{ "type": "URL", "indicator": "https://api.stripe.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://api.stripe.com", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #1067", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain stripe.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain stripe.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2806566308, "indicator": "https://api.stripe.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "6a1bbf37e377ccaa110200e0", "name": "VirusTotal report\n for Papers_Please_APK_1_4_12.apk", "description": "[domain named \"homedepot.com\" has been banned by the internet service provider, Akama.net, for violating its rules on server transfer and deletion.. and the use of these terms.] #barcodes", "modified": "2026-05-31T05:26:32.684000", "created": "2026-05-31T04:55:19.811000", "tags": [ "as16625 akamai", "united", "as20940", "whitelisted", "united kingdom", "status", "servers", "a span", "name servers", "as3491 pccw", "date", "meta", "service", "path", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "server", "registrar", "csc corporate", "domains", "ferry road", "thumbprint", "algorithm", "full name", "v3 serial", "number", "issuer", "cus cndigicert", "ecc extended", "ca odigicert", "validity", "latlanta othe", "has permission", "file type", "sim provider", "mccmnc", "mobile", "iso country", "found", "t1417 input", "attack network", "info dropped", "loads", "persistence", "defense evasion", "malicious", "status valid", "issuer apple", "valid from", "valid", "serial number", "smv text", "ascii text", "cname", "key identifier", "x509v3 subject", "cus odigicert", "inc cndigicert", "global g3", "tls ecc", "organization", "dnssec", "domain name", "us registrant", "email", "contact", "macintosh disk", "image", "apple driver", "barcodes", "past barcode history 2023" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/64f04c6372d51323b3e9f6bdabf6f527513cbadf768b6e8a5301c1de1b168600_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1780202779&Signature=ZMlo%2Fyn5T4vPFNHF3XHVPIg82DVy8Q8bOKosyfxCm%2B0GKl64XZeMnYCqVW%2FZBPyZoGNk5dDbl6%2BDs0d76HzIX2YfSzuXsthugznxtiIV8X6rCxyXfC8q%2BTDTeEghlkBpNqLlmIBTljL%2BLG4nD7QUe5K%2F4%2Bhyg%2F7loJbK9LG2iybJRVImxSY7rB4HfbiDpjIav6y9%2BoTwehrf5FMM8D2DtgeoRL%2BMkzDYzyDS%2" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Taiwan", "Korea, Republic of" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1417", "name": "Input Capture", "display_name": "T1417 - Input Capture" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 516, "URL": 285, "domain": 31, "email": 4, "hostname": 128, "FileHash-MD5": 6, "FileHash-SHA1": 19, "FileHash-SHA256": 16, "Mutex": 1 }, "indicator_count": 1006, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1bbf3891b8d5e7f5fda895", "name": "VirusTotal report\n for Papers_Please_APK_1_4_12.apk", "description": "[domain named \"homedepot.com\" has been banned by the internet service provider, Akama.net, for violating its rules on server transfer and deletion.. and the use of these terms.] #barcodes", "modified": "2026-05-31T05:26:32.273000", "created": "2026-05-31T04:55:20.446000", "tags": [ "as16625 akamai", "united", "as20940", "whitelisted", "united kingdom", "status", "servers", "a span", "name servers", "as3491 pccw", "date", "meta", "service", "path", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "server", "registrar", "csc corporate", "domains", "ferry road", "thumbprint", "algorithm", "full name", "v3 serial", "number", "issuer", "cus cndigicert", "ecc extended", "ca odigicert", "validity", "latlanta othe", "has permission", "file type", "sim provider", "mccmnc", "mobile", "iso country", "found", "t1417 input", "attack network", "info dropped", "loads", "persistence", "defense evasion", "malicious", "status valid", "issuer apple", "valid from", "valid", "serial number", "smv text", "ascii text", "cname", "key identifier", "x509v3 subject", "cus odigicert", "inc cndigicert", "global g3", "tls ecc", "organization", "dnssec", "domain name", "us registrant", "email", "contact", "macintosh disk", "image", "apple driver", "barcodes", "past