{ "type": "URL", "indicator": "https://bbstunnel.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://bbstunnel.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3949957723, "indicator": "https://bbstunnel.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "6a056b0ac410b2fb62457071", "name": "Windows Sample of Windows - System32 Clone by disable_duck", "description": "", "modified": "2026-05-14T06:26:18.998000", "created": "2026-05-14T06:26:18.998000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98/summary", "https://www.virustotal.com/graph/embed/gfc33296181c74257ae503130940c083ee0c60fc5174e47118fc38f04ffb09584?theme=dark", "https://www.virustotal.com/ui/file_behaviours/2bc23a995bf4af9ba43ee21bd71c398444dd994b84d8fb7cb94b5429af4e60bf_Zenbox/html", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98/iocs", "https://www.virustotal.com/graph/embed/g8a2d0c1eca164cb0a1844db566d28208e0e5b5e03bfb4377a98265a5c0e47960?theme=dark", "https://www.virustotal.com/graph/embed/g03752e112d454511bb41e53c4ca610371d531e6bfe2444ed9fd093145aef08f0?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724181274&Signature=i8XiiJ%2BdCvj6ByL4c5tRY21ZEXdquVAdSRwC7OrdlnUHP75gU59aV17r7CtZaWH%2B1qhK94T1CSnRScW5Ez3t%2B9eCCNPcgPI2mOl1c1dBBiiIrj3r1rIzlDQyKFTQhaLjOzFcFzCL5OZ8XXk6ppN9iC6N5uEYJWHDOZs7bbsQYPwnmo2iwRhFDDUjSCQMKwOPrF34fDOoqnSlZCfe981ZRIr6HISZTbu1fhFFdpNgPTVw7D3Y384i4b6nkfzjkI8u", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724181174&Signature=XTu5xxPcqMp3JXhCztWWQOwupXutbdzYwP1MwmdMKWErO3M%2FWEjxgmoErtsmQnLlYNIXVLVgervCeRmzfUzT1wiVZpMuHQS7UFndYWF53GNwFdAzDd4kqU%2F09GvKe1Da4wgvN0HHvA4wdRUm6os0N9jjSFRIXKc6ALqq0eHL7LgDtV6fdx1g22MN2RLGfNkkzIpXSuUwD%2BeFPR0osNVszClRiFi5dLJIahlcjYcWeTpd%2FGvBQ2kLcv", "https://www.virustotal.com/graph/embed/gcf877329e4824f7ea96cf4dce8a5fe5f7b0ba40333ae46ba92da9a514c2e006b?theme=dark", "https://www.virustotal.com/graph/embed/g64431c9444084659a4360cb063de46ef275e7f87c38a4da8b67dde4541729147?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724263681&Signature=sRNF3CXtbsizlNdCMDBJqa0Oxx4P3yW1sAZJvHB1xF981vua%2Fxh6EAKeKpwFlRlflCybIOWHPyQC5awq%2BwJslkM%2FLI9Wv5HA4EipG36shGNh5ML2wkco57c9ITd8dKgOti67d9sVy2VQHcLt3o5UBMlOE%2BMhhf4AONsGvftAO7kQsz41rdwT4L%2BnBHntaiIqG6Rz438Lo%2FcyaTFgmNJ5NkbVgnEJvWhqhqGzFhk18O8wZt1Nh4", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724263684&Signature=xXQ9O6EGcEiatL%2FEjaTaOTH9kgTWN7ZCmaIM6wb2vcXjEmSqDd6c9XpfadCYK9uln%2FKAqjzkVCs9reZTrsl8p6w6MDIelJQ%2FdCUTriPH%2F%2FWy3yiRbT6VZGnVk9iNBOxIGDE%2Bz4UPbuLXaler%2B11uCyHouGQJhG1CvoCEC64JpsC89GsV9%2FaOyrduTZK3XJpvrRVMdoRTKEayIYHD59OSeCeLlAde2yETDvIOPoxT6Bp5FO1spfMq7S", "updated 08.21.24: https://www.virustotal.com/graph/embed/g64431c9444084659a4360cb063de46ef275e7f87c38a4da8b67dde4541729147?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/27f74e49d7263156339c0b950fdbd6c98f633254229085814689ba348ea4d85a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724426279&Signature=KWv3ie5iuSeNS%2Flc%2BGXXzfwbqKYxF4lfka5N2gHnA6gYz63eETZ8yzhfO64lV6HacEN9qfuNfVzdltiRLDV8hweWSZHPdZgx%2ByHGwEvpBI6Pk7PvgX8nKdcJso8%2B1iA3hgRF10wNbQKIZP3K%2BOMdzLLHN9JpuSJUVxxHVhORYlokSH6OaM6Yn6qzdNQcGhAH%2B3LXiSJZggxduc%2F2cGsNIj47o%2FCrC3B0GZzIicJar8MJFq" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1542.003", "name": "Bootkit", "display_name": "T1542.003 - Bootkit" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Education", "Government", "Technology", "Healthcare" ], "TLP": "white", "cloned_from": "661858cf6ac4c024886515d7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1329, "FileHash-SHA1": 1302, "FileHash-SHA256": 9051, "domain": 1341, "hostname": 4941, "URL": 1903, "CVE": 3 }, "indicator_count": 19870, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ff110180abb3beb39c04bc", "name": "Microsoft security reporting portal CREATED 2 YEARS AGO MODIFIED 1 YEAR AGO by Arek-BTC [2024 and older]", "description": "", "modified": "2026-05-09T12:20:54.997000", "created": "2026-05-09T10:48:33.286000", "tags": [ "microsoft", "security", "reporting", "portal", "abuse", "privacy", "infringement", "trademark", "trademark infringement", "abuse report", "privacy report", "security report", "security reporting", "abuse reporting", "privacy reporting", "security reporting portal", "abuse reporting portal", "privacy reporting portal", "security reporting form", "abuse reporting form", "privacy reporting form", "security reporting website", "abuse reporting website", "privacy reporting website", "security reporting site", "abuse reporting site", "privacy reporting site", "security reporting page", "abuse reporting page", "privacy reporting page", "security reporting web page", "abuse reporting web page", "privacy reporting web page", "security reporting webform", "abuse reporting webform", "privacy reporting webform", "security reporting web form", "abuse reporting web form", "privacy reporting web form", "javascript" ], "references": [ "https://cert.microsoft.