{ "type": "URL", "indicator": "https://bitfrozen.org", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://bitfrozen.org", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4106918240, "indicator": "https://bitfrozen.org", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "692d02f096f3ec8b5b507496", "name": "Google Drive: Share Files Online with Secure Cloud Storage | Google Workspace", "description": "nJRAT | Corrupted Google Drive sent to targets former device. Years long social engineering may have been involved. All\nIoC\u2019s Appears to involve years of social engineering. Google\ndrive service in question is a storage service based in Vietnam. | \n\nBotnet / Check-ins / Spyware / Cams. [Anon Sec Botnet subdomain name pulsed. Close directly related to zalo.me\nand tbtteams.com]\nRequires further research.\n\nThis pulse is a bit confusing due where and who it originated from.", "modified": "2025-12-31T02:01:50.101000", "created": "2025-12-01T02:52:32.483000", "tags": [ "business", "enterprise", "drive", "english", "google drive", "try drive", "business small", "workspace", "sign", "strong", "find", "life", "tools", "protect", "cloud", "simple", "android", "indonesia", "video", "mb download", "shared may", "shared", "learn", "drive drive", "name date", "javascript", "dynamicloader", "medium", "minimal headers", "high", "observed get", "get http", "united", "yara rule", "http", "write", "guard", "malware", "read c", "ms windows", "intel", "png image", "rgba", "pe32", "get na", "explorer", "music", "virlock", "media", "ho chi", "minh city", "viet nam", "storage company", "limited", "google", "address as", "luutruso", "cloudflar", "domain", "asn15169", "asn56153", "asn13335", "cisco", "umbrella rank", "apex domain", "url https", "kb stylesheet", "kb font", "kb image", "image", "kb script", "november", "resource path", "size", "type mimetype", "primary request", "redirect chain", "kb document", "urls", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "t1590 gather", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "domain address", "rsdsq jfu", "ollydbg ollydbg", "wireshark", "external", "binary file", "mitre att", "ck matrix", "aaaa", "cong ty", "co phan", "code", "province hcm", "files", "ip address", "request", "flag", "country", "contacted hosts", "process details", "link initial", "t1480 execution", "domains", "moved", "gmt content", "all ipv4", "url analysis", "location viet", "title", "error", "problem", "url add", "related nids", "files location", "flag united", "development att", "name server", "markmonitor", "localappdata", "programfiles", "edge", "hyundai", "social engineering", ".mil", "hackers", "phishing eml", "summary", "cisco umbrella", "google safe", "browsing", "current dns", "a record", "ip information", "ipasns ip", "detail domain", "domain tree", "links apex", "transfer", "b script", "b stylesheet", "frame b830", "b document", "value", "december", "degurafregistry", "gat object", "jsl object", "gapijstiming", "iframe function", "domainpath name", "nid value", "source level", "files domain", "files related", "tags", "related tags", "virustotal", "foundry", "pulse otx", "dark", "vietnam", "present aug", "present nov", "present jul", "present sep", "unknown aaaa", "search", "name servers", "present oct", "trojan", "data upload", "extraction", "se https", "include review", "exclude sugges", "find s", "failed", "typ don", "faith", "study", "romeo\u2019s", "juliettes", "femme fatales", "strategy", "honey pot", "honey traps", "spy", "helix", "anons", "passive dns", "pulse pulses", "files ip", "address", "location united", "asn as400519", "whois registrar", "ms defender", "files matching", "number", "sample analysis", "hide samples", "date hash", "cameras", "cams", "spycam", "botnet", "vietnam", "company limited", "dnssec", "status", "india unknown", "present may", "espionage", "hostname add", "generic", "cnc activity", "backdoor", "ipv4", "anonsecbotnet", "iptv" ], "references": [ "drive.google.com/", "https://foundry2-lbl.dvr.dn2.n-helix.com/", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "zalo.me | href | Binary File | ATT&CK ID T1566.002", "https://account.helix.com/activate/start", "anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022", "https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]", "Terse Unencrypted Request for Google - Likely Connectivity