{
  "type": "URL",
  "indicator": "https://business.bing.com",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://business.bing.com",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "alexa",
        "message": "Alexa rank: #29",
        "name": "Listed on Alexa"
      },
      {
        "source": "akamai",
        "message": "Akamai rank: #93",
        "name": "Akamai Popular Domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain bing.com",
        "name": "Whitelisted domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain bing.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 4048900041,
      "indicator": "https://business.bing.com",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 12,
      "pulses": [
        {
          "id": "6709ad372568d7810af2e480",
          "name": "https://rcmp[.]ca/en/alberta // rcmp[.]ca // rcmp-grc[.]gc[.]ca - 12.06.25",
          "description": "Alberta RCMP\nhttps://rcmp[.]ca/en/alberta // rcmp[.]ca // rcmp-grc[.]gc[.]ca",
          "modified": "2026-01-05T22:04:46.025000",
          "created": "2024-10-11T22:56:55.968000",
          "tags": [
            "entity",
            "RCMP",
            "Alberta",
            "EPS",
            "Edmonton Police Services",
            "RCMP AB",
            "CrimeStoppers AB"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g69422d071856425cb7ef01a90232cae9aef9af2362ad45db8fc83caabe618606?theme=dark",
            "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13/iocs",
            "https://urlquery.net/report/54993e5a-9b3f-4eef-a219-6ed529b4ea66",
            "https://www.filescan.io/uploads/6775f8d1108e6fdea94ba637/reports/ba88f2c2-96e9-4106-9b93-4f7fa7f1519a/overview",
            "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee",
            "https://www.virustotal.com/gui/collection/malpedia_win_tofsee/summary",
            "https://viz.greynoise.io/analysis/ade7d4f8-0bf7-4582-9a91-f7b26c0bb9f7",
            "",
            "https://rcmp[.]ca/en/alberta",
            "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13",
            "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a/67e0baae85aff10b880edd20",
            "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "",
            "Government",
            "Telecommunications",
            "Education",
            "Technology",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 4,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 764,
            "FileHash-SHA1": 760,
            "FileHash-SHA256": 4062,
            "domain": 378,
            "hostname": 1808,
            "URL": 886,
            "SSLCertFingerprint": 18,
            "email": 10,
            "CVE": 1
          },
          "indicator_count": 8687,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 135,
          "modified_text": "103 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "680896aa900ac914a8897345",
          "name": "hxxps://crimestoppers[.]ab[.]ca -12.03.25",
          "description": "Analysis of hxxps://crimestoppers[.]ab[.]ca -Updated",
          "modified": "2026-01-02T10:03:02.125000",
          "created": "2025-04-23T07:28:42.097000",
          "tags": [
            "entity",
            "please",
            "javascript",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "virus",
            "ransomware",
            "static",
            "indicator of compromise",
            "ioc",
            "extraction",
            "emulation",
            "platform",
            "prefetch8 ansi",
            "show process",
            "ansi",
            "hash seen",
            "pcap processing",
            "pcap",
            "date",
            "ck id",
            "command decode",
            "threat level",
            "win64",
            "suspicious",
            "hybrid",
            "comspec",
            "close",
            "click",
            "hosts",
            "general",
            "path",
            "model",
            "encrypt",
            "mozi",
            "strings",
            "contact",
            "Crimestoppers",
            "Alberta"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g9668c50e2de9469883f69177b8280205c5494e1dae4548ea954447efa9601d63?theme=dark",
            "https://www.virustotal.com/gui/collection/539def30dd6cf1765c95f042e1b5c91fdab6f3210a78bf7ec42a5369afc87b63/iocs",
            "https://www.virustotal.com/gui/collection/539def30dd6cf1765c95f042e1b5c91fdab6f3210a78bf7ec42a5369afc87b63/summary",
            "https://www.hybrid-analysis.com/sample/1a5188c269891d3e27426787b243b056586c6536570a7112af4533bc63b764ca",
            "https://www.filescan.io/uploads/680891efe9c1e25797a05346/reports/f954a2d9-7437-4734-b64e-e6a2f07e6ccf/overview",
            "https://www.hybrid-analysis.com/sample/1a5188c269891d3e27426787b243b056586c6536570a7112af4533bc63b764ca/67e0bb7c22b1b76d6209c910",
            "https://www.filescan.io/uploads/69300efc8e26c121ec957ab6/reports/5ec46a13-5686-4def-bd1e-705effebb749/overview"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [
            "Government",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 25,
            "FileHash-SHA1": 24,
            "FileHash-SHA256": 683,
            "URL": 439,
            "domain": 204,
            "hostname": 103,
            "SSLCertFingerprint": 6,
            "email": 3
          },
          "indicator_count": 1487,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 128,
          "modified_text": "107 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "688ef0516013ca78448bf4e5",
          "name": "Foundry \u2022 Reflected Networks Pornhub Malvertising Subsidiary",
          "description": "Foundry ?  Pornhub\nsanfoundry.com\ncompliance.fifoundry.net- Pornhub subsidiary. Targets networks, devices, routers, used for promoting pornography and her music. Producer revealed her hooks were used for Justin Bieber &  Tori Kelly songs that. A producer stated her songs had been grifted. Both Tsara Brashears & a studio were in Pegasus & attacked by \u2018Lazarus\u2019 Group. She was told in detail how her songs can be used by music insiders if they choose.  Target trolled by mocking hackers re: the JB and Kelly song.. Trojan:Win32/DisableUAC.A!bit\n, MSIL:Suspicious:ScreenCapture.S01\nIDS Detections\nLokiBot Checkin\nLokiBot User-Agent (Charon/Inferno)\nLokiBot Application/Credential Data Exfiltration Detected M1\nLokiBot Request for C2 Commands Detected M1\nLokiBot Application/Credential Data Exfiltration Detected M2\nLokiBot Request for C2 Commands Detected M2\nTrojan Generic - POST To gate.php with no referer\nSSL excessive fatal alerts (possible POODLE attack against server)\nI will revisit this. Gloryhole Foundation?",
          "modified": "2025-09-02T04:01:31.218000",
          "created": "2025-08-03T05:14:57.402000",
          "tags": [
            "united",
            "moved",
            "entries",
            "passive dns",
            "detected m1",
            "next associated",
            "mtb apr",
            "mtb aug",
            "server",
            "gmt content",
            "trojandropper",
            "trojan",
            "body",
            "lokibot request",
            "c2 commands",
            "detected m2",
            "otx telemetry",
            "historical otx",
            "twitter running",
            "open ports",
            "cves",
            "time",
            "dynamicloader",
            "port",
            "search",
            "show",
            "destination",
            "alerts",
            "copy",
            "dynamic",
            "medium",
            "write",
            "creation date",
            "hostmaster",
            "urls",
            "domain",
            "showing",
            "hostname add",
            "pulse pulses",
            "date",
            "flag",
            "falcon sandbox",
            "name server",
            "markmonitor",
            "analysis",
            "mitre att",
            "anonymous",
            "upgrade",
            "hybrid",
            "contact",
            "usa windows",
            "december",
            "input threat",
            "level analysis",
            "summary",
            "february",
            "hwp support",
            "january",
            "october",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "adversaries",
            "calls",
            "command",
            "javascript",
            "object model",
            "model",
            "windir",
            "json data",
            "localappdata",
            "ascii text",
            "temp",
            "getprocaddress",
            "script",
            "license",
            "runtime process",
            "copy md5",
            "facebook",
            "roboto",
            "error",
            "win64",
            "path",
            "blink",
            "meta",
            "factory",
            "general",
            "comspec",
            "click",
            "strings",
            "damage",
            "mini",
            "stop",
            "core",
            "expl",
            "win32",
            "gmt server",
            "ecacc saa83dd",
            "ipv4 add",
            "twitter",
            "cobalt strike",
            "mozilla"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 263,
            "FileHash-SHA1": 256,
            "FileHash-SHA256": 837,
            "hostname": 4415,
            "URL": 1918,
            "domain": 1884,