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "66e9c5a4cc3b60c38e6381b8", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 10, "IPv4": 46, "FileHash-SHA256": 1684, "URL": 337, "SSLCertFingerprint": 4, "CIDR": 65, "IPv6": 8, "FileHash-SHA1": 149, "domain": 130, "FileHash-MD5": 169, "hostname": 152, "CVE": 3 }, "indicator_count": 2757, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d0cd9e2c14f8fefd2544b1", "name": "fp2e7a[.]wpc[.]phicdn[.]net", "description": "IOCs pumped into AV related but unclear re: where they sit atm", "modified": "2025-03-04T19:03:08.346000", "created": "2024-08-29T19:35:58.477000", "tags": [ "entity" ], "references": [ "https://www.virustotal.com/graph/embed/ga02a0148ee6040769b76ab5a05c260a49c5d7e0ae8194001a0a2fe244718057f?theme=dark", "https://www.virustotal.com/graph/embed/g06e5de3a872b4353970dc8a3603cc60836716d957e354e8e9c2bc13d476fd1b8?theme=dark", "https://malpedia.caad.fkie.fraunhofer.de/details/win.hijackloader" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Education", "Healthcare", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1121, "FileHash-SHA256": 1425, "FileHash-MD5": 146, "FileHash-SHA1": 146, "URL": 188, "domain": 216 }, "indicator_count": 3242, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "453 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e9c5a4cc3b60c38e6381b8", "name": "Microsoft security reporting portal", "description": "130.0/11.5/12.3/13.4.6.7.8.1.2/14.9. 0/16.25/17..", "modified": "2024-12-17T14:35:36.786000", "created": "2024-09-17T18:08:36.835000", "tags": [ "microsoft", "security", "reporting", "portal", "abuse", "privacy", "infringement", "trademark", "trademark infringement", "abuse report", "privacy report", "security report", "security reporting", "abuse reporting", "privacy reporting", "security reporting portal", "abuse reporting portal", "privacy reporting portal", "security reporting form", "abuse reporting form", "privacy reporting form", "security reporting website", "abuse reporting website", "privacy reporting website", "security reporting site", "abuse reporting site", "privacy reporting site", "security reporting page", "abuse reporting page", "privacy reporting page", "security reporting web page", "abuse reporting web page", "privacy reporting web page", "security reporting webform", "abuse reporting webform", "privacy reporting webform", "security reporting web form", "abuse reporting web form", "privacy reporting web form", "javascript" ], "references": [ "https://cert.microsoft.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 10, "IPv4": 5, "FileHash-SHA256": 1674, "URL": 317, "SSLCertFingerprint": 4, "CIDR": 65, "IPv6": 8, "FileHash-SHA1": 139, "domain": 125, "FileHash-MD5": 159, "hostname": 50, "CVE": 1 }, "indicator_count": 2557, "is_author": false, "is_subscribing": null, "subscriber_count": 126, "modified_text": "531 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66f1accda30d94af7e846357", "name": "Zendesk as VirusTotal \u00bb Ransom:Win32/CVE", "description": "*https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088 |||\n\n*In this situation a target received a VirusTotal / Zendesk drive by pop up message that site was unauthorized , fraud risk. The link has it all! Downloaders, install core, browser bar malware, ransomware, python script. Heavy attack. Desires deletion of device , accounts and contents.\n |||\nALF:HeraklezEval:Ransom:Win32/CVE , \nALF:Trojan:Win32/Cassini_6d4ebdc9 ,\nBackdoor:Win32/Zegost ,\nCVE-2023-22518 ,\nCVE-2023-4966 ,\nFakeAV.FOR ,\nMalware:AddsCopyToStartup ,\nNinite ,\nNoobyProtect ,\nTEL:Trojan:Win64/GoCLR ,\nTELPER:HSTR:CLEAN:Ninite ,\nTrojan:Win32/Cobaltstrike ,\nTrojan:Win32/Dridex ,\nTrojan:Win32/Fanop ,\nTrojan:Win32/Neconyd ,\nTrojan:Win32/Startpage ,\nTrojan:Win32/Zombie ,\nVirTool:Win32/Injector.gen!BQ ,\nVirTool:Win32/Obfuscator ,\nWin.Trojan.Generic-9935365-0 ,\nWorm:Win32/Autorun", "modified": "2024-10-23T17:03:27.463000", "created": "2024-09-23T18:00:45.146000", "tags": [ "as396982 google", "setup", "passive dns", "unknown", "ninite sep", "a td", "443 ma2592000", "accept", "gmt cache", "trojan", "status", "name servers", "urls", "creation date", "search", "emails", "servers", "as15169 google", "aaaa", "cname", "virtool", "cryp", "as19527 google", "win32", "related pulses", "file samples", "files matching", "date hash", "trojan features", "entries", "search otx", "telper", "worm", "copyright", "levelblue", "files domain", "files related", "pulses none", "accept accept", "as16625 akamai", "as20940", "asnone united", "nxdomain", "expiration date", "as21342", "as132147", "china", "as9808 china", "body", "all scoreblue", "backdoor", "alf features", "all search", "domain", "as15133 verizon", "as16552 tiggee", "url https", "http", "hostname", "ninite", "united states", "scan endpoints", "show", "showing", "next", "united", "as54113", "github pages", "formbook cnc", "checkin", "mtb aug", "a domains", "class", "twitter", "certificate", "record value", "pulse pulses", "overview ip", "address", "related nids", "files location", "div div", "github", "meta", "homepage", "form", "as36459", "g2 tls", "rsa sha256", "as29791", "dynamicloader", "medium", "yara detections", "dynamic", "filehash", "sha256", "february", "copy", "otx telemetry", "related tags", "a li", "span