{ "type": "URL", "indicator": "https://buzz-plus.icu/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://buzz-plus.icu/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4366981999, "indicator": "https://buzz-plus.icu/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "6a0e70462533707c15e72292", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T03:36:39.925000", "created": "2026-05-21T02:39:02.897000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 212, "FileHash-SHA1": 226, "FileHash-SHA256": 1512, "IPv4": 409, "URL": 880, "hostname": 1350, "domain": 378, "CIDR": 1, "email": 3, "Mutex": 3 }, "indicator_count": 4974, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0e703e7c0457682c548691", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T02:38:54.394000", "created": "2026-05-21T02:38:54.394000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 163, "FileHash-SHA1": 98, "FileHash-SHA256": 884, "IPv4": 48, "URL": 150, "hostname": 170, "domain": 96, "CIDR": 1, "email": 3 }, "indicator_count": 1613, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0e703e6a884aeed75d9180", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T02:38:54.205000", "created": "2026-05-21T02:38:54.205000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 163, "FileHash-SHA1": 98, "FileHash-SHA256": 884, "IPv4": 48, "URL": 150, "hostname": 170, "domain": 96, "CIDR": 1, "email": 3 }, "indicator_count": 1613, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0e7033ee9e679939ba3294", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T02:38:43.726000", "created": "2026-05-21T02:38:43.726000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 163, "FileHash-SHA1": 98, "FileHash-SHA256": 884, "IPv4": 48, "URL": 150, "hostname": 170, "domain": 96, "CIDR": 1, "email": 3 }, "indicator_count": 1613, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0e702f7b1b513a66e1789e", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T02:38:39.508000", "created": "2026-05-21T02:38:39.508000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 163, "FileHash-SHA1": 98, "FileHash-SHA256": 884, "IPv4": 48, "URL": 150, "hostname": 170, "domain": 96, "CIDR": 1, "email": 3 }, "indicator_count": 1613, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0b53626be41dfe6834d2e4", "name": "* Cross-Platform iOS Curveball Crypto Forgery Exploit * CAPE Sandbox", "description": "Standalone iOS Mobile Infrastrure Name: document.html (~1MB, 12,311 lines, null title tag) * MD5: 6816bd15813549fa95a543dc7593b2a3\n* SHA-1: d73716914eb0b2a0211...\n2. Malformed Mathematical Parsing Architecture\nThe js loader handles strings by evaluating positions directly from malformed cryptographic signatures rather than declaring standard network callbacks.\n* Script Target String Hash: 57c8a0597dcd4...\n-Internal File Path Queried\n-Location Isolation: The engine scans for multi-locale layout properties during browser rendering. By targeting string array offsets, the logic programmatically generates continuous queries.\n-Exploitation Vector: Leverages WebKit script execution directly within volatile mobile browser memory due to hollow processes [root+code] result likely xxs/f.