Check", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6", "cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com", "https://hyundaibariavungtau3s.com/vehicle/stargazer", "https://hyundaibariavungtau3s.com/vehicle/ioniq-5", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade", "https://hyundaibariavungtau3s.com/vehicle/hyundai-custin", "https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/", "https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com", "https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/", "https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com", "http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/", "http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466", "https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam", "feedback-pa.clients6.google.com/v1/survey/trigger/", "https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg", "anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Virus.Virlock-6804475-0", "display_name": "Win.Virus.Virlock-6804475-0", "target": null }, { "id": "Win.Malware.Bzub-6727003-0", "display_name": "Win.Malware.Bzub-6727003-0", "target": null }, { "id": "Win.Trojan.Generic-9801687-0", "display_name": "Win.Trojan.Generic-9801687-0", "target": null }, { "id": "NID", "display_name": "NID", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Dropper.njRAT-10015886-0", "display_name": "Win.Dropper.njRAT-10015886-0", "target": null }, { "id": "Win.Packed.Generic-9795615-0", "display_name": "Win.Packed.Generic-9795615-0", "target": null }, { "id": "Backdoor:MSIL/Bladabindi.AJ GC!", "display_name": "Backdoor:MSIL/Bladabindi.AJ GC!", "target": "/malware/Backdoor:MSIL/Bladabindi.AJ GC!" }, { "id": "Win.Packed.Generic-9795615-0\t.", "display_name": "Win.Packed.Generic-9795615-0\t.", "target": null }, { "id": "Backdoor:MSIL/Bladabindi.AJ", "display_name": "Backdoor:MSIL/Bladabindi.AJ", "target": "/malware/Backdoor:MSIL/Bladabindi.AJ" }, { "id": "Win.Packed.Fecn-7077459-0", "display_name": "Win.Packed.Fecn-7077459-0", "target": null }, { "id": "Trojan:MSIL/Ranos.A", "display_name": "Trojan:MSIL/Ranos.A", "target": "/malware/Trojan:MSIL/Ranos.A" }, { "id": "Win.Trojan.Generic-6417450-0", "display_name": "Win.Trojan.Generic-6417450-0", "target": null }, { "id": "ALF:Backdoor:MSIL/Noancooe.KA", "display_name": "ALF:Backdoor:MSIL/Noancooe.KA", "target": null }, { "id": "Win.Packed.Msilperseus-9956592-0", "display_name": "Win.Packed.Msilperseus-9956592-0", "target": null }, { "id": "Trojan:MSIL/ClipBanker", "display_name": "Trojan:MSIL/ClipBanker", "target": "/malware/Trojan:MSIL/ClipBanker" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1194", "name": "Spearphishing via Service", "display_name": "T1194 - Spearphishing via Service" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1911, "hostname": 714, "FileHash-SHA256": 1304, "FileHash-MD5": 159, "FileHash-SHA1": 71, "SSLCertFingerprint": 2, "domain": 421, "CVE": 1, "email": 4 }, "indicator_count": 4587, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68e32dd0c55bf224eb99dd58", "name": "Appspot.com - Google account fraud & infostealing", "description": "Fake Google email accounts. I\u2019ve reviewed a handful of targets with this issue. If starting with a new device, signed up for a new google account,\nthe users are automatically logged out, forced to sign in again, checked security features where you can see an unauthorized autonomous general\nphone, or iPhone or MacBook was also signed in in a different location. Even if you delete the device or email account, I\u2019ve seen the intruder handle CnC of all backups of photos and clouds. \n\n\n\n[OTX auto populated - The full list of domain names: APPSPot.COM.com, which was created on the same day as the Google search engine, has been published by the internet regulator, the IANA.]", "modified": "2025-11-05T01:01:26.928000", "created": "2025-10-06T02:47:44.098000", "tags": [ "aaaa", "susp", "trojan", "google", "server", "domain status", "registrar abuse", "domain name", "us registrant", "email", "contact email", "rdap database", "google app", "google hosted", "please", "vulnerabilities", "join", "bring", "api explorer", "engine", "admin sdk", "info", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "ssl certificate", "ascii text", "united", "pattern match", "mitre att", "general", "local", "path", "click", "strings", "porn", "phishing", "fraud", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "download", "apt", "ansi", "dumps", "file string", "seen", "disabled hash", "close", "hosts", "contact", "tellwise", "passive dns", "urls", "pulse pulses", "files", "verdict", "domain", "files ip", "address", "location united", "asn as15169", "extraction", "data upload", "extra", "referen http", "changed data", "failed", "include review", "t07 exclude", "extri data", "changed", "exclude", "find s", "tvnes data", "status", "present nov", "name