p", "dj ai", "dongjun jeong", "a h2", "writeups", "infosec journey", "script urls", "netherlands", "a nxdomain", "aaaa nxdomain", "cloudfront", "trojandropper", "china unknown", "msie", "chrome", "ipv4", "noobyprotect", "files", "peeringdb", "sign", "github copilot", "view", "notifications", "branches tags", "code issues", "pull", "write", "star", "code", "stars", "python", "shell", "footer", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "as62597 nsone", "dnssec", "win32mydoom sep", "windows nt", "wow64", "khtml", "gecko", "query", "jpn write", "e0e8e", "observed dns", "expiro", "defender", "malware", "possible", "suspicious", "activity dns", "mtb may", "sameorigin", "domain name", "error", "moved", "server", "mtb sep", "win32cve sep", "cloud provider", "reverse dns", "america asn", "dns resolutions", "domains top", "level", "unique tlds", "pulses", "default", "yara rule", "high", "cnc checkin", "cape", "powershell", "vmprotect", "local", "agent", "domainabuse", "su liao", "zhi pin", "application", "expiro malware", "anomalous file", "june", "fakedout threat", "analyzer paste", "iocs", "samples", "exploit", "germany unknown", "as14636", "russia unknown", "as9123 timeweb", "as45102 alibaba", "as43830", "read c", "write c", "process32nextw", "regsetvalueexa", "regdword", "installcore", "format", "delphi", "stack", "downloader", "urls http", "delete c", "tls handshake", "number", "failure", "delete", "ids detections", "fadok", "template", "slcc2", "media center", "contacted", "ollydbg", "internal", "simda", "brian sabey", "going dark", "stop", "as14061", "hostnames", "as48287 jsc", "as50340", "czechia unknown", "date" ], "references": [ "https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088", "GitHub - peeringdb/peeringdb-py: PeeringDB python client", "00-skillsetparadesarrollo.zendesk.com", "https://github.com/peeringdb/peeringdb-py", "From the lovely Cyber Folks .PL Cover" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Poland", "Australia", "Austria", "Canada", "Netherlands", "China" ], "malware_families": [ { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2023-4966", "display_name": "CVE-2023-4966", "target": null }, { "id": "FakeAV.FOR", "display_name": "FakeAV.FOR", "target": null }, { "id": "TELPER:HSTR:CLEAN:Ninite", "display_name": "TELPER:HSTR:CLEAN:Ninite", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Dridex", "display_name": "Trojan:Win32/Dridex", "target": "/malware/Trojan:Win32/Dridex" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Malware:AddsCopyToStartup", "display_name": "Malware:AddsCopyToStartup", "target": null }, { "id": "Trojan:Win32/Cobaltstrike", "display_name": "Trojan:Win32/Cobaltstrike", "target": "/malware/Trojan:Win32/Cobaltstrike" }, { "id": "ALF:Trojan:Win32/Cassini_6d4ebdc9", "display_name": "ALF:Trojan:Win32/Cassini_6d4ebdc9", "target": null }, { "id": "Trojan:Win32/Startpage", "display_name": "Trojan:Win32/Startpage", "target": "/malware/Trojan:Win32/Startpage" }, { "id": "Backdoor:Win32/Zegost", "display_name": "Backdoor:Win32/Zegost", "target": "/malware/Backdoor:Win32/Zegost" }, { "id": "Trojan:Win32/Fanop", "display_name": "Trojan:Win32/Fanop", "target": "/malware/Trojan:Win32/Fanop" }, { "id": "Trojan:Win32/Neconyd", "display_name": "Trojan:Win32/Neconyd", "target": "/malware/Trojan:Win32/Neconyd" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "Win.Trojan.Generic-9935365-0", "display_name": "Win.Trojan.Generic-9935365-0", "target": null }, { "id": "Ninite", "display_name": "Ninite", "target": null }, { "id": "NoobyProtect", "display_name": "NoobyProtect", "target": null }, { "id": "TEL:Trojan:Win64/GoCLR", "display_name": "TEL:Trojan:Win64/GoCLR", "target": null }, { "id": "ALF:HeraklezEval:Ransom:Win32/CVE", "display_name": "ALF:HeraklezEval:Ransom:Win32/CVE", "target": null }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4891, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2436, "CVE": 3, "FileHash-MD5": 2510, "FileHash-SHA1": 2063, "FileHash-SHA256": 4054, "hostname": 1788, "URL": 1228, "email": 16 }, "indicator_count": 14098, "is_author": false, "is_subscribing": null, "subscriber_count": 244, "modified_text": "586 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "661858cf6ac4c024886515d7", "name": "Windows Sample of Windows - System32", "description": "An analysis of Malware Distribution and Threats stemming from an ongoing breach at the University of Alberta. Retrospective & In-Progress tracking, identification, and characterization among affected individuals/organizations/sectors affected by misuse of credentials.\n\nA deeper dive into malicious files on samples of System32 gathered from the UofA as well as from Sample W11 PC", "modified": "2024-09-27T22:03:43.303000", "created": "2024-04-11T21:40:31.045000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98/summary", "https://www.virustotal.com/graph/embed/gfc33296181c74257ae503130940c083ee0c60fc5174e47118fc38f04ffb09584?theme=dark", "https://www.virustotal.com/ui/file_behaviours/2bc23a995bf4af9ba43ee21bd71c398444dd994b84d8fb7cb94b5429af4e60bf_Zenbox/html", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98/iocs", "https://www.virustotal.com/graph/embed/g8a2d0c1eca164cb0a1844db566d28208e0e5b5e03bfb4377a98265a5c0e47960?theme=dark", "https://www.virustotal.com/graph/embed/g03752e112d454511bb41e53c4ca610371d531e6bfe2444ed9fd093145aef08f0?