            "email": 2,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 9577,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "229 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "681972c85a50af103c25319d",
          "name": "hxxps://ecfmg[.]org - 05.05.25",
          "description": "Malcore - Simple File Analysis\n\nDomain Analysis: ECFMG",
          "modified": "2025-06-05T02:05:37.765000",
          "created": "2025-05-06T02:24:08.420000",
          "tags": [
            "malcore",
            "file analysis",
            "part",
            "encrypt",
            "sha1",
            "digicert inc",
            "ee fingerprint",
            "ee sha256",
            "ea first",
            "adobe",
            "october",
            "e1 fingerprint",
            "info",
            "first",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "please",
            "virus",
            "ransomware",
            "static",
            "indicator of compromise",
            "ioc",
            "extraction",
            "emulation",
            "platform",
            "intealth",
            "nsi1",
            "prefetch8 ansi",
            "ansi",
            "show process",
            "section",
            "figure",
            "hash seen",
            "date",
            "pcap processing",
            "pcap",
            "win64",
            "span",
            "suspicious",
            "form",
            "hybrid",
            "twitter",
            "meta",
            "body",
            "service",
            "august",
            "facebook",
            "comspec",
            "close",
            "click",
            "hosts",
            "general",
            "path",
            "model",
            "bran",
            "mozilla",
            "strings",
            "contact",
            "UAlberta",
            "ECFMG"
          ],
          "references": [
            "https://app.malcore.io/report/67ab258eda3e8886f5e4eb10/scan/67ab2665292fee4c5ec0b4d5",
            "https://www.hybrid-analysis.com/sample/ca5568efb9bf69de73013b6d7d0ef433cabf2c12c1e9d1e563bcaf6445bed0be",
            "https://www.filescan.io/uploads/68197116c7418694c8a5d9bd/reports/25f29dd6-c473-4e65-9fe4-fedd357dee67/overview",
            "https://www.hybrid-analysis.com/sample/ca5568efb9bf69de73013b6d7d0ef433cabf2c12c1e9d1e563bcaf6445bed0be/681970419aeb093a0508ec56"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [
            "Education",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 25,
            "SSLCertFingerprint": 189,
            "URL": 211,
            "domain": 60,
            "hostname": 177,
            "email": 8,
            "FileHash-SHA1": 19,
            "FileHash-SHA256": 39
          },
          "indicator_count": 728,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 128,
          "modified_text": "318 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "680a8d38da27a781f3874c55",
          "name": "connect-care[.]ca - 04.24.25 - #UAlberta #DataBreach -> #Alberta #Healthcare",
          "description": "Found some more problems when attempting to access connectcare with my old (stolen) credentials and a workaround. It appears (as it was tied to the University of Alberta) that this account has also been tampered with. Conducted general domain analysis. Related to all healthcare pulses in this AlienVault Group in the listed countries below (several others to add in yet).",
          "modified": "2025-05-24T18:05:13.820000",
          "created": "2025-04-24T19:12:56.287000",
          "tags": [
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "please",
            "entity",
            "javascript",
            "virus",
            "ransomware",
            "static",
            "indicator of compromise",
            "ioc",
            "extraction",
            "emulation",
            "platform",
            "ansi",
            "connect care",
            "memoryfile scan",
            "span",
            "pcap processing",
            "pcap",
            "script",
            "pdf url",
            "win64",
            "date",
            "iframe",
            "contact",
            "footer",
            "meta",
            "wave",
            "suspicious",
            "general",
            "mission",
            "calgary",
            "comspec",
            "hybrid",
            "mozilla",
            "main",
            "body",
            "form",
            "model",
            "close",
            "click",
            "hosts",
            "mozi",
            "core",
            "false",
            "april",
            "path",
            "window",
            "dest",
            "bran",
            "strings",
            "malicious",
            "UAlberta",
            "Connect Care",
            "Alberta Health Services",
            "Healthcare",
            "#YYG",
            "#YYC"
          ],
          "references": [
            "https://www.hybrid-analysis.com/sample/54aa9d1f10c072da249c270460c0269fae28347cc10abcb2f8a0c104a4abdaf5",
            "https://www.virustotal.com/graph/embed/g7a13908b6b3844af97ae41353ef4e5ddac98d327bf0b4b2d97343fbf97836264?theme=dark",
            "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163",
            "https://www.filescan.io/uploads/680a86d6218c4a98ade08dd3/reports/4b5b194b-2a17-4f63-965b-804b22cef458/overview",
            "https://www.hybrid-analysis.com/sample/54aa9d1f10c072da249c270460c0269fae28347cc10abcb2f8a0c104a4abdaf5/680a8663a2ca2123f506b2c7",
            "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163/summary",
            "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163/iocs"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America",
            "Anguilla",
            "Aruba",
            "Netherlands",
            "Mexico",
            "Saint Vincent and the Grenadines",
            "Cura\u00e7ao",
            "Bonaire, Sint Eustatius and Saba",
            "Panama",
            "Tanzania, United Republic of",
            "Ukraine"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [
            "Healthcare",
            "Education",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 89,
            "FileHash-SHA1": 84,
            "FileHash-SHA256": 166,
            "domain": 48,
            "hostname": 179,
            "URL": 151,
            "email": 14,
            "SSLCertFingerprint": 14
          },
          "indicator_count": 745,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 130,
          "modified_text": "329 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67d9aa3446a826d09e3fcbd1",
          "name": "SSL [.] com - (Unenriched)",
          "description": "Analysis of phishing domain/service - ssl dot com\n\nUpdated 04.09.25: was able to pull IOCs from graph (vT): https://www.virustotal.com/graph/embed/ga5becca9d0964040a5408d2de66d37952e5d92e7a3694941a8d11cc8bbf1fc94?theme=dark",
          "modified": "2025-05-08T21:00:41.641000",
          "created": "2025-03-18T17:15:32.007000",
          "tags": [
            "malware",
            "virus",
            "trojan",
            "ransomware",
            "static",
            "analysis",
            "indicator of compromise",
            "ioc",
            "extraction",
            "emulation",
            "online",
            "submit",
            "sample",
            "download",
            "platform",
            "sandbox",
            "vxstream",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "please",
            "javascript",
            "ansi",
            "pcap processing",
            "pcap",
            "prefetch8 ansi",
            "united",
            "date",
            "threat level",
            "show process",
            "hash seen",
            "programfiles",
            "win64",
            "comspec",
            "suspicious",
            "model",
            "hybrid",
            "close",
            "click",
            "hosts",
            "service",
            "general",
            "path",
            "encrypt",
            "strings",
            "contact",
            "SSL"
          ],
          "references": [
            "https://www.filescan.io/uploads/67d9a1b50a7899f3579c2e15/reports/e94f370c-9b21-4fc7-be6d-a23f17a236a0/ioc",
            "https://hybrid-analysis.com/sample/225749540c7c585ae4567062cfb85980f0966cc3386540b5259471b8e2e5315e",
            "https://www.virustotal.com/gui/domain/ssl.com/details",
            "https://hybrid-analysis.com/sample/225749540c7c585ae4567062cfb85980f0966cc3386540b5259471b8e2e5315e/67d9a21c369b542db10921d1",
            "https://www.virustotal.com/graph/embed/ga5becca9d0964040a5408d2de66d37952e5d92e7a3694941a8d11cc8bbf1fc94?theme=dark",
            "https://www.virustotal.com/gui/collection/9ba080a708abedd7a118bdc24ce5cf5d842d87a86b89b9cc2191afe0f0d4231c",
            "https://www.virustotal.com/gui/collection/9ba080a708abedd7a118bdc24ce5cf5d842d87a86b89b9cc2191afe0f0d4231c/iocs",
            "https://www.virustotal.com/gui/collection/9ba080a708abedd7a118bdc24ce5cf5d842d87a86b89b9cc2191afe0f0d4231c/summary",
            "https://metadefender.com/results/url/aHR0cDovL3NzbC5jb20=",
            "https://pastebin.com/yYxyUWra - 03.18.25 = Paste to CERT Related Pulses/References",
            "https://www.virustotal.com/graph/embed/ga5becca9d0964040a5408d2de66d37952e5d92e7a3694941a8d11cc8bbf1fc94?theme=dark - 04.09.25"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [
            "Technology",
            "Education",
            "Government",
            "Telecommunications",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 39,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 218,