servers", "entries", "geoid no", "present dec", "date", "error", "title", "sugges", "typ no", "no entrieotound", "scam", "foundry", "sabey type", "denver", "quasi", "phoenix", "australia" ], "references": [ "appspot.com \u2022 hyper7install.appspot.com", "https://hybrid-analysis.com/sample/c61237fcb798f05e6af32a6aa13f8e795aac47559d601eb7f93ad65bcf58b418/68e30c476b91a8000b0dd786", "http://acounts.google.com/v/signin/identifier?continue=hts%253%252F2Fconsole.cloud.google.com2Fapengine&dsh=5-1106814258%2539876543210", "Changed last several digits of gmail account # In example", "http://console.cloud.google.com/appengine", "https://310940000.android.com.twitter.android.adsenseformobileapps.com/", "https://www.netify.ai/resources/domains \u2022 192-168-0-21.3pt3m9ng2hf.ddns.manage.alta.inc", "device-local-de06e551-6b23-4aa3-bb67-6972ae6d30b5.remotewd.com 192.168.0.21", "116e33e0-8832-11ec-aef5-99a1d044639a-local.solinkcloud.com", "jaycobundaberg.eclipseaurahub.com.au 192.168.0.21", "grafana.ledocloud.com\u2022 192.168.0.21", "192-168-0-21.siliconevalley1.direct.quickconnect.to" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32/Madang", "display_name": "Win32/Madang", "target": null }, { "id": "Win.Downloader.Small-1966", "display_name": "Win.Downloader.Small-1966", "target": null }, { "id": "Win32:SaliCode", "display_name": "Win32:SaliCode", "target": null }, { "id": "Virtool:Win32/Vbinder.CO", "display_name": "Virtool:Win32/Vbinder.CO", "target": "/malware/Virtool:Win32/Vbinder.CO" }, { "id": "!Themida", "display_name": "!Themida", "target": null }, { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "Win32/Scrarev.C", "display_name": "Win32/Scrarev.C", "target": null }, { "id": "Trojan:MSIL/RapidStealer.A", "display_name": "Trojan:MSIL/RapidStealer.A", "target": "/malware/Trojan:MSIL/RapidStealer.A" } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 222, "FileHash-MD5": 146, "FileHash-SHA1": 317, "FileHash-SHA256": 1120, "email": 3, "hostname": 881, "URL": 1338, "SSLCertFingerprint": 7 }, "indicator_count": 4034, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "165 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688865644a38fd5eef407891", "name": "Denver Apartment Community website with multiple compromises", "description": "Network of a multi block Denver Townhome complex experiencing issues with info stealing, password o, spyware, ransomware, malware\u2026 \u2022Win.Trojan.Crypted-30\tPWS:Win32/Zbot\u2022(phish_alert_sp2_2.0.0.0) \u2022 (phish_alert_sp1_1.0.0.0 )(30)_url_001.bin\tFile detected as \"image\", this format is not supported on WINDOWS\terror\t\nMay 23rd 2023 06:20:30 (UTC)\tRe__Motherson_INVENSITY_Project_Discussion_url_001.bin\tFile \"Re__Motherson_INVENSITY_Project_Discussion_url_001.bin\" was detected as \"image\", this format is not supported on WINDOWS\terror\t\nMay 5th 2023 07:59:14 (UTC)\tRE XDR Roadmap Planning Workshop for Temasek Polytechnic_url_007.bin\tFile \"RE XDR Roadmap Planning Workshop for Temasek Polytechnic_url_007.bin\" was detected as \"image\", this format is not supported on WINDOWS\terror", "modified": "2025-08-28T06:00:46.366000", "created": "2025-07-29T06:08:36.869000", "tags": [ "context related", "associated urls", "community", "present jul", "present jun", "present may", "present apr", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present showing", "sha256", "submitted", "urls", "passive dns", "http", "unique", "ip asn", "as701 verizon", "url add", "pulse pulses", "ip address", "related nids", "windows error", "file", "re xdr", "workshop", "march", "february", "january", "windows nt", "klpx", "span", "script", "united", "indicator", "appdata", "pattern match", "runtime process", "copy md5", "iframe", "date", "jquery", "null", "solid", "code", "summer", "polish", "body", "hybrid", "general", "local", "accept", "click", "strings", "music", "class", "core", "contact", "flag", "united kingdom", "name server", "tcp system", "private limited", "prefetch2", "dns requests", "win32", "mtb jul", "susp", "worm", "trojan", "entries", "next associated", "mtb apr", "showing", "trojandropper", "virtool", "country", "csc corporate", "domains", "ransom", "lowfi", "urls show", "date checked", "url hostname", "domain address", "learn", "command", "control att", "ck id", "name tactics", "suspicious", "informative", "t1105 ingress", "tool transfer", "t1573 encrypted", "dynamicloader", "medium", "yara rule", "high", "windows", "remote data", "http traffic", "installs", "windows startup", "malware", "copy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1134, "hostname": 292, "domain": 197, "FileHash-MD5": 139, "FileHash-SHA1": 