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724181274&Signature=i8XiiJ%2BdCvj6ByL4c5tRY21ZEXdquVAdSRwC7OrdlnUHP75gU59aV17r7CtZaWH%2B1qhK94T1CSnRScW5Ez3t%2B9eCCNPcgPI2mOl1c1dBBiiIrj3r1rIzlDQyKFTQhaLjOzFcFzCL5OZ8XXk6ppN9iC6N5uEYJWHDOZs7bbsQYPwnmo2iwRhFDDUjSCQMKwOPrF34fDOoqnSlZCfe981ZRIr6HISZTbu1fhFFdpNgPTVw7D3Y384i4b6nkfzjkI8u", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724181174&Signature=XTu5xxPcqMp3JXhCztWWQOwupXutbdzYwP1MwmdMKWErO3M%2FWEjxgmoErtsmQnLlYNIXVLVgervCeRmzfUzT1wiVZpMuHQS7UFndYWF53GNwFdAzDd4kqU%2F09GvKe1Da4wgvN0HHvA4wdRUm6os0N9jjSFRIXKc6ALqq0eHL7LgDtV6fdx1g22MN2RLGfNkkzIpXSuUwD%2BeFPR0osNVszClRiFi5dLJIahlcjYcWeTpd%2FGvBQ2kLcv", "https://www.virustotal.com/graph/embed/gcf877329e4824f7ea96cf4dce8a5fe5f7b0ba40333ae46ba92da9a514c2e006b?theme=dark", "https://www.virustotal.com/graph/embed/g64431c9444084659a4360cb063de46ef275e7f87c38a4da8b67dde4541729147?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724263681&Signature=sRNF3CXtbsizlNdCMDBJqa0Oxx4P3yW1sAZJvHB1xF981vua%2Fxh6EAKeKpwFlRlflCybIOWHPyQC5awq%2BwJslkM%2FLI9Wv5HA4EipG36shGNh5ML2wkco57c9ITd8dKgOti67d9sVy2VQHcLt3o5UBMlOE%2BMhhf4AONsGvftAO7kQsz41rdwT4L%2BnBHntaiIqG6Rz438Lo%2FcyaTFgmNJ5NkbVgnEJvWhqhqGzFhk18O8wZt1Nh4", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724263684&Signature=xXQ9O6EGcEiatL%2FEjaTaOTH9kgTWN7ZCmaIM6wb2vcXjEmSqDd6c9XpfadCYK9uln%2FKAqjzkVCs9reZTrsl8p6w6MDIelJQ%2FdCUTriPH%2F%2FWy3yiRbT6VZGnVk9iNBOxIGDE%2Bz4UPbuLXaler%2B11uCyHouGQJhG1CvoCEC64JpsC89GsV9%2FaOyrduTZK3XJpvrRVMdoRTKEayIYHD59OSeCeLlAde2yETDvIOPoxT6Bp5FO1spfMq7S", "updated 08.21.24: https://www.virustotal.com/graph/embed/g64431c9444084659a4360cb063de46ef275e7f87c38a4da8b67dde4541729147?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/27f74e49d7263156339c0b950fdbd6c98f633254229085814689ba348ea4d85a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724426279&Signature=KWv3ie5iuSeNS%2Flc%2BGXXzfwbqKYxF4lfka5N2gHnA6gYz63eETZ8yzhfO64lV6HacEN9qfuNfVzdltiRLDV8hweWSZHPdZgx%2ByHGwEvpBI6Pk7PvgX8nKdcJso8%2B1iA3hgRF10wNbQKIZP3K%2BOMdzLLHN9JpuSJUVxxHVhORYlokSH6OaM6Yn6qzdNQcGhAH%2B3LXiSJZggxduc%2F2cGsNIj47o%2FCrC3B0GZzIicJar8MJFq" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1542.003", "name": "Bootkit", "display_name": "T1542.003 - Bootkit" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Education", "Government", "Technology", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1329, "FileHash-SHA1": 1302, "FileHash-SHA256": 9051, "domain": 1341, "hostname": 4941, "URL": 1903, "CVE": 3 }, "indicator_count": 19870, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "611 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://cert.microsoft.com", "GitHub - peeringdb/peeringdb-py: PeeringDB python client", "https://www.virustotal.com/ui/file_behaviours/2bc23a995bf4af9ba43ee21bd71c398444dd994b84d8fb7cb94b5429af4e60bf_Zenbox/html", "updated 08.21.24: https://www.virustotal.com/graph/embed/g64431c9444084659a4360cb063de46ef275e7f87c38a4da8b67dde4541729147?theme=dark", "https://www.virustotal.com/graph/embed/g06e5de3a872b4353970dc8a3603cc60836716d957e354e8e9c2bc13d476fd1b8?theme=dark", "https://www.virustotal.com/graph/embed/g03752e112d454511bb41e53c4ca610371d531e6bfe2444ed9fd093145aef08f0?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724263684&Signature=xXQ9O6EGcEiatL%2FEjaTaOTH9kgTWN7ZCmaIM6wb2vcXjEmSqDd6c9XpfadCYK9uln%2FKAqjzkVCs9reZTrsl8p6w6MDIelJQ%2FdCUTriPH%2F%2FWy3yiRbT6VZGnVk9iNBOxIGDE%2Bz4UPbuLXaler%2B11uCyHouGQJhG1CvoCEC64JpsC89GsV9%2FaOyrduTZK3XJpvrRVMdoRTKEayIYHD59OSeCeLlAde2yETDvIOPoxT6Bp5FO1spfMq7S", "https://www.virustotal.com/graph/embed/gfc33296181c74257ae503130940c083ee0c60fc5174e47118fc38f04ffb09584?theme=dark", "00-skillsetparadesarrollo.zendesk.com", "https://vtbehaviour.commondatastorage.googleapis.com/27f74e49d7263156339c0b950fdbd6c98f633254229085814689ba348ea4d85a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724426279&Signature=KWv3ie5iuSeNS%2Flc%2BGXXzfwbqKYxF4lfka5N2gHnA6gYz63eETZ8yzhfO64lV6HacEN9qfuNfVzdltiRLDV8hweWSZHPdZgx%2ByHGwEvpBI6Pk7PvgX8nKdcJso8%2B1iA3hgRF10wNbQKIZP3K%2BOMdzLLHN9JpuSJUVxxHVhORYlokSH6OaM6Yn6qzdNQcGhAH%2B3LXiSJZggxduc%2F2cGsNIj47o%2FCrC3B0GZzIicJar8MJFq", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724181174&Signature=XTu5xxPcqMp3JXhCztWWQOwupXutbdzYwP1MwmdMKWErO3M%2FWEjxgmoErtsmQnLlYNIXVLVgervCeRmzfUzT1wiVZpMuHQS7UFndYWF53GNwFdAzDd4kqU%2F09GvKe1Da4wgvN0HHvA4wdRUm6os0N9jjSFRIXKc6ALqq0eHL7LgDtV6fdx1g22MN2RLGfNkkzIpXSuUwD%2BeFPR0osNVszClRiFi5dLJIahlcjYcWeTpd%2FGvBQ2kLcv", "https://www.virustotal.com/graph/embed/ga02a0148ee6040769b76ab5a05c260a49c5d7e0ae8194001a0a2fe244718057f?theme=dark", "https://www.virustotal.com/graph/embed/g8a2d0c1eca164cb0a1844db566d28208e0e5b5e03bfb4377a98265a5c0e47960?