            "FileHash-MD5": 80,
            "FileHash-SHA1": 80,
            "FileHash-SHA256": 462,
            "domain": 31,
            "hostname": 225,
            "SSLCertFingerprint": 15,
            "email": 10
          },
          "indicator_count": 1121,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 128,
          "modified_text": "345 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67e6ffbc9aeff4c5629b79eb",
          "name": "Threat Intelligence - Firebase - Interesting - 03.28.25",
          "description": "Related to a Firebase thing (I'll have to go through my notes)***",
          "modified": "2025-04-27T19:00:05.873000",
          "created": "2025-03-28T19:59:56.661000",
          "tags": [
            "threat intelligence",
            "feed",
            "ioc",
            "change theme",
            "contact us",
            "intelligence",
            "threats api",
            "analyze api",
            "overview",
            "threats explore",
            "rate limits",
            "stixtaxii",
            "bulk export",
            "please",
            "javascript",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "virus",
            "ransomware",
            "static",
            "indicator of compromise",
            "extraction",
            "emulation",
            "platform",
            "prefetch8 ansi",
            "show process",
            "ansi",
            "hash seen",
            "script",
            "programfiles",
            "date",
            "threat level",
            "ck id",
            "command decode",
            "win64",
            "suspicious",
            "comspec",
            "hybrid",
            "meta",
            "error",
            "body",
            "model",
            "close",
            "click",
            "hosts",
            "general",
            "path",
            "service",
            "strings",
            "contact",
            "triage",
            "report",
            "reported",
            "analyze",
            "download submit",
            "sha512",
            "prefetch8",
            "sha256",
            "sha1",
            "filesize",
            "file",
            "process key",
            "iocs",
            "process",
            "config",
            "copy",
            "target",
            "impact"
          ],
          "references": [
            "https://pulsedive.com/indicator/?iid=68496815",
            "https://www.virustotal.com/gui/domain/virustotalcloud.firebaseapp.com",
            "https://www.virustotal.com/gui/domain/virustotalcloud.firebaseapp.com/details",
            "https://hybrid-analysis.com/sample/81676c04bdcd5f8e16e125049b63a3853d8cdcd68080bcad382c99313a29a8aa",
            "https://www.filescan.io/uploads/67e6fbc2f274bf2d8e27bf9c/reports/cebd554f-01e7-4a20-b447-4f7a9d9ccc48/ioc",
            "https://hybrid-analysis.com/sample/81676c04bdcd5f8e16e125049b63a3853d8cdcd68080bcad382c99313a29a8aa/67e6fb999ade40aeca0025b2",
            "https://tria.ge/250328-yg3r6sslv5/behavioral1"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1217",
              "name": "Browser Bookmark Discovery",
              "display_name": "T1217 - Browser Bookmark Discovery"
            }
          ],
          "industries": [
            "Technology",
            "Education",
            "Telecommunications",
            "Healthcare",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 32,
            "domain": 6,
            "FileHash-MD5": 46,
            "FileHash-SHA1": 47,
            "FileHash-SHA256": 47,
            "SSLCertFingerprint": 7,
            "email": 4,
            "hostname": 15
          },
          "indicator_count": 204,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 128,
          "modified_text": "356 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67e6e8d275e9af41c5b1145c",
          "name": "138[.]88[.]54[.]34[.]bc[.]googleusercontent[.]com",
          "description": "138[.]88[.]54[.]34[.]bc[.]googleusercontent[.]com\nSubmitted to VT, FS, PD, MD\n\nTriage -> some potential assoc. w. virustotal[.]firebaseapp[.]com ??",
          "modified": "2025-04-27T18:03:51.813000",
          "created": "2025-03-28T18:22:10.123000",
          "tags": [
            "please",
            "javascript",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "prefetch8 ansi",
            "ansi",
            "date",
            "show process",
            "pcap processing",
            "threat level",
            "hash seen",
            "pcap",
            "sha256",
            "script",
            "meta",
            "virustotal",
            "win64",
            "suspicious",
            "comspec",
            "hybrid",
            "body",
            "iframe",
            "model",
            "close",
            "click",
            "hosts",
            "general",
            "path",
            "service",
            "strings",
            "contact",
            "nsi1",
            "jid560662135",
            "slc1",
            "z409072123",
            "threat intelligence",
            "feed",
            "ioc",
            "change theme",
            "contact us",
            "intelligence",
            "threats api",
            "analyze api",
            "overview",
            "threats explore",
            "rate limits",
            "stixtaxii",
            "bulk export",
            "virus",
            "ransomware",
            "static",
            "indicator of compromise",
            "extraction",
            "emulation",
            "platform",
            "community",
            "results",
            "switch",
            "inquest labs",
            "resources api",
            "notes supported",
            "cve list",
            "drop your",
            "file"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/17c3ff1fc83e2b651cb7b830f97833fbf05986d5b32b5d180937b7fed8b721b3/67e6e2a122728175b007effc",
            "https://pulsedive.com/indicator/?iid=68288076",
            "https://www.filescan.io/uploads/67e6e25af274bf2d8e279d3a/reports/30034848-b06b-443d-b898-77b47ea0048c/overview",
            "https://metadefender.com/results/url/aHR0cDovLzEzOC44OC41NC4zNC5iYy5nb29nbGV1c2VyY29udGVudC5jb20=",
            "https://tria.ge/250328-wws56sztax",
            "https://polyswarm.network/scan/results/url/6f357a6585e7e96c2ce57d4f9f68e9f0ab0bd7f51d8efe333b3fabae9eb8ab0a/details"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Netherlands",
            "United Kingdom of Great Britain and Northern Ireland",
            "Spain"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 66,
            "FileHash-SHA1": 63,
            "FileHash-SHA256": 62,
            "SSLCertFingerprint": 7,
            "URL": 70,
            "email": 3,
            "hostname": 25,
            "domain": 6
          },
          "indicator_count": 302,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "356 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67e5b274d3c655145f165ab7",
          "name": "Hybrid Analysis / Filescan of VT Graph -> Just for kicks",
          "description": "Just threw in a graph into Hybrid Analysis to see what it pulls from it -> IOCs in this pulse\n\nThe VT Graph: https://www.virustotal.com/graph/embed/g831fa6e61c89456b9be9df8d705dec5282a938ecc1e2443a9663ec2db6fa07b1?theme=dark\n\nRelated VT Collection\nMalcerts submitted to Filescan. io - 03.26.25 = https://www.virustotal.com/gui/collection/906953228691774a070b263dca65ada5f5da7c293fe152d8d93249161aa44922/iocs (in references)\n\nAlso tossed it into Filescan. io = https://www.filescan.io/uploads/67e5b0d409c39f5498b627ea/reports/d86bf9bb-449d-491a-9127-b8a6ac553822/overview",
          "modified": "2025-04-26T20:02:34.518000",
          "created": "2025-03-27T20:17:56.580000",
          "tags": [
            "please",
            "javascript",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "prefetch8 ansi",
            "ansi",
            "show process",
            "hash seen",
            "date",
            "pcap processing",
            "pcap",
            "threat level",
            "ck id",
            "command decode",
            "meta",
            "win64",
            "suspicious",
            "general",
            "hybrid",
            "virustotal",
            "body",
            "comspec",
            "close",
            "click",
            "hosts",
            "service",
            "path",
            "model",
            "strings",
            "contact",
            "entity"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/906953228691774a070b263dca65ada5f5da7c293fe152d8d93249161aa44922/iocs",
            "https://hybrid-analysis.com/sample/15eddfc9f8ebe4f85414b858a4f7d69f123d53aef07b63943215378850482f76/67e5a4bcf63bbe94c90326d3",
            "https://www.virustotal.com/graph/embed/g831fa6e61c89456b9be9df8d705dec5282a938ecc1e2443a9663ec2db6fa07b1?theme=dark",
            "https://www.filescan.io/uploads/67e5b0d409c39f5498b627ea/reports/d86bf9bb-449d-491a-9127-b8a6ac553822/overview"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Netherlands"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [
            "Technology",
            "Telecommunications",
            "Education",
            "Healthcare",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 20,
            "FileHash-SHA1": 20,
            "FileHash-SHA256": 20,
            "SSLCertFingerprint": 10,
            "URL": 16,
            "email": 6,