130, "FileHash-SHA256": 708, "email": 2 }, "indicator_count": 2602, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68886564cdc44059c7b2ef08", "name": "Denver Apartment Community website with multiple compromises", "description": "Network of a multi block Denver Townhome complex experiencing issues with info stealing, password o, spyware, ransomware, malware\u2026 \u2022Win.Trojan.Crypted-30\tPWS:Win32/Zbot\u2022(phish_alert_sp2_2.0.0.0) \u2022 (phish_alert_sp1_1.0.0.0 )(30)_url_001.bin\tFile detected as \"image\", this format is not supported on WINDOWS\terror\t\nMay 23rd 2023 06:20:30 (UTC)\tRe__Motherson_INVENSITY_Project_Discussion_url_001.bin\tFile \"Re__Motherson_INVENSITY_Project_Discussion_url_001.bin\" was detected as \"image\", this format is not supported on WINDOWS\terror\t\nMay 5th 2023 07:59:14 (UTC)\tRE XDR Roadmap Planning Workshop for Temasek Polytechnic_url_007.bin\tFile \"RE XDR Roadmap Planning Workshop for Temasek Polytechnic_url_007.bin\" was detected as \"image\", this format is not supported on WINDOWS\terror", "modified": "2025-08-28T06:00:46.366000", "created": "2025-07-29T06:08:36.770000", "tags": [ "context related", "associated urls", "community", "present jul", "present jun", "present may", "present apr", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present showing", "sha256", "submitted", "urls", "passive dns", "http", "unique", "ip asn", "as701 verizon", "url add", "pulse pulses", "ip address", "related nids", "windows error", "file", "re xdr", "workshop", "march", "february", "january", "windows nt", "klpx", "span", "script", "united", "indicator", "appdata", "pattern match", "runtime process", "copy md5", "iframe", "date", "jquery", "null", "solid", "code", "summer", "polish", "body", "hybrid", "general", "local", "accept", "click", "strings", "music", "class", "core", "contact", "flag", "united kingdom", "name server", "tcp system", "private limited", "prefetch2", "dns requests", "win32", "mtb jul", "susp", "worm", "trojan", "entries", "next associated", "mtb apr", "showing", "trojandropper", "virtool", "country", "csc corporate", "domains", "ransom", "lowfi", "urls show", "date checked", "url hostname", "domain address", "learn", "command", "control att", "ck id", "name tactics", "suspicious", "informative", "t1105 ingress", "tool transfer", "t1573 encrypted", "dynamicloader", "medium", "yara rule", "high", "windows", "remote data", "http traffic", "installs", "windows startup", "malware", "copy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1134, "hostname": 292, "domain": 197, "FileHash-MD5": 139, "FileHash-SHA1": 130, "FileHash-SHA256": 708, "email": 2 }, "indicator_count": 2602, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://foundry2-lbl.dvr.dn2.n-helix.com/", "https://hybrid-analysis.com/sample/c61237fcb798f05e6af32a6aa13f8e795aac47559d601eb7f93ad65bcf58b418/68e30c476b91a8000b0dd786", "https://www.netify.ai/resources/domains \u2022 192-168-0-21.3pt3m9ng2hf.ddns.manage.alta.inc", "grafana.ledocloud.com\u2022 192.168.0.21", "https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/", "https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/", "https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg", "https://310940000.android.com.twitter.android.adsenseformobileapps.com/", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6", "appspot.com \u2022 hyper7install.appspot.com", "192-168-0-21.siliconevalley1.direct.quickconnect.to", "https://hyundaibariavungtau3s.com/vehicle/hyundai-custin", "Terse Unencrypted Request for Google - Likely Connectivity Check", "https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]", "https://account.helix.com/activate/start", "cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com", "https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam", "feedback-pa.clients6.google.com/v1/survey/trigger/", "https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade", "http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/", "anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022", "http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466", "http://console.cloud.google.com/appengine", "https://hyundaibariavungtau3s.com/vehicle/stargazer", "116e33e0-8832-11ec-aef5-99a1d044639a-local.solinkcloud.com", "https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "zalo.me | href | Binary File | ATT&CK ID T1566.002", "anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net", "device-local-de06e551-6b23-4aa3-bb67-6972ae6d30b5.remotewd.com 192.168.0.21", "jaycobundaberg.eclipseaurahub.com.au 192.168.0.21", "Changed last several digits of gmail account # In example", "https://hyundaibariavungtau3s.com/vehicle/ioniq-5", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue", "drive.google.com/", "http://acounts.google.com/v/signin/identifier?continue=hts%253%252F2Fconsole.cloud.google.com2Fapengine&dsh=5-1106814258%2539876543210" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Backdoor:msil/bladabindi.aj", "Trojan:msil/rapidstealer.a", "Win.packed.generic-9795615-0", "Win32/scrarev.c", "Win.virus.virlock-6804475-0", "Win.downloader.small-1966", "Win32/madang", "Win.trojan.generic-6417450-0", "!themida", "Alf:backdoor:msil/noancooe.ka", "Trojan:msil/clipbanker", "Trojan:win32/floxif.e", "Virtool:win32/vbinder.co", "Trojan:msil/ranos.a", "Win32:salicode", "Win.malware.bzub-6727003-0", "Other malware", "Backdoor:msil/bladabindi.aj gc!", "Win.trojan.generic-9801687-0", "Win.packed.generic-9795615-0\t.", "Nid", "Win.packed.msilperseus-9956592-0", "Win.dropper.njrat-10015886-0", "Virus:win32/sality.at", "Win.packed.fecn-7077459-0" ], "industries": [], "unique_indicators": 10982 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/bitfrozen.org", "whois": "http://whois.domaintools.com/bitfrozen.org", "domain": "bitfrozen.org", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "692d02f096f3ec8b5b507496", "name": "Google Drive: Share Files Online with Secure Cloud Storage | Google Workspace", "description": "nJRAT | Corrupted Google Drive sent to targets former device. Years long social engineering may have been involved. All\nIoC\u2019s Appears to involve years of social engineering. Google\ndrive service in question is a storage service based in Vietnam. | \n\nBotnet / Check-ins / Spyware / Cams. [Anon Sec Botnet subdomain name pulsed. Close directly related to zalo.me\nand tbtteams.com]\nRequires further research.\n\nThis pulse is a bit confusing due where and who it originated from.", "modified": "2025-12-31T02:01:50.101000", "created": "2025-12-01T02:52:32.483000", "tags": [ "business", "enterprise", "drive", "english", "google drive", "try drive", "business small", "workspace", "sign", "strong", "find", "life", "tools", "protect", "cloud", "simple", "android", "indonesia", "video", "mb download", "shared may", "shared", "learn", "drive drive", "name date", "javascript", "dynamicloader", "medium", "minimal headers", "high", "observed get", "get http", "united", "yara rule", "http", "write", "guard", "malware", "read c", "ms windows", "intel", "png image", "rgba", "pe32", "get na", "explorer", "music", "virlock", "media", "ho chi", "minh city", "viet nam", "storage company", "limited", "google", "address as", "luutruso", "cloudflar", "domain", "asn15169", "asn56153", "asn13335", "cisco", "umbrella rank", "apex domain", "url https", "kb stylesheet", "kb font", "kb image", "image", "kb script", "november", "resource path", "size", "type mimetype", "primary request", "redirect chain", "kb document", "urls", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "t1590 gather", "windir", "openurl c", "prefetch2", "tor analysis", "dns requests", "domain address", "rsdsq jfu", "ollydbg ollydbg", "wireshark", "external", "binary file", "mitre att", "ck matrix", "aaaa", "cong ty", "co phan", "code", "province hcm", "files", "ip address", "request", "flag", "country", "contacted hosts", "process details", "link initial", "t1480 execution", "domains", "moved", "gmt content", "all ipv4", "url analysis", "location viet", "title", "error", "problem", "url add", "related nids", "files location", "flag united", "development att", "name server", "markmonitor", "localappdata", "programfiles", "edge", "hyundai", "social engineering", ".mil", "hackers", "phishing eml", "summary", "cisco umbrella", "google safe", "browsing", "current dns", "a record", "ip information", "ipasns ip", "detail domain", "domain tree", "links apex", "transfer", "b script", "b stylesheet", "frame b830", "b document", "value", "december", "degurafregistry", "gat object", "jsl object", "gapijstiming", "iframe function", "domainpath name", "nid value", "source level", "files domain", "files related", "tags", "related tags", "virustotal", "foundry", "pulse otx", "dark", "vietnam", "present aug", "present nov", "present jul", "present sep", "unknown aaaa", "search", "name servers", "present oct", "trojan", "data upload", "extraction", "se https", "include review", "exclude sugges", "find s", "failed", "typ don", "faith", "study", "romeo\u2019s", "juliettes", "femme fatales", "strategy", "honey pot", "honey traps", "spy", "helix", "anons", "passive dns", "pulse pulses", "files ip", "address", "location united", "asn as400519", "whois registrar", "ms defender", "files