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724263681&Signature=sRNF3CXtbsizlNdCMDBJqa0Oxx4P3yW1sAZJvHB1xF981vua%2Fxh6EAKeKpwFlRlflCybIOWHPyQC5awq%2BwJslkM%2FLI9Wv5HA4EipG36shGNh5ML2wkco57c9ITd8dKgOti67d9sVy2VQHcLt3o5UBMlOE%2BMhhf4AONsGvftAO7kQsz41rdwT4L%2BnBHntaiIqG6Rz438Lo%2FcyaTFgmNJ5NkbVgnEJvWhqhqGzFhk18O8wZt1Nh4", "From the lovely Cyber Folks .PL Cover", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724181274&Signature=i8XiiJ%2BdCvj6ByL4c5tRY21ZEXdquVAdSRwC7OrdlnUHP75gU59aV17r7CtZaWH%2B1qhK94T1CSnRScW5Ez3t%2B9eCCNPcgPI2mOl1c1dBBiiIrj3r1rIzlDQyKFTQhaLjOzFcFzCL5OZ8XXk6ppN9iC6N5uEYJWHDOZs7bbsQYPwnmo2iwRhFDDUjSCQMKwOPrF34fDOoqnSlZCfe981ZRIr6HISZTbu1fhFFdpNgPTVw7D3Y384i4b6nkfzjkI8u", "https://www.virustotal.com/graph/embed/g64431c9444084659a4360cb063de46ef275e7f87c38a4da8b67dde4541729147?theme=dark", "https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088", "https://github.com/peeringdb/peeringdb-py", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98/iocs", "https://www.virustotal.com/graph/embed/gcf877329e4824f7ea96cf4dce8a5fe5f7b0ba40333ae46ba92da9a514c2e006b?theme=dark", "https://malpedia.caad.fkie.fraunhofer.de/details/win.hijackloader", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98/summary" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojan:win32/zombie", "Win.trojan.generic-9935365-0", "Backdoor:win32/zegost", "Cve-2023-4966", "Trojan:win32/dridex", "Tel:trojan:win64/goclr", "Ninite", "Cve-2023-22518", "Alf:trojan:win32/cassini_6d4ebdc9", "Trojan:win32/neconyd", "Malware:addscopytostartup", "Telper:hstr:clean:ninite", "Trojan:win32/fanop", "Virtool:win32/injector.gen!bq", "Worm:win32/autorun", "Noobyprotect", "Trojan:win32/startpage", "Virtool:win32/obfuscator", "Alf:heraklezeval:ransom:win32/cve", "Trojan:win32/cobaltstrike", "Fakeav.for" ], "industries": [ "Healthcare", "Telecommunications", "Technology", "Education", "Government" ], "unique_indicators": 24625 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/bbstunnel.com", "whois": "http://whois.domaintools.com/bbstunnel.com", "domain": "bbstunnel.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "6a056b0ac410b2fb62457071", "name": "Windows Sample of Windows - System32 Clone by disable_duck", "description": "", "modified": "2026-05-14T06:26:18.998000", "created": "2026-05-14T06:26:18.998000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98/summary", "https://www.virustotal.com/graph/embed/gfc33296181c74257ae503130940c083ee0c60fc5174e47118fc38f04ffb09584?theme=dark", "https://www.virustotal.com/ui/file_behaviours/2bc23a995bf4af9ba43ee21bd71c398444dd994b84d8fb7cb94b5429af4e60bf_Zenbox/html", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98/iocs", "https://www.virustotal.com/graph/embed/g8a2d0c1eca164cb0a1844db566d28208e0e5b5e03bfb4377a98265a5c0e47960?theme=dark", "https://www.virustotal.com/graph/embed/g03752e112d454511bb41e53c4ca610371d531e6bfe2444ed9fd093145aef08f0?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724181274&Signature=i8XiiJ%2BdCvj6ByL4c5tRY21ZEXdquVAdSRwC7OrdlnUHP75gU59aV17r7CtZaWH%2B1qhK94T1CSnRScW5Ez3t%2B9eCCNPcgPI2mOl1c1dBBiiIrj3r1rIzlDQyKFTQhaLjOzFcFzCL5OZ8XXk6ppN9iC6N5uEYJWHDOZs7bbsQYPwnmo2iwRhFDDUjSCQMKwOPrF34fDOoqnSlZCfe981ZRIr6HISZTbu1fhFFdpNgPTVw7D3Y384i4b6nkfzjkI8u", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724181174&Signature=XTu5xxPcqMp3JXhCztWWQOwupXutbdzYwP1MwmdMKWErO3M%2FWEjxgmoErtsmQnLlYNIXVLVgervCeRmzfUzT1wiVZpMuHQS7UFndYWF53GNwFdAzDd4kqU%2F09GvKe1Da4wgvN0HHvA4wdRUm6os0N9jjSFRIXKc6ALqq0eHL7LgDtV6fdx1g22MN2RLGfNkkzIpXSuUwD%2BeFPR0osNVszClRiFi5dLJIahlcjYcWeTpd%2FGvBQ2kLcv", "https://www.virustotal.com/graph/embed/gcf877329e4824f7ea96cf4dce8a5fe5f7b0ba40333ae46ba92da9a514c2e006b?theme=dark", "https://www.virustotal.com/graph/embed/g64431c9444084659a4360cb063de46ef275e7f87c38a4da8b67dde4541729147?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724263681&Signature=sRNF3CXtbsizlNdCMDBJqa0Oxx4P3yW1sAZJvHB1xF981vua%2Fxh6EAKeKpwFlRlflCybIOWHPyQC5awq%2BwJslkM%2FLI9Wv5HA4EipG36shGNh5ML2wkco57c9ITd8dKgOti67d9sVy2VQHcLt3o5UBMlOE%2BMhhf4AONsGvftAO7kQsz41rdwT4L%2BnBHntaiIqG6Rz438Lo%2FcyaTFgmNJ5NkbVgnEJvWhqhqGzFhk18O8wZt1Nh4", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724263684&Signature=xXQ9O6EGcEiatL%2FEjaTaOTH9kgTWN7ZCmaIM6wb2vcXjEmSqDd6c9XpfadCYK9uln%2FKAqjzkVCs9reZTrsl8p6w6MDIelJQ%2FdCUTriPH%2F%2FWy3yiRbT6VZGnVk9iNBOxIGDE%2Bz4UPbuLXaler%2B11uCyHouGQJhG1CvoCEC64JpsC89GsV9%2FaOyrduTZK3XJpvrRVMdoRTKEayIYHD59OSeCeLlAde2yETDvIOPoxT6Bp5FO1spfMq7S", "updated 08.21.24: https://www.virustotal.com/graph/embed/g64431c9444084659a4360cb063de46ef275e7f87c38a4da8b67dde4541729147?