            "hostname": 16,
            "domain": 6
          },
          "indicator_count": 114,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 130,
          "modified_text": "357 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67e1aa875e6c907d7e1b5fa0",
          "name": "hxxps://tech4service.ca - 03.24.25",
          "description": "YEG tech/hardware vendor",
          "modified": "2025-04-23T18:02:31.021000",
          "created": "2025-03-24T18:55:03.147000",
          "tags": [
            "please",
            "javascript",
            "threat intelligence",
            "feed",
            "ioc",
            "change theme",
            "contact us",
            "intelligence",
            "threats api",
            "analyze api",
            "overview",
            "threats explore",
            "rate limits",
            "stixtaxii",
            "bulk export",
            "community",
            "results",
            "switch",
            "inquest labs",
            "resources api",
            "notes supported",
            "cve list",
            "drop your",
            "file",
            "service",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "virus",
            "ransomware",
            "static",
            "indicator of compromise",
            "extraction",
            "emulation",
            "platform",
            "prefetch8 ansi",
            "ansi",
            "show process",
            "hash seen",
            "pcap processing",
            "pcap",
            "date",
            "ck id",
            "command decode",
            "mitre att",
            "win64",
            "suspicious",
            "hybrid",
            "comspec",
            "close",
            "click",
            "hosts",
            "general",
            "path",
            "model",
            "encrypt",
            "upgrade",
            "strings",
            "contact"
          ],
          "references": [
            "https://www.virustotal.com/gui/url/d3fcc8b4575e8e04b8c80b171089c26f3d117ac9b11e971dc4fd0345f00b4414",
            "https://pulsedive.com/indicator/?iid=68410521",
            "https://metadefender.com/results/url/aHR0cHM6Ly90ZWNoNHNlcnZpY2UuY2E=",
            "https://hybrid-analysis.com/sample/4ac0486c18ef662f2ba44e75cc13830d7e3d6a8ec20040a78e7818a6484bf807",
            "https://www.filescan.io/uploads/67e1a7ffc26eb3fd74f584c0/reports/28bf2c8b-9ebd-4f47-8428-135838c23c2f/overview",
            "https://www.filescan.io/uploads/67e1a7ffc26eb3fd74f584c0/reports/28bf2c8b-9ebd-4f47-8428-135838c23c2f/geolocation",
            "https://www.filescan.io/uploads/67e1a7ffc26eb3fd74f584c0/reports/28bf2c8b-9ebd-4f47-8428-135838c23c2f/ioc",
            "https://hybrid-analysis.com/sample/4ac0486c18ef662f2ba44e75cc13830d7e3d6a8ec20040a78e7818a6484bf807/67e1a708525a509d1805065a",
            "",
            "https://pulsedive.com/indicator/?iid=68410679"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 189,
            "FileHash-MD5": 21,
            "FileHash-SHA1": 20,
            "FileHash-SHA256": 20,
            "domain": 29,
            "email": 7,
            "hostname": 37,
            "SSLCertFingerprint": 20
          },
          "indicator_count": 343,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 128,
          "modified_text": "360 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67e113ee4c99a48ec9f7f689",
          "name": "hxxps://www[.]homearcadeinabox[.]com - 03.24.25",
          "description": "hxxps://www[.]homearcadeinabox[.]com\n\nYEG-based Android Box Distributor",
          "modified": "2025-04-23T07:01:52.444000",
          "created": "2025-03-24T08:12:30.637000",
          "tags": [
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "ansi",
            "prefetch8 ansi",
            "date",
            "threat level",
            "pcap processing",
            "show process",
            "pcap",
            "hash seen",
            "sha256",
            "win64",
            "suspicious",
            "comspec",
            "hybrid",
            "model",
            "encrypt",
            "close",
            "click",
            "hosts",
            "general",
            "path",
            "mozi",
            "strings",
            "contact",
            "please",
            "javascript",
            "threat intelligence",
            "feed",
            "ioc",
            "change theme",
            "contact us",
            "intelligence",
            "threats api",
            "analyze api",
            "overview",
            "threats explore",
            "rate limits",
            "stixtaxii",
            "bulk export",
            "community",
            "results",
            "switch",
            "inquest labs",
            "resources api",
            "notes supported",
            "cve list",
            "drop your",
            "file",
            "service",
            "virus",
            "ransomware",
            "static",
            "indicator of compromise",
            "extraction",
            "emulation",
            "platform",
            "entity"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/f365ad976bd2a8d76bde7f955db2a06c9c430ffbb96bc4bd40b799a5190da839/67e10e11e9e6b273b5030af6",
            "https://www.virustotal.com/gui/url/feb5f01dcd95d4607a0dbb97dbd6352af5ffb67770238cf0a1d5086d52654248?nocache=1",
            "https://pulsedive.com/indicator/?iid=68394260",
            "https://metadefender.com/results/url/aHR0cHM6Ly93d3cuaG9tZWFyY2FkZWluYWJveC5jb20=",
            "https://www.filescan.io/uploads/67e110bec26eb3fd74f4f3ad/reports/0fcb3a74-e7dd-4a0c-8976-5dc4f912e70d/overview",
            "https://www.virustotal.com/graph/embed/g48d4db81e8674614bec5518a136f3761f7f07ed069374524aa839196f53d629c?theme=dark"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [
            "Technology",
            "Media",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 38,
            "FileHash-SHA1": 38,
            "FileHash-SHA256": 49,
            "SSLCertFingerprint": 12,
            "URL": 16,
            "domain": 92,
            "email": 6,
            "hostname": 68
          },
          "indicator_count": 319,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 128,
          "modified_text": "361 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "67db9be18168bc23126a0f17",
          "name": "Falcon Sandbox (Hybrid Analysis), FileScan[.]io & URLScan[.]io - UAlberta[.]ca domain analysis",
          "description": "Domain Analysis of hxxp://ualberta[.]ca w. Hybrid Analysis, Filescan, URLscan\n-Followed up w. analysis of previously submitted URLscan submissions w. an analysis by Greynoise[.]io (up to 03.19.25)\n-Greynoise yielded (from URLScan 120 Identified & 10 Unknowns) - the results classified as RIOTS appear to be confounded (potential abuse of Amazon Web Services in combination w. other cloud provider services).\n-It appears just visiting and/or touching this domain is generally not recommended\n-Results from PulseDive -> Redirects to: https://www.ualberta[.]ca/en/index.html // SSL certificate found: ualberta[.]ca and 239 more. Edmonton, Canada, University of Alberta. dnsmaster@ualberta.ca\neasyDNS Technologies Inc. Amazon ALB, Amazon Cloudfront, Apache HTTP Server, Bootstrap, Coveo, Crazy Egg, Facebook Pixel, Font Awesome, Google Analytics, Google Font API, jQuery, Linkedin Insight Tag, Microsoft Clarity, Open Graph, TikTok Pixel, Twitter Ads",
          "modified": "2025-04-19T04:02:16.037000",
          "created": "2025-03-20T04:38:57.551000",
          "tags": [
            "as16509",
            "amazon02",
            "redirect",
            "as14618",
            "amazonaes",
            "search",
            "public",
            "home search",
            "live api",
            "blog docs",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "pcap processing",
            "ansi",
            "pcap",
            "gecko",
            "win64",
            "khtml",
            "windows nt",
            "brand",
            "prefetch8 ansi",
            "microsoft edge",
            "date",
            "cookie",
            "mozilla",
            "suspicious",
            "comspec",
            "window",
            "model",
            "hybrid",
            "accept",
            "hacked",
            "starfield",
            "encrypt",
            "close",
            "click",
            "twitter",
            "hosts",
            "service",
            "general",
            "path",
            "union",
            "dest",
            "strings",
            "contact"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/dea64c4ce5cd9b55fb634888e4c6530728e266c8cb6d2bf670a9fe9e3f712c43/67db93032dc368d2d80c3df1",
            "https://urlscan.io/search/#page.domain%3Awww.ualberta.ca",
            "https://www.filescan.io/uploads/67db2f67b93e688233ef36e9/reports/7e4e4377-5eb9-48a7-848d-bfdca4fb244c/ioc",
            "https://hybrid-analysis.com/sample/dea64c4ce5cd9b55fb634888e4c6530728e266c8cb6d2bf670a9fe9e3f712c43",
            "https://hybrid-analysis.com/sample/dea64c4ce5cd9b55fb634888e4c6530728e266c8cb6d2bf670a9fe9e3f712c43/67db93032dc368d2d80c3df1",
            "https://viz.greynoise.io/analysis/5692e934-322f-48b9-bd9b-556e653ff5b6",
            "https://pulsedive.com/ioc/ualberta.ca"
          ],
          "public": 1,
          "adversary": "dosdean@ualberta[.]ca // ciso@ualberta[.]ca",
          "targeted_countries": [
            "United States of America",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [
            "Education",
            "Technology",
            "Government",
            "Agriculture",
            "Healthcare",
            "Chemical",
            "Finance",
            "Media"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 897,
            "domain": 37,
            "email": 34,
            "hostname": 396,
            "FileHash-MD5": 71,
            "FileHash-SHA1": 69,
            "FileHash-SHA256": 69,
            "SSLCertFingerprint": 23
          },
          "indicator_count": 1596,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 130,
          "modified_text": "365 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "https://www.virustotal.com/gui/domain/virustotalcloud.firebaseapp.com/details",
        "https://www.filescan.io/uploads/67e1a7ffc26eb3fd74f584c0/reports/28bf2c8b-9ebd-4f47-8428-135838c23c2f/overview",
        "https://pulsedive.com/indicator/?iid=68410679",
        "https://www.hybrid-analysis.com/sample/ca5568efb9bf69de73013b6d7d0ef433cabf2c12c1e9d1e563bcaf6445bed0be/681970419aeb093a0508ec56",
        "https://pulsedive.com/indicator/?iid=68410521",
        "https://pastebin.com/yYxyUWra - 03.18.25 = Paste to CERT Related Pulses/References",
        "https://www.filescan.io/uploads/67db2f67b93e688233ef36e9/reports/7e4e4377-5eb9-48a7-848d-bfdca4fb244c/ioc",
        "https://polyswarm.network/scan/results/url/6f357a6585e7e96c2ce57d4f9f68e9f0ab0bd7f51d8efe333b3fabae9eb8ab0a/details",
        "https://www.virustotal.com/graph/embed/g7a13908b6b3844af97ae41353ef4e5ddac98d327bf0b4b2d97343fbf97836264?theme=dark",
        "https://www.filescan.io/uploads/69300efc8e26c121ec957ab6/reports/5ec46a13-5686-4def-bd1e-705effebb749/overview",
        "https://www.hybrid-analysis.com/sample/1a5188c269891d3e27426787b243b056586c6536570a7112af4533bc63b764ca",
        "https://hybrid-analysis.com/sample/81676c04bdcd5f8e16e125049b63a3853d8cdcd68080bcad382c99313a29a8aa",
        "https://www.filescan.io/uploads/67e1a7ffc26eb3fd74f584c0/reports/28bf2c8b-9ebd-4f47-8428-135838c23c2f/ioc",
        "https://metadefender.com/results/url/aHR0cDovL3NzbC5jb20=",
        "https://pulsedive.com/ioc/ualberta.ca",
        "https://www.filescan.io/uploads/6775f8d1108e6fdea94ba637/reports/ba88f2c2-96e9-4106-9b93-4f7fa7f1519a/overview",
        "https://pulsedive.com/indicator/?iid=68496815",
        "https://www.hybrid-analysis.com/sample/54aa9d1f10c072da249c270460c0269fae28347cc10abcb2f8a0c104a4abdaf5",
        "https://metadefender.com/results/url/aHR0cHM6Ly90ZWNoNHNlcnZpY2UuY2E=",
        "https://www.virustotal.com/graph/embed/ga5becca9d0964040a5408d2de66d37952e5d92e7a3694941a8d11cc8bbf1fc94?theme=dark - 04.09.25",
        "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13",
        "https://www.virustotal.com/gui/collection/9ba080a708abedd7a118bdc24ce5cf5d842d87a86b89b9cc2191afe0f0d4231c/summary",
        "https://www.hybrid-analysis.com/sample/ca5568efb9bf69de73013b6d7d0ef433cabf2c12c1e9d1e563bcaf6445bed0be",
        "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163/iocs",
        "https://www.virustotal.com/graph/embed/g9668c50e2de9469883f69177b8280205c5494e1dae4548ea954447efa9601d63?theme=dark",
        "https://viz.greynoise.io/analysis/ade7d4f8-0bf7-4582-9a91-f7b26c0bb9f7",
        "https://hybrid-analysis.com/sample/81676c04bdcd5f8e16e125049b63a3853d8cdcd68080bcad382c99313a29a8aa/67e6fb999ade40aeca0025b2",
        "https://www.hybrid-analysis.com/sample/1a5188c269891d3e27426787b243b056586c6536570a7112af4533bc63b764ca/67e0bb7c22b1b76d6209c910",
        "https://pulsedive.com/indicator/?iid=68394260",
        "https://viz.greynoise.io/analysis/5692e934-322f-48b9-bd9b-556e653ff5b6",
        "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13/iocs",
        "https://www.virustotal.com/gui/domain/virustotalcloud.firebaseapp.com",
        "https://hybrid-analysis.com/sample/4ac0486c18ef662f2ba44e75cc13830d7e3d6a8ec20040a78e7818a6484bf807/67e1a708525a509d1805065a",
        "https://www.virustotal.com/gui/collection/539def30dd6cf1765c95f042e1b5c91fdab6f3210a78bf7ec42a5369afc87b63/iocs",
        "https://pulsedive.com/indicator/?iid=68288076",
        "https://www.virustotal.com/gui/collection/malpedia_win_tofsee/summary",
        "https://www.filescan.io/uploads/67e5b0d409c39f5498b627ea/reports/d86bf9bb-449d-491a-9127-b8a6ac553822/overview",
        "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee",
        "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163",
        "https://urlquery.net/report/54993e5a-9b3f-4eef-a219-6ed529b4ea66",
        "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a/67e0baae85aff10b880edd20",
        "https://www.virustotal.com/gui/collection/9ba080a708abedd7a118bdc24ce5cf5d842d87a86b89b9cc2191afe0f0d4231c",
        "https://www.filescan.io/uploads/68197116c7418694c8a5d9bd/reports/25f29dd6-c473-4e65-9fe4-fedd357dee67/overview",
        "https://www.filescan.io/uploads/680a86d6218c4a98ade08dd3/reports/4b5b194b-2a17-4f63-965b-804b22cef458/overview",
        "https://www.filescan.io/uploads/67e6e25af274bf2d8e279d3a/reports/30034848-b06b-443d-b898-77b47ea0048c/overview",
        "https://hybrid-analysis.com/sample/17c3ff1fc83e2b651cb7b830f97833fbf05986d5b32b5d180937b7fed8b721b3/67e6e2a122728175b007effc",
        "https://www.virustotal.com/gui/url/d3fcc8b4575e8e04b8c80b171089c26f3d117ac9b11e971dc4fd0345f00b4414",
        "https://rcmp[.]ca/en/alberta",
        "https://www.virustotal.com/gui/domain/ssl.com/details",
        "https://metadefender.com/results/url/aHR0cDovLzEzOC44OC41NC4zNC5iYy5nb29nbGV1c2VyY29udGVudC5jb20=",
        "https://hybrid-analysis.com/sample/225749540c7c585ae4567062cfb85980f0966cc3386540b5259471b8e2e5315e",
        "https://www.virustotal.com/gui/collection/9ba080a708abedd7a118bdc24ce5cf5d842d87a86b89b9cc2191afe0f0d4231c/iocs",
        "https://tria.ge/250328-wws56sztax",
        "https://www.virustotal.com/gui/collection/539def30dd6cf1765c95f042e1b5c91fdab6f3210a78bf7ec42a5369afc87b63/summary",
        "https://www.filescan.io/uploads/67e1a7ffc26eb3fd74f584c0/reports/28bf2c8b-9ebd-4f47-8428-135838c23c2f/geolocation",
        "https://hybrid-analysis.com/sample/f365ad976bd2a8d76bde7f955db2a06c9c430ffbb96bc4bd40b799a5190da839/67e10e11e9e6b273b5030af6",
        "https://www.virustotal.com/gui/url/feb5f01dcd95d4607a0dbb97dbd6352af5ffb67770238cf0a1d5086d52654248?nocache=1",
        "https://metadefender.com/results/url/aHR0cHM6Ly93d3cuaG9tZWFyY2FkZWluYWJveC5jb20=",
        "https://www.virustotal.com/graph/embed/g48d4db81e8674614bec5518a136f3761f7f07ed069374524aa839196f53d629c?theme=dark",
        "https://hybrid-analysis.com/sample/15eddfc9f8ebe4f85414b858a4f7d69f123d53aef07b63943215378850482f76/67e5a4bcf63bbe94c90326d3",
        "https://www.virustotal.com/gui/collection/906953228691774a070b263dca65ada5f5da7c293fe152d8d93249161aa44922/iocs",
        "https://www.hybrid-analysis.com/sample/54aa9d1f10c072da249c270460c0269fae28347cc10abcb2f8a0c104a4abdaf5/680a8663a2ca2123f506b2c7",
        "https://hybrid-analysis.com/sample/dea64c4ce5cd9b55fb634888e4c6530728e266c8cb6d2bf670a9fe9e3f712c43",
        "https://www.filescan.io/uploads/67e6fbc2f274bf2d8e27bf9c/reports/cebd554f-01e7-4a20-b447-4f7a9d9ccc48/ioc",
        "https://www.virustotal.com/graph/embed/g69422d071856425cb7ef01a90232cae9aef9af2362ad45db8fc83caabe618606?theme=dark",
        "https://www.virustotal.com/graph/embed/ga5becca9d0964040a5408d2de66d37952e5d92e7a3694941a8d11cc8bbf1fc94?theme=dark",
        "https://tria.ge/250328-yg3r6sslv5/behavioral1",
        "https://hybrid-analysis.com/sample/225749540c7c585ae4567062cfb85980f0966cc3386540b5259471b8e2e5315e/67d9a21c369b542db10921d1",
        "https://www.filescan.io/uploads/680891efe9c1e25797a05346/reports/f954a2d9-7437-4734-b64e-e6a2f07e6ccf/overview",
        "https://hybrid-analysis.com/sample/4ac0486c18ef662f2ba44e75cc13830d7e3d6a8ec20040a78e7818a6484bf807",
        "https://www.filescan.io/uploads/67d9a1b50a7899f3579c2e15/reports/e94f370c-9b21-4fc7-be6d-a23f17a236a0/ioc",
        "https://www.virustotal.com/graph/embed/g831fa6e61c89456b9be9df8d705dec5282a938ecc1e2443a9663ec2db6fa07b1?theme=dark",
        "https://www.filescan.io/uploads/67e110bec26eb3fd74f4f3ad/reports/0fcb3a74-e7dd-4a0c-8976-5dc4f912e70d/overview",
        "https://app.malcore.io/report/67ab258eda3e8886f5e4eb10/scan/67ab2665292fee4c5ec0b4d5",
        "https://urlscan.io/search/#page.domain%3Awww.ualberta.ca",
        "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a",
        "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163/summary",
        "https://hybrid-analysis.com/sample/dea64c4ce5cd9b55fb634888e4c6530728e266c8cb6d2bf670a9fe9e3f712c43/67db93032dc368d2d80c3df1"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "dosdean@ualberta[.]ca // ciso@ualberta[.]ca"
          ],
          "malware_families": [],
          "industries": [
            "",
            "Media",
            "Telecommunications",
            "Finance",
            "Education",
            "Chemical",
            "Technology",
            "Government",
            "Agriculture",
            "Healthcare"
          ],
          "unique_indicators": 19473
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/bing.com",
    "whois": "http://whois.domaintools.com/bing.com",
    "domain": "bing.com",
    "hostname": "business.bing.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 12,
  "pulses": [
    {
      "id": "6709ad372568d7810af2e480",
      "name": "https://rcmp[.]ca/en/alberta // rcmp[.]ca // rcmp-grc[.]gc[.]ca - 12.06.25",