matching", "number", "sample analysis", "hide samples", "date hash", "cameras", "cams", "spycam", "botnet", "vietnam", "company limited", "dnssec", "status", "india unknown", "present may", "espionage", "hostname add", "generic", "cnc activity", "backdoor", "ipv4", "anonsecbotnet", "iptv" ], "references": [ "drive.google.com/", "https://foundry2-lbl.dvr.dn2.n-helix.com/", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "zalo.me | href | Binary File | ATT&CK ID T1566.002", "https://account.helix.com/activate/start", "anonsecbotnet.cameraddns.net \u2022 cameraddns.net \u2022 http://iptv.cameraddns.net/cotich/ \u2022 http://iptv.cameraddns.net/cotichC \u2022", "https://iptv.cameraddns.net/kodi/zips/plugin.video.iptvjson]", "Terse Unencrypted Request for Google - Likely Connectivity Check", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/c7aa2b182b17cfb5efb3367e0bc7b36e7088ab43a8fb21a772a0f8f90b7329d9", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/d334c3220573f98da1a0eef13be9c8b0053447519b3a6ace3728bcffa10b99b6", "cpcalendars.hyundaibariavungtau3s.com \u2022 cpcontacts.hyundaibariavungtau3s.com", "https://hyundaibariavungtau3s.com/vehicle/stargazer", "https://hyundaibariavungtau3s.com/vehicle/ioniq-5", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-venue", "https://hyundaibariavungtau3s.com/vehicle/new-hyundai-palisade", "https://hyundaibariavungtau3s.com/vehicle/hyundai-custin", "https://hyundaibariavungtau3s.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/", "https://delivery-mp-microsoft.dvrx.dn3.n-helix.com \u2022 https://dnsplay.dn2.n-helix.com", "https://dnss2.dn2.n-helix.com \u2022 https://dnssounib.dn2.n-helix.com/", "https://foundry2-lbl.dvr.dn2.n-helix.com/ \u2022 https://node8-serve.dvrx.dn3.n-helix.com \u2022 https://sfbambi-tel.dn2.n-helix.com \u2022 https://softlayer3.dn2.n-helix.com", "http://bjdclub.ru/out.phtml?www.skyxxxgals.info/feet-licking-porn/", "http://www.yayabay.com/forum/adclick.php?url=http%3a%2f%2fhkprice.info%2fpornstars%2f22466", "https://asianleak.com/videos/8120/sg-cousin-showering-spy-cam", "feedback-pa.clients6.google.com/v1/survey/trigger/", "https://feedback-pa.clients6.google.com/v1/survey/trigger/trigger_anonymous?key=AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg", "anonsecbotnet.cameraddns.net \u2022 http://anonsecbotnet.cameraddns.net \u2022 https://anonsecbotnet.cameraddns.net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Virus.Virlock-6804475-0", "display_name": "Win.Virus.Virlock-6804475-0", "target": null }, { "id": "Win.Malware.Bzub-6727003-0", "display_name": "Win.Malware.Bzub-6727003-0", "target": null }, { "id": "Win.Trojan.Generic-9801687-0", "display_name": "Win.Trojan.Generic-9801687-0", "target": null }, { "id": "NID", "display_name": "NID", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "Win.Dropper.njRAT-10015886-0", "display_name": "Win.Dropper.njRAT-10015886-0", "target": null }, { "id": "Win.Packed.Generic-9795615-0", "display_name": "Win.Packed.Generic-9795615-0", "target": null }, { "id": "Backdoor:MSIL/Bladabindi.AJ GC!", "display_name": "Backdoor:MSIL/Bladabindi.AJ GC!", "target": "/malware/Backdoor:MSIL/Bladabindi.AJ GC!" }, { "id": "Win.Packed.Generic-9795615-0\t.", "display_name": "Win.Packed.Generic-9795615-0\t.", "target": null }, { "id": "Backdoor:MSIL/Bladabindi.AJ", "display_name": "Backdoor:MSIL/Bladabindi.AJ", "target": "/malware/Backdoor:MSIL/Bladabindi.AJ" }, { "id": "Win.Packed.Fecn-7077459-0", "display_name": "Win.Packed.Fecn-7077459-0", "target": null }, { "id": "Trojan:MSIL/Ranos.A", "display_name": "Trojan:MSIL/Ranos.A", "target": "/malware/Trojan:MSIL/Ranos.A" }, { "id": "Win.Trojan.Generic-6417450-0", "display_name": "Win.Trojan.Generic-6417450-0", "target": null }, { "id": "ALF:Backdoor:MSIL/Noancooe.KA", "display_name": "ALF:Backdoor:MSIL/Noancooe.KA", "target": null }, { "id": "Win.Packed.Msilperseus-9956592-0", "display_name": "Win.Packed.Msilperseus-9956592-0", "target": null }, { "id": "Trojan:MSIL/ClipBanker", "display_name": "Trojan:MSIL/ClipBanker", "target": "/malware/Trojan:MSIL/ClipBanker" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1194", "name": "Spearphishing via Service", "display_name": "T1194 - Spearphishing via Service" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1911, "hostname": 714, "FileHash-SHA256": 1304, "FileHash-MD5": 159, "FileHash-SHA1": 71, "SSLCertFingerprint": 2, "domain": 421, "CVE": 1, "email": 4 }, "indicator_count": 4587, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68e32dd0c55bf224eb99dd58", "name": "Appspot.com - Google account fraud & infostealing", "description": "Fake Google email