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/27f74e49d7263156339c0b950fdbd6c98f633254229085814689ba348ea4d85a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724426279&Signature=KWv3ie5iuSeNS%2Flc%2BGXXzfwbqKYxF4lfka5N2gHnA6gYz63eETZ8yzhfO64lV6HacEN9qfuNfVzdltiRLDV8hweWSZHPdZgx%2ByHGwEvpBI6Pk7PvgX8nKdcJso8%2B1iA3hgRF10wNbQKIZP3K%2BOMdzLLHN9JpuSJUVxxHVhORYlokSH6OaM6Yn6qzdNQcGhAH%2B3LXiSJZggxduc%2F2cGsNIj47o%2FCrC3B0GZzIicJar8MJFq" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1542.003", "name": "Bootkit", "display_name": "T1542.003 - Bootkit" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Education", "Government", "Technology", "Healthcare" ], "TLP": "white", "cloned_from": "661858cf6ac4c024886515d7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1329, "FileHash-SHA1": 1302, "FileHash-SHA256": 9051, "domain": 1341, "hostname": 4941, "URL": 1903, "CVE": 3 }, "indicator_count": 19870, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ff110180abb3beb39c04bc", "name": "Microsoft security reporting portal CREATED 2 YEARS AGO MODIFIED 1 YEAR AGO by Arek-BTC [2024 and older]", "description": "", "modified": "2026-05-09T12:20:54.997000", "created": "2026-05-09T10:48:33.286000", "tags": [ "microsoft", "security", "reporting", "portal", "abuse", "privacy", "infringement", "trademark", "trademark infringement", "abuse report", "privacy report", "security report", "security reporting", "abuse reporting", "privacy reporting", "security reporting portal", "abuse reporting portal", "privacy reporting portal", "security reporting form", "abuse reporting form", "privacy reporting form", "security reporting website", "abuse reporting website", "privacy reporting website", "security reporting site", "abuse reporting site", "privacy reporting site", "security reporting page", "abuse reporting page", "privacy reporting page", "security reporting web page", "abuse reporting web page", "privacy reporting web page", "security reporting webform", "abuse reporting webform", "privacy reporting webform", "security reporting web form", "abuse reporting web form", "privacy reporting web form", "javascript" ], "references": [ "https://cert.microsoft.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "66e9c5a4cc3b60c38e6381b8", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 10, "IPv4": 46, "FileHash-SHA256": 1684, "URL": 337, "SSLCertFingerprint": 4, "CIDR": 65, "IPv6": 8, "FileHash-SHA1": 149, "domain": 130, "FileHash-MD5": 169, "hostname": 152, "CVE": 3 }, "indicator_count": 2757, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d0cd9e2c14f8fefd2544b1", "name": "fp2e7a[.]wpc[.]phicdn[.]net", "description": "IOCs pumped into AV related but unclear re: where they sit atm", "modified": "2025-03-04T19:03:08.346000", "created": "2024-08-29T19:35:58.477000", "tags": [ "entity" ], "references": [ "https://www.virustotal.com/graph/embed/ga02a0148ee6040769b76ab5a05c260a49c5d7e0ae8194001a0a2fe244718057f?theme=dark", "https://www.virustotal.com/graph/embed/g06e5de3a872b4353970dc8a3603cc60836716d957e354e8e9c2bc13d476fd1b8?theme=dark", "https://malpedia.caad.fkie.fraunhofer.de/details/win.hijackloader" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Education", "Healthcare", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1121, "FileHash-SHA256": 1425, "FileHash-MD5": 146, "FileHash-SHA1": 146, "URL": 188, "domain": 216 }, "indicator_count": 3242, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "453 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66e9c5a4cc3b60c38e6381b8", "name": "Microsoft security reporting portal", "description": "130.0/11.5/12.3/13.4.6.7.8.1.2/14.9. 0/16.25/17..", "modified": "2024-12-17T14:35:36.786000", "created": "2024-09-17T18:08:36.835000", "tags": [ "microsoft", "security", "reporting", "portal", "abuse", "privacy", "infringement", "trademark", "trademark infringement", "abuse report", "privacy report", "security report", "security reporting", "abuse reporting", "privacy reporting", "security reporting portal", "abuse reporting portal", "privacy reporting portal", "security reporting form", "abuse reporting form", "privacy reporting form", "security reporting website", "abuse reporting website", "privacy reporting website", "security reporting site", "abuse reporting site", "privacy reporting site", "security reporting page", "abuse reporting page", "privacy reporting page", "security reporting web page", "abuse reporting web page", "privacy reporting web page", "security reporting webform", "abuse reporting webform", "privacy reporting webform", "security reporting web form", "abuse reporting web form", "privacy reporting web form", "javascript" ], "references": [ "https://cert.microsoft.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 10, "IPv4": 5, "FileHash-SHA256": 1674, "URL": 317, "SSLCertFingerprint": 4, "CIDR": 65, "IPv6": 8, "FileHash-SHA1": 139, "domain": 125, "FileHash-MD5": 159, "hostname": 50, "CVE": 1 }, "indicator_count": 2557, "is_author": false, "is_subscribing": null, "subscriber_count": 126, "modified_text": "531 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66f1accda30d94af7e846357", "name": "Zendesk as VirusTotal \u00bb Ransom:Win32/CVE", "description": "*https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088 |||\n\n*In this situation a target received a VirusTotal / Zendesk drive by pop up message that site was unauthorized , fraud risk. The link has it all! Downloaders, install core, browser bar malware, ransomware, python script. Heavy attack. Desires deletion of device , accounts and contents.