      "description": "Alberta RCMP\nhttps://rcmp[.]ca/en/alberta // rcmp[.]ca // rcmp-grc[.]gc[.]ca",
      "modified": "2026-01-05T22:04:46.025000",
      "created": "2024-10-11T22:56:55.968000",
      "tags": [
        "entity",
        "RCMP",
        "Alberta",
        "EPS",
        "Edmonton Police Services",
        "RCMP AB",
        "CrimeStoppers AB"
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/g69422d071856425cb7ef01a90232cae9aef9af2362ad45db8fc83caabe618606?theme=dark",
        "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13/iocs",
        "https://urlquery.net/report/54993e5a-9b3f-4eef-a219-6ed529b4ea66",
        "https://www.filescan.io/uploads/6775f8d1108e6fdea94ba637/reports/ba88f2c2-96e9-4106-9b93-4f7fa7f1519a/overview",
        "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee",
        "https://www.virustotal.com/gui/collection/malpedia_win_tofsee/summary",
        "https://viz.greynoise.io/analysis/ade7d4f8-0bf7-4582-9a91-f7b26c0bb9f7",
        "",
        "https://rcmp[.]ca/en/alberta",
        "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13",
        "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a/67e0baae85aff10b880edd20",
        "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "",
        "Government",
        "Telecommunications",
        "Education",
        "Technology",
        "Healthcare"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 4,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 764,
        "FileHash-SHA1": 760,
        "FileHash-SHA256": 4062,
        "domain": 378,
        "hostname": 1808,
        "URL": 886,
        "SSLCertFingerprint": 18,
        "email": 10,
        "CVE": 1
      },
      "indicator_count": 8687,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 135,
      "modified_text": "103 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "680896aa900ac914a8897345",
      "name": "hxxps://crimestoppers[.]ab[.]ca -12.03.25",
      "description": "Analysis of hxxps://crimestoppers[.]ab[.]ca -Updated",
      "modified": "2026-01-02T10:03:02.125000",
      "created": "2025-04-23T07:28:42.097000",
      "tags": [
        "entity",
        "please",
        "javascript",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "virus",
        "ransomware",
        "static",
        "indicator of compromise",
        "ioc",
        "extraction",
        "emulation",
        "platform",
        "prefetch8 ansi",
        "show process",
        "ansi",
        "hash seen",
        "pcap processing",
        "pcap",
        "date",
        "ck id",
        "command decode",
        "threat level",
        "win64",
        "suspicious",
        "hybrid",
        "comspec",
        "close",
        "click",
        "hosts",
        "general",
        "path",
        "model",
        "encrypt",
        "mozi",
        "strings",
        "contact",
        "Crimestoppers",
        "Alberta"
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/g9668c50e2de9469883f69177b8280205c5494e1dae4548ea954447efa9601d63?theme=dark",
        "https://www.virustotal.com/gui/collection/539def30dd6cf1765c95f042e1b5c91fdab6f3210a78bf7ec42a5369afc87b63/iocs",
        "https://www.virustotal.com/gui/collection/539def30dd6cf1765c95f042e1b5c91fdab6f3210a78bf7ec42a5369afc87b63/summary",
        "https://www.hybrid-analysis.com/sample/1a5188c269891d3e27426787b243b056586c6536570a7112af4533bc63b764ca",
        "https://www.filescan.io/uploads/680891efe9c1e25797a05346/reports/f954a2d9-7437-4734-b64e-e6a2f07e6ccf/overview",
        "https://www.hybrid-analysis.com/sample/1a5188c269891d3e27426787b243b056586c6536570a7112af4533bc63b764ca/67e0bb7c22b1b76d6209c910",
        "https://www.filescan.io/uploads/69300efc8e26c121ec957ab6/reports/5ec46a13-5686-4def-bd1e-705effebb749/overview"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [
        "Government",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 25,
        "FileHash-SHA1": 24,
        "FileHash-SHA256": 683,
        "URL": 439,
        "domain": 204,
        "hostname": 103,
        "SSLCertFingerprint": 6,
        "email": 3
      },
      "indicator_count": 1487,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 128,
      "modified_text": "107 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "688ef0516013ca78448bf4e5",
      "name": "Foundry \u2022 Reflected Networks Pornhub Malvertising Subsidiary",
      "description": "Foundry ?  Pornhub\nsanfoundry.com\ncompliance.fifoundry.net- Pornhub subsidiary. Targets networks, devices, routers, used for promoting pornography and her music. Producer revealed her hooks were used for Justin Bieber &  Tori Kelly songs that. A producer stated her songs had been grifted. Both Tsara Brashears & a studio were in Pegasus & attacked by \u2018Lazarus\u2019 Group. She was told in detail how her songs can be used by music insiders if they choose.  Target trolled by mocking hackers re: the JB and Kelly song.. Trojan:Win32/DisableUAC.A!bit\n, MSIL:Suspicious:ScreenCapture.S01\nIDS Detections\nLokiBot Checkin\nLokiBot User-Agent (Charon/Inferno)\nLokiBot Application/Credential Data Exfiltration Detected M1\nLokiBot Request for C2 Commands Detected M1\nLokiBot Application/Credential Data Exfiltration Detected M2\nLokiBot Request for C2 Commands Detected M2\nTrojan Generic - POST To gate.php with no referer\nSSL excessive fatal alerts (possible POODLE attack against server)\nI will revisit this. Gloryhole Foundation?",
      "modified": "2025-09-02T04:01:31.218000",
      "created": "2025-08-03T05:14:57.402000",
      "tags": [
        "united",
        "moved",
        "entries",
        "passive dns",
        "detected m1",
        "next associated",
        "mtb apr",
        "mtb aug",
        "server",
        "gmt content",
        "trojandropper",
        "trojan",
        "body",
        "lokibot request",
        "c2 commands",
        "detected m2",
        "otx telemetry",
        "historical otx",
        "twitter running",
        "open ports",
        "cves",
        "time",
        "dynamicloader",
        "port",
        "search",
        "show",
        "destination",
        "alerts",
        "copy",
        "dynamic",
        "medium",
        "write",
        "creation date",
        "hostmaster",
        "urls",
        "domain",
        "showing",
        "hostname add",
        "pulse pulses",
        "date",
        "flag",
        "falcon sandbox",
        "name server",
        "markmonitor",
        "analysis",
        "mitre att",
        "anonymous",
        "upgrade",
        "hybrid",
        "contact",
        "usa windows",
        "december",
        "input threat",
        "level analysis",
        "summary",
        "february",
        "hwp support",
        "january",
        "october",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "adversaries",
        "calls",
        "command",
        "javascript",
        "object model",
        "model",
        "windir",
        "json data",
        "localappdata",
        "ascii text",
        "temp",
        "getprocaddress",
        "script",
        "license",
        "runtime process",
        "copy md5",
        "facebook",
        "roboto",
        "error",
        "win64",
        "path",
        "blink",
        "meta",
        "factory",
        "general",
        "comspec",
        "click",
        "strings",
        "damage",
        "mini",
        "stop",
        "core",
        "expl",
        "win32",
        "gmt server",
        "ecacc saa83dd",
        "ipv4 add",
        "twitter",
        "cobalt strike",
        "mozilla"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 263,
        "FileHash-SHA1": 256,
        "FileHash-SHA256": 837,
        "hostname": 4415,
        "URL": 1918,
        "domain": 1884,
        "email": 2,
        "SSLCertFingerprint": 2
      },
      "indicator_count": 9577,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "229 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "681972c85a50af103c25319d",
      "name": "hxxps://ecfmg[.]org - 05.05.25",
      "description": "Malcore - Simple File Analysis\n\nDomain Analysis: ECFMG",
      "modified": "2025-06-05T02:05:37.765000",
      "created": "2025-05-06T02:24:08.420000",
      "tags": [
        "malcore",
        "file analysis",
        "part",
        "encrypt",
        "sha1",
        "digicert inc",
        "ee fingerprint",
        "ee sha256",
        "ea first",
        "adobe",
        "october",
        "e1 fingerprint",
        "info",
        "first",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "please",
        "virus",
        "ransomware",
        "static",
        "indicator of compromise",
        "ioc",
        "extraction",
        "emulation",
        "platform",
        "intealth",
        "nsi1",
        "prefetch8 ansi",
        "ansi",
        "show process",
        "section",
        "figure",
        "hash seen",
        "date",
        "pcap processing",
        "pcap",
        "win64",
        "span",
        "suspicious",
        "form",
        "hybrid",
        "twitter",
        "meta",
        "body",
        "service",
        "august",
        "facebook",
        "comspec",
        "close",
        "click",
        "hosts",
        "general",
        "path",
        "model",
        "bran",
        "mozilla",
        "strings",
        "contact",
        "UAlberta",
        "ECFMG"
      ],
      "references": [
        "https://app.malcore.io/report/67ab258eda3e8886f5e4eb10/scan/67ab2665292fee4c5ec0b4d5",
