview", "https://www.filescan.io/uploads/67df8925a175d31773454fd7/reports/d000025d-8403-4b03-8f76-a3b74d9b821f/overview", "https://www.virustotal.com/gui/url/76078f83edcd46bd9b83a87a39731cbe45da33b30a7c4a628223a4959c97ce0f", "https://app.threat.zone/submission/12b7b619-0e5a-4996-9bb5-493ef98f2803/url-analysis-report", "https://pulsedive.com/indicator/?iid=68381634", "https://www.virustotal.com/gui/url/bc0fe9233e19654c54cc439e9f3e06491556867cde40e25c8589dbee265f3f2f/details", "https://urlquery.net/report/ae80c540-8c9b-48e4-a6e1-b18cb4426dbf", "https://tria.ge/250807-vg754scn6t/behavioral1 - 08.07.25", "https://report.netcraft.com/submission/OAoeOZfDFap5UPDTF52Uy5Q754Z5Fctm?tab=urls", "https://matomo.org https://matomo.www.gov.pl/analytics/js/container_68lYTZ79.js", "https://www.virustotal.com/gui/collection/78cac7a60cb9ea18ed98d5529491d4351d031634dfe7de0088a3054fba1e53be/iocs", "https://hybrid-analysis.com/sample/c801e05a1ee3423572349377ea9bdc3846b62e949611679e81c3d6cddcde77e5/67dde11e816206bd720dc9a0", "https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js", "https://hybrid-analysis.com/sample/c4d970dc246c99371f246d342b15000e7bd3e59b3137293b43521b9fd9feff72/63b573f01bdd5b518e665082", "https://www.virustotal.com/graph/embed/g4928995ad74946e184fceac08d1c9ec4b891ca72d6c84eb08fc776c915c99e60?theme=dark", "https://www.virustotal.com/gui/collection/78cac7a60cb9ea18ed98d5529491d4351d031634dfe7de0088a3054fba1e53be/summary" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri" ], "malware_families": [ "Cobalt strike" ], "industries": [ "Education", "Government", "Technology", "Healthcare", "Telecommunications" ], "unique_indicators": 60806 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/github.com", "whois": "http://whois.domaintools.com/github.com", "domain": "github.com", "hostname": "api.github.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 17, "pulses": [ { "id": "6a0dad06d8bb37ada19229bc", "name": "Credit:Q.Vashti [Exposing_Malware_in20_Linnux] - clone >post today had related items", "description": "", "modified": "2026-05-20T12:45:58.360000", "created": "2026-05-20T12:45:58.360000", "tags": [ "ipv4", "url http", "expiration", "url https", "eid1338769034", "united", "unknown ns", "present jun", "unknown cname", "name servers", "search", "servers", "showing", "ip address", "creation date", "date", "encrypt", "sha256", "submitted", "passive dns", "urls", "address", "xmpg", "malware", "span", "extgstate", "bbox", "subtypeform", "rlength", "resource", "rfit", "pattern match", "path", "code", "cobalt strike", "false", "cloud", "core", "footer", "meta", "black", "ransomware", "r980", "facebook", "discord", "stream", "form", "contact", "story", "february", "rats", "stack", "defense", "launcher", "trace", "august", "hellokitty", "twitter", "upgrade", "android", "decryptor", "green", "enterprise", "team", "small", "systemd", "service", "python", "shell", "reload", "find", "haiduc", "hybrid", "general", "suspicious", "click", "strings", "iframe", "loader", "tools", "template", "daily", "hypervisor", "capture", "stars", "download", "copy", "cobaltstrike", "install", "madcap", "protect", "shift", "beyond", "leverage", "agent", "info", "xmrig", "attack", "demonbot", "multi", "live", "grep", "pass", "ri falsek", "process", "xobject", "format", "june", "crypto", "close", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "apis", "found" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": "684690d6dc730b0842d341a7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 48, "FileHash-SHA256": 67, "domain": 173, "hostname": 110, "URL": 429, "email": 10 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0dacb22ae45efab0266fc2", "name": "Credit:Q.Vashti [Exposing_Malware_in20_Linnux] - clone >post today had related items", "description": "", "modified": "2026-05-20T12:44:34.775000", "created": "2026-05-20T12:44:34.775000", "tags": [ "ipv4", "url http", "expiration", "url https", "eid1338769034", "united", "unknown ns", "present jun", "unknown cname", "name servers", "search", "servers", "showing", "ip address", "creation date", "date", "encrypt", "sha256", "submitted", "passive dns", "urls", "address", "xmpg", "malware", "span", "extgstate", "bbox", "subtypeform", "rlength", "resource", "rfit", "pattern