\n-Floods local [exe] threads with continuous data-parsing tasks. This isolates the runtime process inside iOS hardware, generating background loops, interface lag,&memory exhaustion w/o raising traditional system level malware flags.", "modified": "2026-05-20T08:57:18.461000", "created": "2026-05-18T17:58:58.565000", "tags": [ "link", "calendar", "keep track", "apple support", "doctype html", "title", "locale", "performs dns", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "meta", "defense evasion", "next", "meta tags", "script tags" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120167&Signature=jjx58TOoBzcM3VAt6aHBhD4Uk3qycXhPqBQ8%2B8mz8WRFE4nQysuz0pE%2FJzqE8UZjK%2BX%2BAInP0ol%2FRWQbnzCDOo0O0F5e%2FPy2fpnO1vsZEOxNjdEtr2WkvWUDLO0qno2oh2JOVvZt1vgN4SNWIxyNjHTlG3fK01pZf1EQeRIp%2BAew7ogUBkxPG4u1kB31EZUg9aYJ%2BJfFOSHns2y38Qo9Nf7xOWRSWQL64s0fMLN%2FuJqo", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120190&Signature=zS7YS90991jg3aJaHUHkbgiegDEmI0TwVITFGgNG24UVG73I%2FgH%2FAZlVbEbTAd5%2BugQgcGmZuWW8i0Uw0p0%2FDhDWK6pGhJtJK3y2Ulgjnhw%2FaPWFotHlWDB9oEQFybyHcGd%2BNasc5tq5pO4HZh9iGudQbMGnWYMA6pNesIB%2BE%2F3Mjov7QwGStPg0XfB325h5ywgvcB0YPEpItbGtIaNV38AWc7GLWaZ7H02vKioR54IZVg7aAjnWK6", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120693&Signature=PVlkmBs1ypAK33UCMzZhLE7IQY1bFdSzhzuw67rSm6i4rNdSuRctwVViaGNmfwaEMtyJOO5F10u45F9x%2FXCSkpa27mW8a4CGp6bE5YSlMLespUT9sGxzgFnOhib4SXue%2B%2BSJDXmV%2FHsVXNWSpYtr9E%2Fithqwkr5P2KDnUgGp9T0aFrIdZxtTn4QtjdAduC7gCLDfRiNID7ZjPVJV0lq%2Fz1%2Fhu%2FQs0Sw4%2BX1iNvp%2Bed" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 54, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 281, "hostname": 149, "URL": 255, "domain": 118 }, "indicator_count": 864, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0b5364337dfd91041f4d22", "name": "* Cross-Platform iOS Curveball Crypto Forgery Exploit * CAPE Sandbox", "description": "Standalone iOS Mobile Infrastrure Name: document.html (~1MB, 12,311 lines, null title tag) * MD5: 6816bd15813549fa95a543dc7593b2a3\n* SHA-1: d73716914eb0b2a0211...\n2. Malformed Mathematical Parsing Architecture\nThe js loader handles strings by evaluating positions directly from malformed cryptographic signatures rather than declaring standard network callbacks.\n* Script Target String Hash: 57c8a0597dcd4...\n-Internal File Path Queried\n-Location Isolation: The engine scans for multi-locale layout properties during browser rendering. By targeting string array offsets, the logic programmatically generates continuous queries.\n-Exploitation Vector: Leverages WebKit script execution directly within volatile mobile browser memory due to hollow processes [root+code] result likely xxs/f.\n-Floods local [exe] threads with continuous data-parsing tasks. This isolates the runtime process inside iOS hardware, generating background loops, interface lag,&memory exhaustion w/o raising traditional system level malware flags.", "modified": "2026-05-20T08:56:56.059000", "created": "2026-05-18T17:59:00.842000", "tags": [ "link", "calendar", "keep track", "apple support", "doctype html", "title", "locale", "performs dns", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "meta", "defense evasion", "next", "meta tags", "script