        "https://www.hybrid-analysis.com/sample/ca5568efb9bf69de73013b6d7d0ef433cabf2c12c1e9d1e563bcaf6445bed0be",
        "https://www.filescan.io/uploads/68197116c7418694c8a5d9bd/reports/25f29dd6-c473-4e65-9fe4-fedd357dee67/overview",
        "https://www.hybrid-analysis.com/sample/ca5568efb9bf69de73013b6d7d0ef433cabf2c12c1e9d1e563bcaf6445bed0be/681970419aeb093a0508ec56"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [
        "Education",
        "Healthcare"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 25,
        "SSLCertFingerprint": 189,
        "URL": 211,
        "domain": 60,
        "hostname": 177,
        "email": 8,
        "FileHash-SHA1": 19,
        "FileHash-SHA256": 39
      },
      "indicator_count": 728,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 128,
      "modified_text": "318 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "680a8d38da27a781f3874c55",
      "name": "connect-care[.]ca - 04.24.25 - #UAlberta #DataBreach -> #Alberta #Healthcare",
      "description": "Found some more problems when attempting to access connectcare with my old (stolen) credentials and a work-a-round. It appears (as it was tied to the University of Alberta) that this account also has been tampered with. Conducted general domain analysis. Related to all healthcare pulses in this AlienVault Group in the listed countries below (several others to add in yet).",
      "modified": "2025-05-24T18:05:13.820000",
      "created": "2025-04-24T19:12:56.287000",
      "tags": [
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "please",
        "entity",
        "javascript",
        "virus",
        "ransomware",
        "static",
        "indicator of compromise",
        "ioc",
        "extraction",
        "emulation",
        "platform",
        "ansi",
        "connect care",
        "memoryfile scan",
        "span",
        "pcap processing",
        "pcap",
        "script",
        "pdf url",
        "win64",
        "date",
        "iframe",
        "contact",
        "footer",
        "meta",
        "wave",
        "suspicious",
        "general",
        "mission",
        "calgary",
        "comspec",
        "hybrid",
        "mozilla",
        "main",
        "body",
        "form",
        "model",
        "close",
        "click",
        "hosts",
        "mozi",
        "core",
        "false",
        "april",
        "path",
        "window",
        "dest",
        "bran",
        "strings",
        "malicious",
        "UAlberta",
        "Connect Care",
        "Alberta Health Services",
        "Healthcare",
        "#YYG",
        "#YYC"
      ],
      "references": [
        "https://www.hybrid-analysis.com/sample/54aa9d1f10c072da249c270460c0269fae28347cc10abcb2f8a0c104a4abdaf5",
        "https://www.virustotal.com/graph/embed/g7a13908b6b3844af97ae41353ef4e5ddac98d327bf0b4b2d97343fbf97836264?theme=dark",
        "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163",
        "https://www.filescan.io/uploads/680a86d6218c4a98ade08dd3/reports/4b5b194b-2a17-4f63-965b-804b22cef458/overview",
        "https://www.hybrid-analysis.com/sample/54aa9d1f10c072da249c270460c0269fae28347cc10abcb2f8a0c104a4abdaf5/680a8663a2ca2123f506b2c7",
        "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163/summary",
        "https://www.virustotal.com/gui/collection/a3392b58587d812c8c186ecbe6b13ff3794bb0e45a5ba2e10de4e34708dbd163/iocs"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America",
        "Anguilla",
        "Aruba",
        "Netherlands",
        "Mexico",
        "Saint Vincent and the Grenadines",
        "Cura\u00e7ao",
        "Bonaire, Sint Eustatius and Saba",
        "Panama",
        "Tanzania, United Republic of",
        "Ukraine"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1505",
          "name": "Server Software Component",
          "display_name": "T1505 - Server Software Component"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [
        "Healthcare",
        "Education",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 89,
        "FileHash-SHA1": 84,
        "FileHash-SHA256": 166,
        "domain": 48,
        "hostname": 179,
        "URL": 151,
        "email": 14,
        "SSLCertFingerprint": 14
      },
      "indicator_count": 745,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 130,
      "modified_text": "329 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67d9aa3446a826d09e3fcbd1",
      "name": "SSL [.] com - (Unenriched)",
      "description": "Analysis of phishing domain/service - ssl dot com\n\nUpdated 04.09.25: was able to pull IOCs from graph (vT): https://www.virustotal.com/graph/embed/ga5becca9d0964040a5408d2de66d37952e5d92e7a3694941a8d11cc8bbf1fc94?theme=dark",
      "modified": "2025-05-08T21:00:41.641000",
      "created": "2025-03-18T17:15:32.007000",
      "tags": [
        "malware",
        "virus",
        "trojan",
        "ransomware",
        "static",
        "analysis",
        "indicator of compromise",
        "ioc",
        "extraction",
        "emulation",
        "online",
        "submit",
        "sample",
        "download",
        "platform",
        "sandbox",
        "vxstream",
        "apt",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "please",
        "javascript",
        "ansi",
        "pcap processing",
        "pcap",
        "prefetch8 ansi",
        "united",
        "date",
        "threat level",
        "show process",
        "hash seen",
        "programfiles",
        "win64",
        "comspec",
        "suspicious",
        "model",
        "hybrid",
        "close",
        "click",
        "hosts",
        "service",
        "general",
        "path",
        "encrypt",
        "strings",
        "contact",
        "SSL"
      ],
      "references": [
        "https://www.filescan.io/uploads/67d9a1b50a7899f3579c2e15/reports/e94f370c-9b21-4fc7-be6d-a23f17a236a0/ioc",
        "https://hybrid-analysis.com/sample/225749540c7c585ae4567062cfb85980f0966cc3386540b5259471b8e2e5315e",
        "https://www.virustotal.com/gui/domain/ssl.com/details",
        "https://hybrid-analysis.com/sample/225749540c7c585ae4567062cfb85980f0966cc3386540b5259471b8e2e5315e/67d9a21c369b542db10921d1",
        "https://www.virustotal.com/graph/embed/ga5becca9d0964040a5408d2de66d37952e5d92e7a3694941a8d11cc8bbf1fc94?theme=dark",
        "https://www.virustotal.com/gui/collection/9ba080a708abedd7a118bdc24ce5cf5d842d87a86b89b9cc2191afe0f0d4231c",
        "https://www.virustotal.com/gui/collection/9ba080a708abedd7a118bdc24ce5cf5d842d87a86b89b9cc2191afe0f0d4231c/iocs",
        "https://www.virustotal.com/gui/collection/9ba080a708abedd7a118bdc24ce5cf5d842d87a86b89b9cc2191afe0f0d4231c/summary",
        "https://metadefender.com/results/url/aHR0cDovL3NzbC5jb20=",
        "https://pastebin.com/yYxyUWra - 03.18.25 = Paste to CERT Related Pulses/References",
        "https://www.virustotal.com/graph/embed/ga5becca9d0964040a5408d2de66d37952e5d92e7a3694941a8d11cc8bbf1fc94?theme=dark - 04.09.25"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [
        "Technology",
        "Education",
        "Government",
        "Telecommunications",
        "Healthcare"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 39,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 218,
        "FileHash-MD5": 80,
        "FileHash-SHA1": 80,
        "FileHash-SHA256": 462,
        "domain": 31,
        "hostname": 225,
        "SSLCertFingerprint": 15,
        "email": 10
      },
      "indicator_count": 1121,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 128,
      "modified_text": "345 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67e6ffbc9aeff4c5629b79eb",
      "name": "Threat Intelligence - Firebase - Interesting - 03.28.25",
      "description": "Related to a Firebase thing (I'll have to go through my notes)***",
      "modified": "2025-04-27T19:00:05.873000",
      "created": "2025-03-28T19:59:56.661000",
      "tags": [
        "threat intelligence",
        "feed",
        "ioc",
        "change theme",
        "contact us",
        "intelligence",
        "threats api",
        "analyze api",
        "overview",
        "threats explore",
        "rate limits",
        "stixtaxii",
        "bulk export",
        "please",
        "javascript",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "virus",
        "ransomware",
        "static",
        "indicator of compromise",
        "extraction",
        "emulation",
        "platform",
        "prefetch8 ansi",
        "show process",
        "ansi",
        "hash seen",
        "script",
        "programfiles",
        "date",
        "threat level",
        "ck id",
        "command decode",
        "win64",
        "suspicious",
        "comspec",
        "hybrid",
        "meta",
        "error",
        "body",
        "model",
        "close",
        "click",
        "hosts",
        "general",
        "path",
        "service",
        "strings",
        "contact",
        "triage",
        "report",
        "reported",
        "analyze",
        "download submit",
        "sha512",
        "prefetch8",
        "sha256",
        "sha1",
        "filesize",
        "file",
        "process key",
        "iocs",
        "process",
        "config",
        "copy",
        "target",
        "impact"
      ],
      "references": [
        "https://pulsedive.com/indicator/?iid=68496815",
        "https://www.virustotal.com/gui/domain/virustotalcloud.firebaseapp.com",