\n |||\nALF:HeraklezEval:Ransom:Win32/CVE , \nALF:Trojan:Win32/Cassini_6d4ebdc9 ,\nBackdoor:Win32/Zegost ,\nCVE-2023-22518 ,\nCVE-2023-4966 ,\nFakeAV.FOR ,\nMalware:AddsCopyToStartup ,\nNinite ,\nNoobyProtect ,\nTEL:Trojan:Win64/GoCLR ,\nTELPER:HSTR:CLEAN:Ninite ,\nTrojan:Win32/Cobaltstrike ,\nTrojan:Win32/Dridex ,\nTrojan:Win32/Fanop ,\nTrojan:Win32/Neconyd ,\nTrojan:Win32/Startpage ,\nTrojan:Win32/Zombie ,\nVirTool:Win32/Injector.gen!BQ ,\nVirTool:Win32/Obfuscator ,\nWin.Trojan.Generic-9935365-0 ,\nWorm:Win32/Autorun", "modified": "2024-10-23T17:03:27.463000", "created": "2024-09-23T18:00:45.146000", "tags": [ "as396982 google", "setup", "passive dns", "unknown", "ninite sep", "a td", "443 ma2592000", "accept", "gmt cache", "trojan", "status", "name servers", "urls", "creation date", "search", "emails", "servers", "as15169 google", "aaaa", "cname", "virtool", "cryp", "as19527 google", "win32", "related pulses", "file samples", "files matching", "date hash", "trojan features", "entries", "search otx", "telper", "worm", "copyright", "levelblue", "files domain", "files related", "pulses none", "accept accept", "as16625 akamai", "as20940", "asnone united", "nxdomain", "expiration date", "as21342", "as132147", "china", "as9808 china", "body", "all scoreblue", "backdoor", "alf features", "all search", "domain", "as15133 verizon", "as16552 tiggee", "url https", "http", "hostname", "ninite", "united states", "scan endpoints", "show", "showing", "next", "united", "as54113", "github pages", "formbook cnc", "checkin", "mtb aug", "a domains", "class", "twitter", "certificate", "record value", "pulse pulses", "overview ip", "address", "related nids", "files location", "div div", "github", "meta", "homepage", "form", "as36459", "g2 tls", "rsa sha256", "as29791", "dynamicloader", "medium", "yara detections", "dynamic", "filehash", "sha256", "february", "copy", "otx telemetry", "related tags", "a li", "span p", "dj ai", "dongjun jeong", "a h2", "writeups", "infosec journey", "script urls", "netherlands", "a nxdomain", "aaaa nxdomain", "cloudfront", "trojandropper", "china unknown", "msie", "chrome", "ipv4", "noobyprotect", "files", "peeringdb", "sign", "github copilot", "view", "notifications", "branches tags", "code issues", "pull", "write", "star", "code", "stars", "python", "shell", "footer", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "as62597 nsone", "dnssec", "win32mydoom sep", "windows nt", "wow64", "khtml", "gecko", "query", "jpn write", "e0e8e", "observed dns", "expiro", "defender", "malware", "possible", "suspicious", "activity dns", "mtb may", "sameorigin", "domain name", "error", "moved", "server", "mtb sep", "win32cve sep", "cloud provider", "reverse dns", "america asn", "dns resolutions", "domains top", "level", "unique tlds", "pulses", "default", "yara rule", "high", "cnc checkin", "cape", "powershell", "vmprotect", "local", "agent", "domainabuse", "su liao", "zhi pin", "application", "expiro malware", "anomalous file", "june", "fakedout threat", "analyzer paste", "iocs", "samples", "exploit", "germany unknown", "as14636", "russia unknown", "as9123 timeweb", "as45102 alibaba", "as43830", "read c", "write c", "process32nextw", "regsetvalueexa", "regdword", "installcore", "format", "delphi", "stack", "downloader", "urls http", "delete c", "tls handshake", "number", "failure", "delete", "ids detections", "fadok", "template", "slcc2", "media center", "contacted", "ollydbg", "internal", "simda", "brian sabey", "going dark", "stop", "as14061", "hostnames", "as48287 jsc", "as50340", "czechia unknown", "date" ], "references": [ "https://virustotal.zendesk.com/frontendevents/dl?client=1B752747-5778-429A-A0E0-83861AF69088", "GitHub - peeringdb/peeringdb-py: PeeringDB python client", "00-skillsetparadesarrollo.zendesk.com", "https://github.com/peeringdb/peeringdb-py", "From the lovely Cyber Folks .PL Cover" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Poland", "Australia", "Austria", "Canada", "Netherlands", "China" ], "malware_families": [ { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "CVE-2023-4966", "display_name": "CVE-2023-4966", "target": null }, { "id": "FakeAV.FOR", "display_name": "FakeAV.FOR", "target": null }, { "id": "TELPER:HSTR:CLEAN:Ninite", "display_name": "TELPER:HSTR:CLEAN:Ninite", "target": null }, { "id": "VirTool:Win32/Obfuscator", "display_name": "VirTool:Win32/Obfuscator", "target": "/malware/VirTool:Win32/Obfuscator" }, { "id": "Trojan:Win32/Dridex", "display_name": "Trojan:Win32/Dridex", "target": "/malware/Trojan:Win32/Dridex" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Malware:AddsCopyToStartup", "display_name": "Malware:AddsCopyToStartup", "target": null }, { "id": "Trojan:Win32/Cobaltstrike", "display_name": "Trojan:Win32/Cobaltstrike", "target": "/malware/Trojan:Win32/Cobaltstrike" }, { "id": "ALF:Trojan:Win32/Cassini_6d4ebdc9", "display_name": "ALF:Trojan:Win32/Cassini_6d4ebdc9", "target": null }, { "id": "Trojan:Win32/Startpage", "display_name": "Trojan:Win32/Startpage", "target": "/malware/Trojan:Win32/Startpage" }, { "id": "Backdoor:Win32/Zegost", "display_name": "Backdoor:Win32/Zegost", "target": "/malware/Backdoor:Win32/Zegost" }, { "id": "Trojan:Win32/Fanop", "display_name": "Trojan:Win32/Fanop", "target": "/malware/Trojan:Win32/Fanop" }, { "id": "Trojan:Win32/Neconyd", "display_name": "Trojan:Win32/Neconyd", "target": "/malware/Trojan:Win32/Neconyd" }, { "id": "Trojan:Win32/Zombie", "display_name": "Trojan:Win32/Zombie", "target": "/malware/Trojan:Win32/Zombie" }, { "id": "Win.Trojan.Generic-9935365-0", "display_name": "Win.Trojan.Generic-9935365-0", "target": null }, { "id": "Ninite", "display_name": "Ninite", "target": null }, { "id": "NoobyProtect", "display_name": "NoobyProtect", "target": null }, { "id": "TEL:Trojan:Win64/GoCLR", "display_name": "TEL:Trojan:Win64/GoCLR", "target": null }, { "id": "ALF:HeraklezEval:Ransom:Win32/CVE", "display_name": "ALF:HeraklezEval:Ransom:Win32/CVE", "target": null }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4891, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2436, "CVE": 3, "FileHash-MD5": 2510, "FileHash-SHA1": 2063, "FileHash-SHA256": 4054, "hostname": 1788, "URL": 1228, "email": 16 }, "indicator_count": 14098, "is_author": false, "is_subscribing": null, "subscriber_count": 244, "modified_text": "586 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "661858cf6ac4c024886515d7", "name": "Windows Sample of Windows - System32", "description": "An analysis of Malware Distribution and Threats stemming from an ongoing breach at the University of Alberta. Retrospective & In-Progress tracking, identification, and characterization among affected individuals/organizations/sectors affected by misuse of credentials.\n\nA deeper dive into malicious files on samples of System32 gathered from the UofA as well as from Sample W11 PC", "modified": "2024-09-27T22:03:43.303000", "created": "2024-04-11T21:40:31.045000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98/summary", "https://www.virustotal.com/graph/embed/gfc33296181c74257ae503130940c083ee0c60fc5174e47118fc38f04ffb09584?theme=dark", "https://www.virustotal.com/ui/file_behaviours/2bc23a995bf4af9ba43ee21bd71c398444dd994b84d8fb7cb94b5429af4e60bf_Zenbox/html", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98/iocs", "https://www.virustotal.com/graph/embed/g8a2d0c1eca164cb0a1844db566d28208e0e5b5e03bfb4377a98265a5c0e47960?theme=dark", "https://www.virustotal.com/graph/embed/g03752e112d454511bb41e53c4ca610371d531e6bfe2444ed9fd093145aef08f0?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724181274&Signature=i8XiiJ%2BdCvj6ByL4c5tRY21ZEXdquVAdSRwC7OrdlnUHP75gU59aV17r7CtZaWH%2B1qhK94T1CSnRScW5Ez3t%2B9eCCNPcgPI2mOl1c1dBBiiIrj3r1rIzlDQyKFTQhaLjOzFcFzCL5OZ8XXk6ppN9iC6N5uEYJWHDOZs7bbsQYPwnmo2iwRhFDDUjSCQMKwOPrF34fDOoqnSlZCfe981ZRIr6HISZTbu1fhFFdpNgPTVw7D3Y384i4b6nkfzjkI8u", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724181174&Signature=XTu5xxPcqMp3JXhCztWWQOwupXutbdzYwP1MwmdMKWErO3M%2FWEjxgmoErtsmQnLlYNIXVLVgervCeRmzfUzT1wiVZpMuHQS7UFndYWF53GNwFdAzDd4kqU%2F09GvKe1Da4wgvN0HHvA4wdRUm6os0N9jjSFRIXKc6ALqq0eHL7LgDtV6fdx1g22MN2RLGfNkkzIpXSuUwD%2BeFPR0osNVszClRiFi5dLJIahlcjYcWeTpd%2FGvBQ2kLcv", "https://www.virustotal.com/graph/embed/gcf877329e4824f7ea96cf4dce8a5fe5f7b0ba40333ae46ba92da9a514c2e006b?theme=dark", "https://www.virustotal.com/graph/embed/g64431c9444084659a4360cb063de46ef275e7f87c38a4da8b67dde4541729147?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724263681&Signature=sRNF3CXtbsizlNdCMDBJqa0Oxx4P3yW1sAZJvHB1xF981vua%2Fxh6EAKeKpwFlRlflCybIOWHPyQC5awq%2BwJslkM%2FLI9Wv5HA4EipG36shGNh5ML2wkco57c9ITd8dKgOti67d9sVy2VQHcLt3o5UBMlOE%2BMhhf4AONsGvftAO7kQsz41rdwT4L%2BnBHntaiIqG6Rz438Lo%2FcyaTFgmNJ5NkbVgnEJvWhqhqGzFhk18O8wZt1Nh4", "https://vtbehaviour.commondatastorage.googleapis.com/b9af69ac821a649f211c99e3edf32a76a213e9450b5e972a6cdda5758af530dd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724263684&Signature=xXQ9O6EGcEiatL%2FEjaTaOTH9kgTWN7ZCmaIM6wb2vcXjEmSqDd6c9XpfadCYK9uln%2FKAqjzkVCs9reZTrsl8p6w6MDIelJQ%2FdCUTriPH%2F%2FWy3yiRbT6VZGnVk9iNBOxIGDE%2Bz4UPbuLXaler%2B11uCyHouGQJhG1CvoCEC64JpsC89GsV9%2FaOyrduTZK3XJpvrRVMdoRTKEayIYHD59OSeCeLlAde2yETDvIOPoxT6Bp5FO1spfMq7S", "updated 08.21.24: https://www.virustotal.com/graph/embed/g64431c9444084659a4360cb063de46ef275e7f87c38a4da8b67dde4541729147?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/27f74e49d7263156339c0b950fdbd6c98f633254229085814689ba348ea4d85a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1724426279&Signature=KWv3ie5iuSeNS%2Flc%2BGXXzfwbqKYxF4lfka5N2gHnA6gYz63eETZ8yzhfO64lV6HacEN9qfuNfVzdltiRLDV8hweWSZHPdZgx%2ByHGwEvpBI6Pk7PvgX8nKdcJso8%2B1iA3hgRF10wNbQKIZP3K%2BOMdzLLHN9JpuSJUVxxHVhORYlokSH6OaM6Yn6qzdNQcGhAH%2B3LXiSJZggxduc%2F2cGsNIj47o%2FCrC3B0GZzIicJar8MJFq" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1542.003", "name": "Bootkit", "display_name": "T1542.003 - Bootkit" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Education", "Government", "Technology", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1329, "FileHash-SHA1": 1302, "FileHash-SHA256": 9051, "domain": 1341, "hostname": 4941, "URL": 1903, "CVE": 3 }, "indicator_count": 19870, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "611 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://bbstunnel.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://bbstunnel.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780338735.7814136 }