tags" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120167&Signature=jjx58TOoBzcM3VAt6aHBhD4Uk3qycXhPqBQ8%2B8mz8WRFE4nQysuz0pE%2FJzqE8UZjK%2BX%2BAInP0ol%2FRWQbnzCDOo0O0F5e%2FPy2fpnO1vsZEOxNjdEtr2WkvWUDLO0qno2oh2JOVvZt1vgN4SNWIxyNjHTlG3fK01pZf1EQeRIp%2BAew7ogUBkxPG4u1kB31EZUg9aYJ%2BJfFOSHns2y38Qo9Nf7xOWRSWQL64s0fMLN%2FuJqo", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120190&Signature=zS7YS90991jg3aJaHUHkbgiegDEmI0TwVITFGgNG24UVG73I%2FgH%2FAZlVbEbTAd5%2BugQgcGmZuWW8i0Uw0p0%2FDhDWK6pGhJtJK3y2Ulgjnhw%2FaPWFotHlWDB9oEQFybyHcGd%2BNasc5tq5pO4HZh9iGudQbMGnWYMA6pNesIB%2BE%2F3Mjov7QwGStPg0XfB325h5ywgvcB0YPEpItbGtIaNV38AWc7GLWaZ7H02vKioR54IZVg7aAjnWK6", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120693&Signature=PVlkmBs1ypAK33UCMzZhLE7IQY1bFdSzhzuw67rSm6i4rNdSuRctwVViaGNmfwaEMtyJOO5F10u45F9x%2FXCSkpa27mW8a4CGp6bE5YSlMLespUT9sGxzgFnOhib4SXue%2B%2BSJDXmV%2FHsVXNWSpYtr9E%2Fithqwkr5P2KDnUgGp9T0aFrIdZxtTn4QtjdAduC7gCLDfRiNID7ZjPVJV0lq%2Fz1%2Fhu%2FQs0Sw4%2BX1iNvp%2Bed" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 54, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 281, "hostname": 149, "URL": 255, "domain": 118 }, "indicator_count": 864, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0b535b1d8235c877c4fc81", "name": "* Cross-Platform iOS Curveball Crypto Forgery Exploit * CAPE Sandbox", "description": "Standalone iOS Mobile Infrastrure Name: document.html (~1MB, 12,311 lines, null title tag) * MD5: 6816bd15813549fa95a543dc7593b2a3\n* SHA-1: d73716914eb0b2a0211...\n2. Malformed Mathematical Parsing Architecture\nThe js loader handles strings by evaluating positions directly from malformed cryptographic signatures rather than declaring standard network callbacks.\n* Script Target String Hash: 57c8a0597dcd4...\n-Internal File Path Queried\n-Location Isolation: The engine scans for multi-locale layout properties during browser rendering. By targeting string array offsets, the logic programmatically generates continuous queries.\n-Exploitation Vector: Leverages WebKit script execution directly within volatile mobile browser memory due to hollow processes [root+code] result likely xxs/f.\n-Floods local [exe] threads with continuous data-parsing tasks. This isolates the runtime process inside iOS hardware, generating background loops, interface lag,&memory exhaustion w/o raising traditional system level malware flags.", "modified": "2026-05-20T08:52:51.376000", "created": "2026-05-18T17:58:51.398000", "tags": [ "link", "calendar", "keep track", "apple support", "doctype html", "title", "locale", "performs dns", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "meta", "defense evasion", "next", "meta tags", "script tags" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120167&Signature=jjx58TOoBzcM3VAt6aHBhD4Uk3qycXhPqBQ8%2B8mz8WRFE4nQysuz0pE%2FJzqE8UZjK%2BX%2BAInP0ol%2FRWQbnzCDOo0O0F5e%2FPy2fpnO1vsZEOxNjdEtr2WkvWUDLO0qno2oh2JOVvZt1vgN4SNWIxyNjHTlG3fK01pZf1EQeRIp%2BAew7ogUBkxPG4u1kB31EZUg9aYJ%2BJfFOSHns2y38Qo9Nf7xOWRSWQL64s0fMLN%2FuJqo", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120190&Signature=zS7YS90991jg3aJaHUHkbgiegDEmI0TwVITFGgNG24UVG73I%2FgH%2FAZlVbEbTAd5%2BugQgcGmZuWW8i0Uw0p0%2FDhDWK6pGhJtJK3y2Ulgjnhw%