match", "path", "code", "cobalt strike", "false", "cloud", "core", "footer", "meta", "black", "ransomware", "r980", "facebook", "discord", "stream", "form", "contact", "story", "february", "rats", "stack", "defense", "launcher", "trace", "august", "hellokitty", "twitter", "upgrade", "android", "decryptor", "green", "enterprise", "team", "small", "systemd", "service", "python", "shell", "reload", "find", "haiduc", "hybrid", "general", "suspicious", "click", "strings", "iframe", "loader", "tools", "template", "daily", "hypervisor", "capture", "stars", "download", "copy", "cobaltstrike", "install", "madcap", "protect", "shift", "beyond", "leverage", "agent", "info", "xmrig", "attack", "demonbot", "multi", "live", "grep", "pass", "ri falsek", "process", "xobject", "format", "june", "crypto", "close", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "apis", "found" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": "684690d6dc730b0842d341a7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 48, "FileHash-SHA256": 67, "domain": 173, "hostname": 110, "URL": 429, "email": 10 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0dacb2971f3103a0dddbcc", "name": "Credit:Q.Vashti [Exposing_Malware_in20_Linnux] - clone >post today had related items", "description": "", "modified": "2026-05-20T12:44:34.547000", "created": "2026-05-20T12:44:34.547000", "tags": [ "ipv4", "url http", "expiration", "url https", "eid1338769034", "united", "unknown ns", "present jun", "unknown cname", "name servers", "search", "servers", "showing", "ip address", "creation date", "date", "encrypt", "sha256", "submitted", "passive dns", "urls", "address", "xmpg", "malware", "span", "extgstate", "bbox", "subtypeform", "rlength", "resource", "rfit", "pattern match", "path", "code", "cobalt strike", "false", "cloud", "core", "footer", "meta", "black", "ransomware", "r980", "facebook", "discord", "stream", "form", "contact", "story", "february", "rats", "stack", "defense", "launcher", "trace", "august", "hellokitty", "twitter", "upgrade", "android", "decryptor", "green", "enterprise", "team", "small", "systemd", "service", "python", "shell", "reload", "find", "haiduc", "hybrid", "general", "suspicious", "click", "strings", "iframe", "loader", "tools", "template", "daily", "hypervisor", "capture", "stars", "download", "copy", "cobaltstrike", "install", "madcap", "protect", "shift", "beyond", "leverage", "agent", "info", "xmrig", "attack", "demonbot", "multi", "live", "grep", "pass", "ri falsek", "process", "xobject", "format", "june", "crypto", "close", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "apis", "found" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": "684690d6dc730b0842d341a7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 48, "FileHash-SHA256": 67, "domain": 173, "hostname": 110, "URL": 429, "email": 10 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ca67e6fcf22ecf04cdc133", "name": "CAPE Sandbox", "description": "0a32d6abea15f3bfe2a74763ba6c4ef5\nSHA1\td0a0ba4207f5432aad98b4a95b026000ed2cbd7c\nSHA256\tecbeaa13921dbad8028d29534c3878503f45a82a09cf27857fa4335bd1c9286d [VT] [MWDB] [Bazaar]\nSHA3-384\tef79fc72829f68826daed047da58341c5881407899b12a270156ddec9a5f6f9adf1837c00caac0f3361fb06efcf6540f\nCRC32\t28718AD3\nTLSH\tT14DA52212B6851CF9EC1791BDC3515A55EAB378820B31EEEF039481362F236E27E39B15\nSsdeep\t49152:CXpR7NUIWY4kBvOlmNaxoVAiWAYt7zCEzlAt2auIZuJ5bg/:SVh4kwM6oVABVh3Iq8\nYara\t\nvmdetect - Possibly employs anti-virtualization techniques - Author: nex", "modified": "2026-04-29T12:19:08.447000", "created": "2026-03-30T12:09:10.134000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 16, "FileHash-SHA1": 19, "FileHash-SHA256": 22, "URL": 38, "domain": 9, "hostname": 46 }, "indicator_count": 150, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bbb5859a562c3df21f4c2b", "name": "CAPE Sandbox", "description": "#floppydisk.", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T08:36:21.814000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 129, "FileHash-SHA1": 124, "FileHash-SHA256": 500, "hostname": 68, "URL": 37, "domain": 4 }, "indicator_count": 862, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6941e87912ebb7843300906d", "name": "Telus Github", "description": "Telus has a Github. They are one of Canada's 'big 3' ISPs. They are compromised.", "modified": "2026-01-15T23:03:27.378000", "created": "2025-12-16T23:17:13.020000", "tags": [ "type", "path", "secure", "date", "accept", "self", "httponly", "samesitelax", "expireswed", "updated", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "prefetch8 ansi", "ansi", "show process", "hash seen", "threat level", "pcap", "sha256", "pcap processing", "ck id", "suspicious", "hybrid", "comspec", "close", "click", "hosts", "general", "model", "strings", "contact", "hybrid analysis", "api key", "vetting process", "please note", "please", "virus", "ransomware", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "javascript", "static analyzer", "analyzer" ], "references": [ "http://hybrid-analysis.com/sample/f62e99ffe34a3f0c186ac31d151d22dd940884f79bbaafcc6061a2a9387f45a8/6941e0586df20223a505d490", "http://hybrid-analysis.com/sample/f62e99ffe34a3f0c186ac31d151d22dd940884f79bbaafcc6061a2a9387f45a8", "https://www.filescan.io/uploads/6941e02584afa5547b586bac/reports/a23ea43a-ad21-4306-9f47-1a8deaa129c0/ioc", "https://www.virustotal.com/gui/collection/5967f31c865dce02efd16cebad1e75bd838298965361912987dd932a513f9212/iocs", "https://www.virustotal.com/gui/collection/5967f31c865dce02efd16cebad1e75bd838298965361912987dd932a513f9212/summary", "https://app.threat.zone/submission/12b7b619-0e5a-4996-9bb5-493ef98f2803/url-analysis-report" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [ "Telecommunications", "Technology", "Healthcare", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 32, "FileHash-SHA1": 31, "FileHash-SHA256": 31, "SSLCertFingerprint": 11, "URL": 197, "domain": 27, "email": 2, "hostname": 101 }, "indicator_count": 432, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "135 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660afeb0c9812049de87dec1", "name": "hxxps://github[.]com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "description": "hxxps://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit\n\nSomething I figured worth looking into - present on several University of Alberta documents on devices sampled from several labs\n\nIOCs (04.01.24): parsed using IOC parser on IOCs (behavioral) derived from: Tri.age Analysis: https://tria.ge/240401-v8bafsaf71/behavioral1 and Hybrid Analysis: http://www.hybrid-analysis.com/sample/e1a88d17a7c013cf623d01c2105e6233e2debb67a9c3fd0eb73b286091c82917/660af3e16e24fdbb100e03d9\n-IOCs submitted to URLscan.io\nUpdate: 09.27.24 -> Present in a word document on Uni Computers (All)", "modified": "2025-09-06T17:02:07.070000", "created": "2024-04-01T18:36:32.583000", "tags": [ "please", "javascript", "triage", "malware", "analysis", "report", "reported", "analyze", "sandbox", "download submit", "sha256", "sha1", "sha512", "prefetch1", "iocs", "suspicious use", "prefetch8", "ck v13", "monitor", "general", "config", "copy", "target", "score", "entity", "domain", "ipv6", "mitreatt", "macaddress", "filename" ], "references": [ "https://www.virustotal.com/gui/collection/78cac7a60cb9ea18ed98d5529491d4351d031634dfe7de0088a3054fba1e53be/iocs", "https://tria.ge/240401-v8bafsaf71/behavioral1", "https://www.virustotal.com/gui/collection/78cac7a60cb9ea18ed98d5529491d4351d031634dfe7de0088a3054fba1e53be/summary", "https://www.virustotal.com/graph/embed/g0e28b9d656774e73b987b563164f4c51556d897677ed4a78920d44a0715390e6?theme=dark", "http://www.hybrid-analysis.com/sample/e1a88d17a7c013cf623d01c2105e6233e2debb67a9c3fd0eb73b286091c82917/660af3e16e24fdbb100e03d9", "https://viz.greynoise.io/tags/georgia-tech-research-scanner?days=10", "https://www.virustotal.com/graph/embed/g4928995ad74946e184fceac08d1c9ec4b891ca72d6c84eb08fc776c915c99e60?theme=dark", "https://www.filescan.io/uploads/66f6fe25f71b9c224c13bdf7/reports/b95801f7-d70e-4cc6-b967-b1cc8ad56fc9/overview", "https://tria.ge/250807-vg754scn6t/behavioral1 - 08.07.25", "https://app.any.run/tasks/53605645-2825-4d09-95ff-183a59b25518 - 08.07.25" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Education", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 103, "FileHash-SHA1": 105, "FileHash-SHA256": 