        "https://www.virustotal.com/gui/domain/virustotalcloud.firebaseapp.com/details",
        "https://hybrid-analysis.com/sample/81676c04bdcd5f8e16e125049b63a3853d8cdcd68080bcad382c99313a29a8aa",
        "https://www.filescan.io/uploads/67e6fbc2f274bf2d8e27bf9c/reports/cebd554f-01e7-4a20-b447-4f7a9d9ccc48/ioc",
        "https://hybrid-analysis.com/sample/81676c04bdcd5f8e16e125049b63a3853d8cdcd68080bcad382c99313a29a8aa/67e6fb999ade40aeca0025b2",
        "https://tria.ge/250328-yg3r6sslv5/behavioral1"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1217",
          "name": "Browser Bookmark Discovery",
          "display_name": "T1217 - Browser Bookmark Discovery"
        }
      ],
      "industries": [
        "Technology",
        "Education",
        "Telecommunications",
        "Healthcare",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 32,
        "domain": 6,
        "FileHash-MD5": 46,
        "FileHash-SHA1": 47,
        "FileHash-SHA256": 47,
        "SSLCertFingerprint": 7,
        "email": 4,
        "hostname": 15
      },
      "indicator_count": 204,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 128,
      "modified_text": "356 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67e6e8d275e9af41c5b1145c",
      "name": "138[.]88[.]54[.]34[.]bc[.]googleusercontent[.]com",
      "description": "138[.]88[.]54[.]34[.]bc[.]googleusercontent[.]com\nSubmitted to VT, FS, PD, MD\n\nTriage -> some potential assoc. w. virustotal[.]firebaseapp[.]com ??",
      "modified": "2025-04-27T18:03:51.813000",
      "created": "2025-03-28T18:22:10.123000",
      "tags": [
        "please",
        "javascript",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "prefetch8 ansi",
        "ansi",
        "date",
        "show process",
        "pcap processing",
        "threat level",
        "hash seen",
        "pcap",
        "sha256",
        "script",
        "meta",
        "virustotal",
        "win64",
        "suspicious",
        "comspec",
        "hybrid",
        "body",
        "iframe",
        "model",
        "close",
        "click",
        "hosts",
        "general",
        "path",
        "service",
        "strings",
        "contact",
        "nsi1",
        "jid560662135",
        "slc1",
        "z409072123",
        "threat intelligence",
        "feed",
        "ioc",
        "change theme",
        "contact us",
        "intelligence",
        "threats api",
        "analyze api",
        "overview",
        "threats explore",
        "rate limits",
        "stixtaxii",
        "bulk export",
        "virus",
        "ransomware",
        "static",
        "indicator of compromise",
        "extraction",
        "emulation",
        "platform",
        "community",
        "results",
        "switch",
        "inquest labs",
        "resources api",
        "notes supported",
        "cve list",
        "drop your",
        "file"
      ],
      "references": [
        "https://hybrid-analysis.com/sample/17c3ff1fc83e2b651cb7b830f97833fbf05986d5b32b5d180937b7fed8b721b3/67e6e2a122728175b007effc",
        "https://pulsedive.com/indicator/?iid=68288076",
        "https://www.filescan.io/uploads/67e6e25af274bf2d8e279d3a/reports/30034848-b06b-443d-b898-77b47ea0048c/overview",
        "https://metadefender.com/results/url/aHR0cDovLzEzOC44OC41NC4zNC5iYy5nb29nbGV1c2VyY29udGVudC5jb20=",
        "https://tria.ge/250328-wws56sztax",
        "https://polyswarm.network/scan/results/url/6f357a6585e7e96c2ce57d4f9f68e9f0ab0bd7f51d8efe333b3fabae9eb8ab0a/details"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "Netherlands",
        "United Kingdom of Great Britain and Northern Ireland",
        "Spain"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 66,
        "FileHash-SHA1": 63,
        "FileHash-SHA256": 62,
        "SSLCertFingerprint": 7,
        "URL": 70,
        "email": 3,
        "hostname": 25,
        "domain": 6
      },
      "indicator_count": 302,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "356 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67e5b274d3c655145f165ab7",
      "name": "Hybrid Analysis / Filescan of VT Graph -> Just for kicks",
      "description": "Just threw in a graph into Hybrid Analysis to see what it pulls from it -> IOCs in this pulse\n\nThe VT Graph: https://www.virustotal.com/graph/embed/g831fa6e61c89456b9be9df8d705dec5282a938ecc1e2443a9663ec2db6fa07b1?theme=dark\n\nRelated VT Collection\nMalcerts submitted to Filescan. io - 03.26.25 = https://www.virustotal.com/gui/collection/906953228691774a070b263dca65ada5f5da7c293fe152d8d93249161aa44922/iocs (in references)\n\nAlso tossed it into Filescan. io = https://www.filescan.io/uploads/67e5b0d409c39f5498b627ea/reports/d86bf9bb-449d-491a-9127-b8a6ac553822/overview",
      "modified": "2025-04-26T20:02:34.518000",
      "created": "2025-03-27T20:17:56.580000",
      "tags": [
        "please",
        "javascript",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "prefetch8 ansi",
        "ansi",
        "show process",
        "hash seen",
        "date",
        "pcap processing",
        "pcap",
        "threat level",
        "ck id",
        "command decode",
        "meta",
        "win64",
        "suspicious",
        "general",
        "hybrid",
        "virustotal",
        "body",
        "comspec",
        "close",
        "click",
        "hosts",
        "service",
        "path",
        "model",
        "strings",
        "contact",
        "entity"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/906953228691774a070b263dca65ada5f5da7c293fe152d8d93249161aa44922/iocs",
        "https://hybrid-analysis.com/sample/15eddfc9f8ebe4f85414b858a4f7d69f123d53aef07b63943215378850482f76/67e5a4bcf63bbe94c90326d3",
        "https://www.virustotal.com/graph/embed/g831fa6e61c89456b9be9df8d705dec5282a938ecc1e2443a9663ec2db6fa07b1?theme=dark",
        "https://www.filescan.io/uploads/67e5b0d409c39f5498b627ea/reports/d86bf9bb-449d-491a-9127-b8a6ac553822/overview"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "Netherlands"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [
        "Technology",
        "Telecommunications",
        "Education",
        "Healthcare",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 20,
        "FileHash-SHA1": 20,
        "FileHash-SHA256": 20,
        "SSLCertFingerprint": 10,
        "URL": 16,
        "email": 6,
        "hostname": 16,
        "domain": 6
      },
      "indicator_count": 114,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 130,
      "modified_text": "357 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "67e1aa875e6c907d7e1b5fa0",
      "name": "hxxps://tech4service.ca - 03.24.25",
      "description": "YEG tech/hardware vendor",
      "modified": "2025-04-23T18:02:31.021000",
      "created": "2025-03-24T18:55:03.147000",
      "tags": [
        "please",
        "javascript",
        "threat intelligence",
        "feed",
        "ioc",
        "change theme",
        "contact us",
        "intelligence",
        "threats api",
        "analyze api",
        "overview",
        "threats explore",
        "rate limits",
        "stixtaxii",
        "bulk export",
        "community",
        "results",
        "switch",
        "inquest labs",
        "resources api",
        "notes supported",
        "cve list",
        "drop your",
        "file",
        "service",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "virus",
        "ransomware",
        "static",
        "indicator of compromise",
        "extraction",
        "emulation",
        "platform",
        "prefetch8 ansi",
        "ansi",
        "show process",
        "hash seen",
        "pcap processing",
        "pcap",
        "date",
        "ck id",
        "command decode",
        "mitre att",
        "win64",
        "suspicious",
        "hybrid",
        "comspec",
        "close",
        "click",
        "hosts",
        "general",
        "path",
        "model",
        "encrypt",
        "upgrade",
        "strings",
        "contact"
      ],
      "references": [
        "https://www.virustotal.com/gui/url/d3fcc8b4575e8e04b8c80b171089c26f3d117ac9b11e971dc4fd0345f00b4414",
        "https://pulsedive.com/indicator/?iid=68410521",
        "https://metadefender.com/results/url/aHR0cHM6Ly90ZWNoNHNlcnZpY2UuY2E=",
        "https://hybrid-analysis.com/sample/4ac0486c18ef662f2ba44e75cc13830d7e3d6a8ec20040a78e7818a6484bf807",
        "https://www.filescan.io/uploads/67e1a7ffc26eb3fd74f584c0/reports/28bf2c8b-9ebd-4f47-8428-135838c23c2f/overview",
        "https://www.filescan.io/uploads/67e1a7ffc26eb3fd74f584c0/reports/28bf2c8b-9ebd-4f47-8428-135838c23c2f/geolocation",
        "https://www.filescan.io/uploads/67e1a7ffc26eb3fd74f584c0/reports/28bf2c8b-9ebd-4f47-8428-135838c23c2f/ioc",
        "https://hybrid-analysis.com/sample/4ac0486c18ef662f2ba44e75cc13830d7e3d6a8ec20040a78e7818a6484bf807/67e1a708525a509d1805065a",
        "",
        "https://pulsedive.com/indicator/?iid=68410679"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 189,
        "FileHash-MD5": 21,
        "FileHash-SHA1": 20,
        "FileHash-SHA256": 20,
        "domain": 29,
        "email": 7,
        "hostname": 37,
        "SSLCertFingerprint": 20
      },
      "indicator_count": 343,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 128,
      "modified_text": "360 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://business.bing.com",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://business.bing.com",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776604474.6401424
}