2FaPWFotHlWDB9oEQFybyHcGd%2BNasc5tq5pO4HZh9iGudQbMGnWYMA6pNesIB%2BE%2F3Mjov7QwGStPg0XfB325h5ywgvcB0YPEpItbGtIaNV38AWc7GLWaZ7H02vKioR54IZVg7aAjnWK6", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120693&Signature=PVlkmBs1ypAK33UCMzZhLE7IQY1bFdSzhzuw67rSm6i4rNdSuRctwVViaGNmfwaEMtyJOO5F10u45F9x%2FXCSkpa27mW8a4CGp6bE5YSlMLespUT9sGxzgFnOhib4SXue%2B%2BSJDXmV%2FHsVXNWSpYtr9E%2Fithqwkr5P2KDnUgGp9T0aFrIdZxtTn4QtjdAduC7gCLDfRiNID7ZjPVJV0lq%2Fz1%2Fhu%2FQs0Sw4%2BX1iNvp%2Bed" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 54, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 281, "hostname": 149, "URL": 255, "domain": 117 }, "indicator_count": 863, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120167&Signature=jjx58TOoBzcM3VAt6aHBhD4Uk3qycXhPqBQ8%2B8mz8WRFE4nQysuz0pE%2FJzqE8UZjK%2BX%2BAInP0ol%2FRWQbnzCDOo0O0F5e%2FPy2fpnO1vsZEOxNjdEtr2WkvWUDLO0qno2oh2JOVvZt1vgN4SNWIxyNjHTlG3fK01pZf1EQeRIp%2BAew7ogUBkxPG4u1kB31EZUg9aYJ%2BJfFOSHns2y38Qo9Nf7xOWRSWQL64s0fMLN%2FuJqo", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120693&Signature=PVlkmBs1ypAK33UCMzZhLE7IQY1bFdSzhzuw67rSm6i4rNdSuRctwVViaGNmfwaEMtyJOO5F10u45F9x%2FXCSkpa27mW8a4CGp6bE5YSlMLespUT9sGxzgFnOhib4SXue%2B%2BSJDXmV%2FHsVXNWSpYtr9E%2Fithqwkr5P2KDnUgGp9T0aFrIdZxtTn4QtjdAduC7gCLDfRiNID7ZjPVJV0lq%2Fz1%2Fhu%2FQs0Sw4%2BX1iNvp%2Bed", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120190&Signature=zS7YS90991jg3aJaHUHkbgiegDEmI0TwVITFGgNG24UVG73I%2FgH%2FAZlVbEbTAd5%2BugQgcGmZuWW8i0Uw0p0%2FDhDWK6pGhJtJK3y2Ulgjnhw%2FaPWFotHlWDB9oEQFybyHcGd%2BNasc5tq5pO4HZh9iGudQbMGnWYMA6pNesIB%2BE%2F3Mjov7QwGStPg0XfB325h5ywgvcB0YPEpItbGtIaNV38AWc7GLWaZ7H02vKioR54IZVg7aAjnWK6", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 2856 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/buzz-plus.icu", "whois": "http://whois.domaintools.com/buzz-plus.icu", "domain": "buzz-plus.icu", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "6a0e70462533707c15e72292", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T03:36:39.925000", "created": "2026-05-21T02:39:02.897000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 212, "FileHash-SHA1": 226, "FileHash-SHA256": 1512, "IPv4": 409, "URL": 880, "hostname": 1350, "domain": 378, "CIDR": 1, "email": 3, "Mutex": 3 }, "indicator_count": 4974, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0e703e7c0457682c548691", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T02:38:54.394000", "created": "2026-05-21T02:38:54.394000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 163, "FileHash-SHA1": 98, "FileHash-SHA256": 884, "IPv4": 48, "URL": 150, "hostname": 170, "domain": 96, "CIDR": 1, "email": 3 }, "indicator_count": 1613, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0e703e6a884aeed75d9180", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T02:38:54.205000", "created": "2026-05-21T02:38:54.205000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 163, "FileHash-SHA1": 98, "FileHash-SHA256": 884, "IPv4": 48, "URL": 150, "hostname": 170, "domain": 96, "CIDR": 1, "email": 3 }, "indicator_count": 1613, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0e7033ee9e679939ba3294", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T02:38:43.726000", "created": "2026-05-21T02:38:43.726000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 163, "FileHash-SHA1": 98, "FileHash-SHA256": 884, "IPv4": 48, "URL": 150, "hostname": 170, "domain": 96, "CIDR": 1, "email": 3 }, "indicator_count": 1613, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0e702f7b1b513a66e1789e", "name": "snake logger darkbot CAPE Sandbox", "description": "The full text of the full report on the events of 9 March 2017:..