495, "URL": 613, "hostname": 109, "CVE": 4, "domain": 122, "email": 10 }, "indicator_count": 1561, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "266 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67df904daf96180003ff1e14", "name": "hxxps://github[.]com/Cn33liz/p0wnedShell - 07.15.25 (Un-Enriched)", "description": "Yara Rules Triggered:\n\n9b0e9dce190e3dcf83b697ba2a08c9031aa2de00a6d3a3db9c86e2a8b4bc7bc0\np0wnedShell\n\nMatches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL at https://github.com/InQuest/yara-rules-vt by InQuest Labs\nThis signature fires on the presence of Base64 encoded URI prefixes (http:// and https://) across any file. The simple presence of such strings is not inherently an indicator of malicious content, but is worth further investigation. - a moment ago\n View Ruleset\nMatches rule Hacktool_Strings_p0wnedShell from ruleset gen_p0wnshell at https://github.com/Neo23x0/signature-base by Florian Roth\nDetects strings found in Runspace Post Exploitation Toolkit - a moment ago\nMatches rule p0wnedPotato from ruleset gen_p0wnshell at https://github.com/Neo23x0/signature-base by Florian Roth (Nextron Systems)\np0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs - a moment ago", "modified": "2025-08-16T05:00:22.327000", "created": "2025-03-23T04:38:37.512000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "prefetch8 ansi", "date", "threat level", "show process", "sha256", "hash seen", "pcap processing", "command decode", "pcap", "suspicious", "hybrid", "comspec", "close", "click", "hosts", "general", "path", "model", "strings", "contact", "threat intelligence", "feed", "ioc", "change theme", "contact us", "intelligence", "threats api", "analyze api", "overview", "threats explore", "rate limits", "stixtaxii", "bulk export", "please", "javascript", "virus", "ransomware", "static", "indicator of compromise", "extraction", "emulation", "platform", "entity", "report phishing", "suspicious urls", "error", "sorry" ], "references": [ "https://hybrid-analysis.com/sample/c801e05a1ee3423572349377ea9bdc3846b62e949611679e81c3d6cddcde77e5/67dde11e816206bd720dc9a0", "https://pulsedive.com/indicator/?iid=68355616", "https://www.virustotal.com/gui/url/bc0fe9233e19654c54cc439e9f3e06491556867cde40e25c8589dbee265f3f2f/details", "https://www.filescan.io/uploads/67df8925a175d31773454fd7/reports/d000025d-8403-4b03-8f76-a3b74d9b821f/overview", "https://www.virustotal.com/graph/embed/ga577e541c45f4ef3b8c2ee0e464a4264caf5439148f941db8c2615f1b83baebe?theme=dark", "https://www.virustotal.com/gui/collection/f5259d2e7f82856773d9a0867206fe5b571627740209eb72652fd2c04b099a16", "https://www.virustotal.com/gui/collection/f5259d2e7f82856773d9a0867206fe5b571627740209eb72652fd2c04b099a16/iocs", "https://report.netcraft.com/submission/OAoeOZfDFap5UPDTF52Uy5Q754Z5Fctm?tab=urls", "https://app.threat.zone/submission/ef652ac5-bc19-43e4-a603-e2d2ccae55ff/static-scan-report/strings", "https://www.filescan.io/uploads/685b8c3dcf2af157111779ff/reports/69c49cb3-aef0-4a32-b382-6b38ec8187d0/overview", "https://app.any.run/tasks/2f11fff7-a2bc-4744-af91-279753100630", "https://app.threat.zone/submission/2514e91a-4ad4-4c54-bee3-276c86dcc970/overview", "https://polyswarm.network/scan/results/url/bc0fe9233e19654c54cc439e9f3e06491556867cde40e25c8589dbee265f3f2f", "https://tria.ge/250717-f744tavxcy/behavioral1" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Education", "Technology", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 219, "FileHash-SHA1": 203, "FileHash-SHA256": 530, "SSLCertFingerprint": 10, "email": 3, "hostname": 76, "URL": 164, "domain": 153 }, "indicator_count": 1358, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "288 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684690d6dc730b0842d341a7", "name": "Exposing_Malware_in20Linux-Based_Multi-Cloud_Environments_R1Final.pdf", "description": "Falcon Sandbox: \nRansomware/Banking\nDetected indicator that file is ransomware\ndetails\n\"5 | Exposing Malware in Linux-Based Multi-Cloud Environments Ransomware and cryptominers Ransomware The impact of a ransomware attack can range from being a nuisance (e.g., having to restore data from backups and clean up the network) to being devastating (e.g., having to pay large sums of money to regain access to key assets). Unfortunately, when talking about cloud environments, the results tend to be more on the devastating side. Recently, cybercriminals have started calculating the damage they might cause to the valuation of a company going through a financial event to make the potential impact of their attack clear and incentivize ransom payments.5 At the same time, they\\x2122ve been honing their tactics with increasingly sophisticated techniques to target victim organizations\u2026more: https://www.hybrid-analysis.com/sample/92c1ca86f4d025e72acb94ae3cbdd3c6435aaa1b5e3fc3dcb06f8501b5dd3bb7/62e7fdd19a99ce4fa32e6d64", "modified": "2025-07-09T07:03:10.726000", "created": "2025-06-09T07:44:22.507000", "tags": [ "ipv4", "url http", "expiration", "url https", "eid1338769034", "united", "unknown ns", "present jun", "unknown cname", "name servers", "search", "servers", "showing", "ip address", "creation date", "date", "encrypt", "sha256", "submitted", "passive dns", "urls", "address", "xmpg", "malware", "span", "extgstate", "bbox", "subtypeform", "rlength", "resource", "rfit", "pattern match", "path", "code", "cobalt strike", "false", "cloud", "core", "footer", "meta", "black", "ransomware", "r980", "facebook", "discord", "stream", "form", "contact", "story", "february", "rats", "stack", "defense", "launcher", "trace", "august", "hellokitty", "twitter", "upgrade", "android", "decryptor", "green", "enterprise", "team", "small", "systemd", "service", "python", "shell", "reload", "find", "haiduc", "hybrid", "general", "suspicious", "click", "strings", "iframe", "loader", "tools", "template", "daily", "hypervisor", "capture", "stars", "download", "copy", "cobaltstrike", "install", "madcap", "protect", "shift", "beyond", "leverage", "agent", "info", "xmrig", "attack", "demonbot", "multi", "live", "grep", "pass", "ri falsek", "process", "xobject", "format", "june", "crypto", "close", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "apis", "found" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 48, "FileHash-SHA256": 67, "domain": 173, "hostname": 110, "URL": 429, "email": 10 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "326 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684225925f1a076ce3039b55", "name": "hxxps://github[.]com/CocoaPods - 06.05.25", "description": "Github CocoaPods", "modified": "2025-07-05T23:04:57.997000", "created": "2025-06-05T23:17:38.255000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "prefetch8 ansi", "ansi", "date", "threat level", "show process", "sha256", "hash seen", "pcap", "pcap processing", "command decode", "suspicious", "hybrid", "comspec", "close", "click", "hosts", "june", "general", "path", "model", "strings", "contact", "community", "results", "switch", "inquest labs", "resources api", "notes supported", "cve list", "drop your", "file", "service", "virus", "ransomware", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "please", "javascript", "url", "scanner", "reputation", "phishing", "fastly", "accept", "sectigo limited", "gmt file", "windows nt", "win64", "http2", "url get", "fingerprint", "ascii text", "write" ], "references": [ "https://www.hybrid-analysis.com/sample/2df0978d569e55b6c2176959734d9a6a776eab8c11e2742d7b0cde7a7fb72011/68422003376961f119095141", "https://metadefender.com/results/url/aHR0cHM6Ly9naXRodWIuY29tL0NvY29hUG9kcw==", "https://www.filescan.io/uploads/68421f7dfd02ed5e059acb43/reports/6eb07c34-b325-4107-8652-fe9503ca076e/overview", "https://www.virustotal.com/gui/file/9054fc526befddddb30e9df6dade3c405327951f2cd2add9cb27effd4e64ebc7?nocache=1", "https://urlquery.net/report/ae80c540-8c9b-48e4-a6e1-b18cb4426dbf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 182, "FileHash-SHA1": 267, "FileHash-SHA256": 187, "SSLCertFingerprint": 12, "URL": 297, "email": 4, "hostname": 80, "domain": 13 }, "indicator_count": 1042, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "329 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://api.github.com/_private/browser/stats", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://api.github.com/_private/browser/stats", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780223537.036641 }