accounts. I\u2019ve reviewed a handful of targets with this issue. If starting with a new device, signed up for a new google account,\nthe users are automatically logged out, forced to sign in again, checked security features where you can see an unauthorized autonomous general\nphone, or iPhone or MacBook was also signed in in a different location. Even if you delete the device or email account, I\u2019ve seen the intruder handle CnC of all backups of photos and clouds. \n\n\n\n[OTX auto populated - The full list of domain names: APPSPot.COM.com, which was created on the same day as the Google search engine, has been published by the internet regulator, the IANA.]", "modified": "2025-11-05T01:01:26.928000", "created": "2025-10-06T02:47:44.098000", "tags": [ "aaaa", "susp", "trojan", "google", "server", "domain status", "registrar abuse", "domain name", "us registrant", "email", "contact email", "rdap database", "google app", "google hosted", "please", "vulnerabilities", "join", "bring", "api explorer", "engine", "admin sdk", "info", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "ssl certificate", "ascii text", "united", "pattern match", "mitre att", "general", "local", "path", "click", "strings", "porn", "phishing", "fraud", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "download", "apt", "ansi", "dumps", "file string", "seen", "disabled hash", "close", "hosts", "contact", "tellwise", "passive dns", "urls", "pulse pulses", "files", "verdict", "domain", "files ip", "address", "location united", "asn as15169", "extraction", "data upload", "extra", "referen http", "changed data", "failed", "include review", "t07 exclude", "extri data", "changed", "exclude", "find s", "tvnes data", "status", "present nov", "name servers", "entries", "geoid no", "present dec", "date", "error", "title", "sugges", "typ no", "no entrieotound", "scam", "foundry", "sabey type", "denver", "quasi", "phoenix", "australia" ], "references": [ "appspot.com \u2022 hyper7install.appspot.com", "https://hybrid-analysis.com/sample/c61237fcb798f05e6af32a6aa13f8e795aac47559d601eb7f93ad65bcf58b418/68e30c476b91a8000b0dd786", "http://acounts.google.com/v/signin/identifier?continue=hts%253%252F2Fconsole.cloud.google.com2Fapengine&dsh=5-1106814258%2539876543210", "Changed last several digits of gmail account # In example", "http://console.cloud.google.com/appengine", "https://310940000.android.com.twitter.android.adsenseformobileapps.com/", "https://www.netify.ai/resources/domains \u2022 192-168-0-21.3pt3m9ng2hf.ddns.manage.alta.inc", "device-local-de06e551-6b23-4aa3-bb67-6972ae6d30b5.remotewd.com 192.168.0.21", "116e33e0-8832-11ec-aef5-99a1d044639a-local.solinkcloud.com", "jaycobundaberg.eclipseaurahub.com.au 192.168.0.21", "grafana.ledocloud.com\u2022 192.168.0.21", "192-168-0-21.siliconevalley1.direct.quickconnect.to" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32/Madang", "display_name": "Win32/Madang", "target": null }, { "id": "Win.Downloader.Small-1966", "display_name": "Win.Downloader.Small-1966", "target": null }, { "id": "Win32:SaliCode", "display_name": "Win32:SaliCode", "target": null }, { "id": "Virtool:Win32/Vbinder.CO", "display_name": "Virtool:Win32/Vbinder.CO", "target": "/malware/Virtool:Win32/Vbinder.CO" }, { "id": "!Themida", "display_name": "!Themida", "target": null }, { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "Win32/Scrarev.C", "display_name": "Win32/Scrarev.C", "target": null }, { "id": "Trojan:MSIL/RapidStealer.A", "display_name": "Trojan:MSIL/RapidStealer.A", "target": "/malware/Trojan:MSIL/RapidStealer.A" } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 222, "FileHash-MD5": 146, "FileHash-SHA1": 317, "FileHash-SHA256": 1120, "email": 3, "hostname": 881, "URL": 1338, "SSLCertFingerprint": 7 }, "indicator_count": 4034, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "165 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688865644a38fd5eef407891", "name": "Denver Apartment Community website with multiple compromises", "description": "Network of a multi block Denver Townhome complex experiencing issues with info stealing, password o, spyware, ransomware, malware\u2026 \u2022Win.Trojan.Crypted-30\tPWS:Win32/Zbot\u2022(phish_alert_sp2_2.0.0.0) \u2022 (phish_alert_sp1_1.0.0.0 )(30)_url_001.bin\tFile detected as \"image\", this format is not supported on WINDOWS\terror\t\nMay 23rd 2023 06:20:30 (UTC)\tRe__Motherson_INVENSITY_Project_Discussion_url_001.bin\tFile \"Re__Motherson_INVENSITY_Project_Discussion_url_001.bin\" was detected as \"image\", this format is not supported on WINDOWS\terror\t\nMay 5th 2023 07:59:14 (UTC)\tRE XDR Roadmap Planning