-. and the details will appear on BBC Radio 5 live on Wednesday, 7 March at 19:00 BST", "modified": "2026-05-21T02:38:39.508000", "created": "2026-05-21T02:38:39.508000", "tags": [ "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "file type", "strong", "crc32", "sha1", "library", "accept", "date", "mainexe", "body", "shutdown", "guard", "title", "lockfile", "pxff pxff", "qxff qxff", "rxff rxff", "vxff vxff", "x8bxe5", "sx8b", "px8be px8be", "xf7xd8 xf7xd8", "pxe8 pxe8", "wx8b", "done", "pass", "chat", "handle", "cloudflare", "whois server", "entity cloud14", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "pe file", "mitre attack", "network info", "sample", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "malicious", "darkbot", "next", "script", "meta", "virustotal", "style", "noscript", "vtuishell", "function", "base", "iframe", "persist", "full", "android sandbox", "europemadrid", "current object", "has permission", "accesses", "dropped info", "zenbox android", "guest system", "persistence" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329568&Signature=IkbWoghENMgO0Vi0G33kEnSpOwdmP8yBe7C%2BtzhHBskojswgkdMlYDj0DOnptywc64KNSUgeupN5mWkS0LXuybETgPHYd4HYPG8ktV7dUbnVRIG%2BcsTjFEK1dZI5NvQDbZYsD3OWFsK6gil71bHUphUIWfLjNXuajVj%2BR11zcJWhS%2FtDQzx2O%2BIBuHP86PbUTEMDoHHFkHoZHwhwcDL8G9RoicUPSVKewZ3RhcaX2Xpc%2F3cyKq", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779329682&Signature=HQsQ6JIJ6eEe2cR78wlv7R7l5ka1KLsn%2FolYSQzBCEPpjgQAJOi%2FDuHtwY5l6CHb4sK8tHHAq1ifF44vJOlpMihyRW33STqD01QJ2jNm%2Bkdc6Ph8UQ6BnEciHeADfB3v5dXyl%2FYkkQ%2FJqV3mZMbc9tBQmza3HsXWtSYxdVWBsqaXdnyVKaxexVF16f9AuDf9GSj96MEPsmoQB35tjbXvupGv%2BXioRvdJxk37gOH81p32wQ%2Bvv", "https://vtbehaviour.commondatastorage.googleapis.com/bf6a466412d657c940e417486231c7d0443fddc1bd687ae011c3ec2809bd56dc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330293&Signature=Z%2Fd5falNeJ5Sr83mYEi%2BXDKCueLy3vcdeeLt%2F%2FNNTmDXr%2B8VOhZSaUnqgn7tIHVA8sq4kfxOzP8atA2c%2BkDkbSMTYMi3E2RaudxzZ0cIQcin0cwG%2Bc6Ah2LkmwlvMSiFV2BX4rHMhMenVEE8PHVtnpQUrwYJEdD3V1NkUTJShKSuzJjMJIjIpdICKBBn5ZDfJfnqlDpVn9uo4Tcb0QMyPPPEv5j0de44oISnibMExEhbIgFshum5V7Jc", "https://vtbehaviour.commondatastorage.googleapis.com/ccd573523bfa74f41c41e6a020c5b760d52460e0a77129b7c6673d4f4ac0bfd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330635&Signature=re%2FuG4fUxL0rE3q7lOequC7gJICljDctOzy7nBhrje3uBPHhClYMNGKxYWnAC4e%2BRhBHKSaS3ZthKB8ivGxIdfUS8ktxU5Yl1qI11t37%2BFm057DGulZHdhT0By8vjA7mju1EkgRYFXcdpUcsdk7bQ6yqQd0qFGyGNC30ZRU5EFTgBjbysmi6Hj2D9odG2fpcFfzOTUThiGWhII78HarsZBdhHlA5AClXfDw92AC07XjP50bnJV7dT2na", "https://vtbehaviour.commondatastorage.googleapis.com/0366e99c4dd0b3f3ba1f0ee53be280ace9aa36629ecdda4227fbe0dcd69adf24_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779