barcode history 2023" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/64f04c6372d51323b3e9f6bdabf6f527513cbadf768b6e8a5301c1de1b168600_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1780202779&Signature=ZMlo%2Fyn5T4vPFNHF3XHVPIg82DVy8Q8bOKosyfxCm%2B0GKl64XZeMnYCqVW%2FZBPyZoGNk5dDbl6%2BDs0d76HzIX2YfSzuXsthugznxtiIV8X6rCxyXfC8q%2BTDTeEghlkBpNqLlmIBTljL%2BLG4nD7QUe5K%2F4%2Bhyg%2F7loJbK9LG2iybJRVImxSY7rB4HfbiDpjIav6y9%2BoTwehrf5FMM8D2DtgeoRL%2BMkzDYzyDS%2" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Taiwan", "Korea, Republic of" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1417", "name": "Input Capture", "display_name": "T1417 - Input Capture" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 516, "URL": 285, "domain": 31, "email": 4, "hostname": 128, "FileHash-MD5": 6, "FileHash-SHA1": 19, "FileHash-SHA256": 16, "Mutex": 1 }, "indicator_count": 1006, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689af6a1704fa2745bc8c2a3", "name": "Hijacked Twitter / X.com account. Phishing | Abnormal use", "description": "Hijacked phishing Twitter/ X.com.\nWin32/Unruy.C Activity\n#phishing #hijacked #intercoms #unruy #trojan #VTflood #malware #attack", "modified": "2025-09-11T08:02:36.759000", "created": "2025-08-12T08:09:05.642000", "tags": [ "log id", "gmtn", "secure", "tls web", "passive dns", "urls", "path", "self", "encrypt", "ca issuers", "false", "search", "read c", "united", "entries", "show", "showing", "msie", "windows nt", "wow64", "slcc2", "copy", "write", "suspicious", "malware", "unknown", "process32nextw", "shellexecuteexw", "medium process", "discovery t1057", "t1057", "discovery", "medium", "locally unique", "identifier", "veailmboprd", "next associated", "ipv4 add", "pulse pulses", "files", "asn as13335", "dns resolutions", "domains top", "smoke loader", "trojan", "body", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "show process", "programfiles", "command decode", "flag", "suricata ipv4", "mitre att", "show technique", "ck matrix", "date", "comspec", "model", "twitter", "august", "hybrid", "general", "click", "strings" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1504, "FileHash-SHA256": 1232, "SSLCertFingerprint": 14, "domain": 245, "hostname": 526, "FileHash-MD5": 43, "FileHash-SHA1": 38 }, "indicator_count": 3602, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "263 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68451577ada8bb0aa0834edb", "name": "X - Business Social Media Account used to attack victim", "description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.", "modified": "2025-07-08T04:03:04.386000", "created": "2025-06-08T04:45:43.423000", "tags": [ "trojan", "ids detections", "yara detections", "alerts", "analysis date", "file score", "upxoepplace", "pulses none", "related tags", "none file", "markus", "april", "win32", "copy", "usvwu", "usvw", "high", "medium", "show", "uss c", "binary file", "yara", "write", "delphi", "enigma", "present mar", "aaaa", "united", "passive dns", "date", "present nov", "moved", "urls", "creation date", "entries", "body", "trojandropper", "susp", "msr jul", "next associated", "pulse pulses", "mtb jun", "backdoor", "content length", "html document", "ascii text", "search", "internalname", "entries pe", "showing", "filehash", "md5 add", "av detections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "encrypt", "june", "hybrid", "local", "path", "click", "twitter", "strings", "url https", "url http", "report spam", "created", "hours ago", "bad actor", "ck ids", "t1057", "discovery", "t1071", "amer", "ipv4", "indicator role", "title added", "active related", "pulses", "china", "hong kong", "russia", "type indicator", "role title", "added active", "related pulses", "pulses url", "filehashsha256", "url add", "http", "ip address", "related nids", "files location", "flag united", "domain", "hostname", "next", "filehashmd5", "protocol", "t1105", "tool transfer", "t1480" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 637, "FileHash-SHA1": 639, "FileHash-SHA256": 5380, "domain": 676, "hostname": 1120, "URL": 1031, "SSLCertFingerprint": 4 }, "indicator_count": 9487, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "328 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6843fe89793d0ef8e2afc34d", "name": "Deleted SocialMedia", "description": "Bad Actor Deleted SocialMedia account found in breach forum.", "modified": "2025-07-07T08:03:42.325000", "created": "2025-06-07T08:55:37.612000", "tags": [ "body", "secure", "self", "path", "date sat", "gmt contenttype", "connection", "accept", "gmt pragma", "deny", "maxage34214400", "learn", "spawns", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "ssl certificate", "found", "copy sha256", "copy md5", "copy sha1", "sha1", "sha256", "size", "type data", "ascii text", "pattern match", "mitre att", "show technique", "ck matrix", "file", "indicator", "show process", "encrypt", "june", "hybrid", "local" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1628, "domain": 58, "URL": 390, "hostname": 204, "FileHash-MD5": 84, "FileHash-SHA1": 88, "SSLCertFingerprint": 4 }, "indicator_count": 2456, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "329 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "681386d75c34469176686756", "name": "x.com/KulinskiArkadi", "description": "", "modified": "2025-05-31T14:01:10.044000", "created": "2025-05-01T14:36:07.422000", "tags": [ "script", "etag", "sharing", "cors", "mediatype", "mediasubtype", "contenttype", "header", "combination", "compression", "encrypt", "cookie", "critical", "twitter", "iframe", "insert", "info", "error", "suspicious", "find", "screen", "grok", "body" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 471, "CIDR": 34, "FileHash-MD5": 9, "FileHash-SHA1": 5, "FileHash-SHA256": 1177, "domain": 214, "hostname": 430, "email": 2 }, "indicator_count": 2342, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "365 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/64f04c6372d51323b3e9f6bdabf6f527513cbadf768b6e8a5301c1de1b168600_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1780202779&Signature=ZMlo%2Fyn5T4vPFNHF3XHVPIg82DVy8Q8bOKosyfxCm%2B0GKl64XZeMnYCqVW%2FZBPyZoGNk5dDbl6%2BDs0d76HzIX2YfSzuXsthugznxtiIV8X6rCxyXfC8q%2BTDTeEghlkBpNqLlmIBTljL%2BLG4nD7QUe5K%2F4%2Bhyg%2F7loJbK9LG2iybJRVImxSY7rB4HfbiDpjIav6y9%2BoTwehrf5FMM8D2DtgeoRL%2BMkzDYzyDS%2" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 15860 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/stripe.com", "whois": "http://whois.domaintools.com/stripe.com", "domain": "stripe.com", "hostname": "api.stripe.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "6a1bbf37e377ccaa110200e0", "name": "VirusTotal report\n for Papers_Please_APK_1_4_12.apk", "description": "[domain named \"homedepot.com\" has been banned by the internet service provider, Akama.net, for violating its rules on server transfer and deletion.. and the use of these terms.] #barcodes", "modified": "2026-05-31T05:26:32.684000", "created": "2026-05-31T04:55:19.811000", "tags": [ "as16625 akamai", "united", "as20940", "whitelisted", "united kingdom", "status", "servers", "a span", "name servers", "as3491 pccw", "date", "meta", "service", "path", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "server", "registrar", "csc corporate", "domains", "ferry road", "thumbprint", "algorithm", "full name", "v3 serial", "number", "issuer", "cus cndigicert", "ecc extended", "ca odigicert", "validity", "latlanta othe", "has permission", "file type", "sim provider", "mccmnc", "mobile", "iso country", "found", "t1417 input", "attack network", "info dropped", "loads", "persistence", "defense evasion", "malicious", "status valid", "issuer apple", "valid from", "valid", "serial number", "smv text", "ascii text", "cname", "key identifier", "x509v3 subject", "cus odigicert", "inc cndigicert", "global g3", "tls ecc", "organization", "dnssec", "domain name", "us registrant", "email", "contact", "macintosh disk", "image", "apple driver", "barcodes", "past barcode history 