Workshop for Temasek Polytechnic_url_007.bin\tFile \"RE XDR Roadmap Planning Workshop for Temasek Polytechnic_url_007.bin\" was detected as \"image\", this format is not supported on WINDOWS\terror", "modified": "2025-08-28T06:00:46.366000", "created": "2025-07-29T06:08:36.869000", "tags": [ "context related", "associated urls", "community", "present jul", "present jun", "present may", "present apr", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present showing", "sha256", "submitted", "urls", "passive dns", "http", "unique", "ip asn", "as701 verizon", "url add", "pulse pulses", "ip address", "related nids", "windows error", "file", "re xdr", "workshop", "march", "february", "january", "windows nt", "klpx", "span", "script", "united", "indicator", "appdata", "pattern match", "runtime process", "copy md5", "iframe", "date", "jquery", "null", "solid", "code", "summer", "polish", "body", "hybrid", "general", "local", "accept", "click", "strings", "music", "class", "core", "contact", "flag", "united kingdom", "name server", "tcp system", "private limited", "prefetch2", "dns requests", "win32", "mtb jul", "susp", "worm", "trojan", "entries", "next associated", "mtb apr", "showing", "trojandropper", "virtool", "country", "csc corporate", "domains", "ransom", "lowfi", "urls show", "date checked", "url hostname", "domain address", "learn", "command", "control att", "ck id", "name tactics", "suspicious", "informative", "t1105 ingress", "tool transfer", "t1573 encrypted", "dynamicloader", "medium", "yara rule", "high", "windows", "remote data", "http traffic", "installs", "windows startup", "malware", "copy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1134, "hostname": 292, "domain": 197, "FileHash-MD5": 139, "FileHash-SHA1": 130, "FileHash-SHA256": 708, "email": 2 }, "indicator_count": 2602, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68886564cdc44059c7b2ef08", "name": "Denver Apartment Community website with multiple compromises", "description": "Network of a multi block Denver Townhome complex experiencing issues with info stealing, password o, spyware, ransomware, malware\u2026 \u2022Win.Trojan.Crypted-30\tPWS:Win32/Zbot\u2022(phish_alert_sp2_2.0.0.0) \u2022 (phish_alert_sp1_1.0.0.0 )(30)_url_001.bin\tFile detected as \"image\", this format is not supported on WINDOWS\terror\t\nMay 23rd 2023 06:20:30 (UTC)\tRe__Motherson_INVENSITY_Project_Discussion_url_001.bin\tFile \"Re__Motherson_INVENSITY_Project_Discussion_url_001.bin\" was detected as \"image\", this format is not supported on WINDOWS\terror\t\nMay 5th 2023 07:59:14 (UTC)\tRE XDR Roadmap Planning Workshop for Temasek Polytechnic_url_007.bin\tFile \"RE XDR Roadmap Planning Workshop for Temasek Polytechnic_url_007.bin\" was detected as \"image\", this format is not supported on WINDOWS\terror", "modified": "2025-08-28T06:00:46.366000", "created": "2025-07-29T06:08:36.770000", "tags": [ "context related", "associated urls", "community", "present jul", "present jun", "present may", "present apr", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present showing", "sha256", "submitted", "urls", "passive dns", "http", "unique", "ip asn", "as701 verizon", "url add", "pulse pulses", "ip address", "related nids", "windows error", "file", "re xdr", "workshop", "march", "february", "january", "windows nt", "klpx", "span", "script", "united", "indicator", "appdata", "pattern match", "runtime process", "copy md5", "iframe", "date", "jquery", "null", "solid", "code", "summer", "polish", "body", "hybrid", "general", "local", "accept", "click", "strings", "music", "class", "core", "contact", "flag", "united kingdom", "name server", "tcp system", "private limited", "prefetch2", "dns requests", "win32", "mtb jul", "susp", "worm", "trojan", "entries", "next associated", "mtb apr", "showing", "trojandropper", "virtool", "country", "csc corporate", "domains", "ransom", "lowfi", "urls show", "date checked", "url hostname", "domain address", "learn", "command", "control att", "ck id", "name tactics", "suspicious", "informative", "t1105 ingress", "tool transfer", "t1573 encrypted", "dynamicloader", "medium", "yara rule", "high", "windows", "remote data", "http traffic", "installs", "windows startup", "malware", "copy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1134, "hostname": 292, "domain": 197, "FileHash-MD5": 139, "FileHash-SHA1": 130, "FileHash-SHA256": 708, "email": 2 }, "indicator_count": 2602, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://bitfrozen.org", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://bitfrozen.org", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776596646.0888875 }