2023" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/64f04c6372d51323b3e9f6bdabf6f527513cbadf768b6e8a5301c1de1b168600_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1780202779&Signature=ZMlo%2Fyn5T4vPFNHF3XHVPIg82DVy8Q8bOKosyfxCm%2B0GKl64XZeMnYCqVW%2FZBPyZoGNk5dDbl6%2BDs0d76HzIX2YfSzuXsthugznxtiIV8X6rCxyXfC8q%2BTDTeEghlkBpNqLlmIBTljL%2BLG4nD7QUe5K%2F4%2Bhyg%2F7loJbK9LG2iybJRVImxSY7rB4HfbiDpjIav6y9%2BoTwehrf5FMM8D2DtgeoRL%2BMkzDYzyDS%2" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Taiwan", "Korea, Republic of" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1417", "name": "Input Capture", "display_name": "T1417 - Input Capture" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 516, "URL": 285, "domain": 31, "email": 4, "hostname": 128, "FileHash-MD5": 6, "FileHash-SHA1": 19, "FileHash-SHA256": 16, "Mutex": 1 }, "indicator_count": 1006, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1bbf3891b8d5e7f5fda895", "name": "VirusTotal report\n for Papers_Please_APK_1_4_12.apk", "description": "[domain named \"homedepot.com\" has been banned by the internet service provider, Akama.net, for violating its rules on server transfer and deletion.. and the use of these terms.] #barcodes", "modified": "2026-05-31T05:26:32.273000", "created": "2026-05-31T04:55:20.446000", "tags": [ "as16625 akamai", "united", "as20940", "whitelisted", "united kingdom", "status", "servers", "a span", "name servers", "as3491 pccw", "date", "meta", "service", "path", "registrar abuse", "iana id", "contact phone", "domain status", "registrar url", "registrar whois", "server", "registrar", "csc corporate", "domains", "ferry road", "thumbprint", "algorithm", "full name", "v3 serial", "number", "issuer", "cus cndigicert", "ecc extended", "ca odigicert", "validity", "latlanta othe", "has permission", "file type", "sim provider", "mccmnc", "mobile", "iso country", "found", "t1417 input", "attack network", "info dropped", "loads", "persistence", "defense evasion", "malicious", "status valid", "issuer apple", "valid from", "valid", "serial number", "smv text", "ascii text", "cname", "key identifier", "x509v3 subject", "cus odigicert", "inc cndigicert", "global g3", "tls ecc", "organization", "dnssec", "domain name", "us registrant", "email", "contact", "macintosh disk", "image", "apple driver", "barcodes", "past barcode history 2023" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/64f04c6372d51323b3e9f6bdabf6f527513cbadf768b6e8a5301c1de1b168600_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1780202779&Signature=ZMlo%2Fyn5T4vPFNHF3XHVPIg82DVy8Q8bOKosyfxCm%2B0GKl64XZeMnYCqVW%2FZBPyZoGNk5dDbl6%2BDs0d76HzIX2YfSzuXsthugznxtiIV8X6rCxyXfC8q%2BTDTeEghlkBpNqLlmIBTljL%2BLG4nD7QUe5K%2F4%2Bhyg%2F7loJbK9LG2iybJRVImxSY7rB4HfbiDpjIav6y9%2BoTwehrf5FMM8D2DtgeoRL%2BMkzDYzyDS%2" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Taiwan", "Korea, Republic of" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1417", "name": "Input Capture", "display_name": "T1417 - Input Capture" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 516, "URL": 285, "domain": 31, "email": 4, "hostname": 128, "FileHash-MD5": 6, "FileHash-SHA1": 19, "FileHash-SHA256": 16, "Mutex": 1 }, "indicator_count": 1006, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689af6a1704fa2745bc8c2a3", "name": "Hijacked Twitter / X.com account. Phishing | Abnormal use", "description": "Hijacked phishing Twitter/ X.com.\nWin32/Unruy.C Activity\n#phishing #hijacked #intercoms #unruy #trojan #VTflood #malware #attack", "modified": "2025-09-11T08:02:36.759000", "created": "2025-08-12T08:09:05.642000", "tags": [ "log id", "gmtn", "secure", "tls web", "passive dns", "urls", "path", "self", "encrypt", "ca issuers", "false", "search", "read c", "united", "entries", "show", "showing", "msie", "windows nt", "wow64", "slcc2", "copy", "write", "suspicious", "malware", "unknown", "process32nextw", "shellexecuteexw", "medium process", "discovery t1057", "t1057", "discovery", "medium", "locally unique", "identifier", "veailmboprd", "next associated", "ipv4 add", "pulse pulses", "files", "asn as13335", "dns resolutions", "domains top", "smoke loader", "trojan", "body", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "show process", "programfiles", "command decode", "flag", "suricata ipv4", "mitre att", "show technique", "ck matrix", "date", "comspec", "model", "twitter", "august", "hybrid", "general", "click", "strings" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1504, "FileHash-SHA256": 1232, "SSLCertFingerprint": 14, "domain": 245, "hostname": 526, "FileHash-MD5": 43, "FileHash-SHA1": 38 }, "indicator_count": 3602, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "263 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68451577ada8bb0aa0834edb", "name": "X - Business Social Media Account used to attack victim", "description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.", "modified": "2025-07-08T04:03:04.386000", "created": "2025-06-08T04:45:43.423000", "tags": [ "trojan", "ids detections", "yara detections", "alerts", "analysis date", "file score", "upxoepplace", "pulses none", "related tags", "none file", "markus", "april", "win32", "copy", "usvwu", "usvw", "high", "medium", "show", "uss c", "binary file", "yara", "write", "delphi", "enigma", "present mar", "aaaa", "united", "passive dns", "date", "present nov", "moved", "urls", "creation date", "entries", "body", "trojandropper", "susp", "msr jul", "next associated", "pulse pulses", "mtb jun", "backdoor", "content length", "html document", "ascii text", "search", "internalname", "entries pe", "showing", "filehash", "md5 add", "av detections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "encrypt", "june", "hybrid", "local", "path", "click", "twitter", "strings", "url https", "url http", "report spam", "created", "hours ago", "bad actor", "ck ids", "t1057", "discovery", "t1071", "amer", "ipv4", "indicator role", "title added", "active related", "pulses", "china", "hong kong", "russia", "type indicator", "role title", "added active", "related pulses", "pulses url", "filehashsha256", "url add", "http", "ip address", "related nids", "files location", "flag united", "domain", "hostname", "next", "filehashmd5", "protocol", "t1105", "tool transfer", "t1480" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 637, "FileHash-SHA1": 639, "FileHash-SHA256": 5380, "domain": 676, "hostname": 1120, "URL": 1031, "SSLCertFingerprint": 4 }, "indicator_count": 9487, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "328 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6843fe89793d0ef8e2afc34d", "name": "Deleted SocialMedia", "description": "Bad Actor Deleted SocialMedia account found in breach forum.", "modified": "2025-07-07T08:03:42.325000", "created": "2025-06-07T08:55:37.612000", "tags": [ "body", "secure", "self", "path", "date sat", "gmt contenttype", "connection", "accept", "gmt pragma", "deny", "maxage34214400", "learn", "spawns", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "ssl certificate", "found", "copy sha256", "copy md5", "copy sha1", "sha1", "sha256", "size", "type data", "ascii text", "pattern match", "mitre att", "show technique", "ck matrix", "file", "indicator", "show process", "encrypt", "june", "hybrid", "local" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1628, "domain": 58, "URL": 390, "hostname": 204, "FileHash-MD5": 84, "FileHash-SHA1": 88, "SSLCertFingerprint": 4 }, "indicator_count": 2456, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "329 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "681386d75c34469176686756", "name": "x.com/KulinskiArkadi", "description": "", "modified": "2025-05-31T14:01:10.044000", "created": "2025-05-01T14:36:07.422000", "tags": [ "script", "etag", "sharing", "cors", "mediatype", "mediasubtype", "contenttype", "header", "combination", "compression", "encrypt", "cookie", "critical", "twitter", "iframe", "insert", "info", "error", "suspicious", "find", "screen", "grok", "body" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 471, "CIDR": 34, "FileHash-MD5": 9, "FileHash-SHA1": 5, "FileHash-SHA256": 1177, "domain": 214, "hostname": 430, "email": 2 }, "indicator_count": 2342, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "365 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://api.stripe.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://api.stripe.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780309040.5353029 }