330865&Signature=lTq%2B4domCQZf0DZuQ3%2F9AT3rOnxLdz3OKyhp1PGSrjZFKLq%2F5r4d%2FTImb9SgUHTfTbNrFv7uPQTjrB7TpEsAb%2F0gIQcLxpJlOftQ5ifzx5Dh%2BSc2lHI55YuUZeDxmqAbHZqIYy2loL6d%2BcooLmEI%2B4k7LyHGHyw3DZZDYobzE1zNKqjZjFADoJpK%2F1Z95DjMX1%2BVtf6sn4oCPXQ1%2FfMPTrD2YillSIeb88t", "https://vtbehaviour.commondatastorage.googleapis.com/00066842ce6c13b3db2a0b8843830ef5d82c5c86ca8da83c59e90e93b7dc5c8a_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779331227&Signature=MCrqghYx6iIxE%2B5YcfGg76mxr1FAs%2BmV1x6LMN8xzbe3DWO3sIhTzJErmNAjCDdrSDtD%2FTJrs8xdyOmhEBYRnfM%2BoDkCgfL54Khogx3XitiZHEZOoJ%2BG6ndTrPeQySymflSLswl1sKNnO8uMTOkxNFDPVHpuA%2BHvhZ4svmsijbULQ00M51GilsEzK7yXE9M%2Fh%2FTHn4hR0W23S%2BBS7lted0EedxLSgIVapglnQQpGMQ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 163, "FileHash-SHA1": 98, "FileHash-SHA256": 884, "IPv4": 48, "URL": 150, "hostname": 170, "domain": 96, "CIDR": 1, "email": 3 }, "indicator_count": 1613, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0b53626be41dfe6834d2e4", "name": "* Cross-Platform iOS Curveball Crypto Forgery Exploit * CAPE Sandbox", "description": "Standalone iOS Mobile Infrastrure Name: document.html (~1MB, 12,311 lines, null title tag) * MD5: 6816bd15813549fa95a543dc7593b2a3\n* SHA-1: d73716914eb0b2a0211...\n2. Malformed Mathematical Parsing Architecture\nThe js loader handles strings by evaluating positions directly from malformed cryptographic signatures rather than declaring standard network callbacks.\n* Script Target String Hash: 57c8a0597dcd4...\n-Internal File Path Queried\n-Location Isolation: The engine scans for multi-locale layout properties during browser rendering. By targeting string array offsets, the logic programmatically generates continuous queries.\n-Exploitation Vector: Leverages WebKit script execution directly within volatile mobile browser memory due to hollow processes [root+code] result likely xxs/f.\n-Floods local [exe] threads with continuous data-parsing tasks. This isolates the runtime process inside iOS hardware, generating background loops, interface lag,&memory exhaustion w/o raising traditional system level malware flags.", "modified": "2026-05-20T08:57:18.461000", "created": "2026-05-18T17:58:58.565000", "tags": [ "link", "calendar", "keep track", "apple support", "doctype html", "title", "locale", "performs dns", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "meta", "defense evasion", "next", "meta tags", "script tags" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120167&Signature=jjx58TOoBzcM3VAt6aHBhD4Uk3qycXhPqBQ8%2B8mz8WRFE4nQysuz0pE%2FJzqE8UZjK%2BX%2BAInP0ol%2FRWQbnzCDOo0O0F5e%2FPy2fpnO1vsZEOxNjdEtr2WkvWUDLO0qno2oh2JOVvZt1vgN4SNWIxyNjHTlG3fK01pZf1EQeRIp%2BAew7ogUBkxPG4u1kB31EZUg9aYJ%2BJfFOSHns2y38Qo9Nf7xOWRSWQL64s0fMLN%2FuJqo", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120190&Signature=zS7YS90991jg3aJaHUHkbgiegDEmI0TwVITFGgNG24UVG73I%2FgH%2FAZlVbEbTAd5%2BugQgcGmZuWW8i0Uw0p0%2FDhDWK6pGhJtJK3y2Ulgjnhw%2FaPWFotHlWDB9oEQFybyHcGd%2BNasc5tq5pO4HZh9iGudQbMGnWYMA6pNesIB%2BE%2F3Mjov7QwGStPg0XfB325h5ywgvcB0YPEpItbGtIaNV38AWc7GLWaZ7H02vKioR54IZVg7aAjnWK6", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120693&Signature=PVlkmBs1ypAK33UCMzZhLE7IQY1bFdSzhzuw67rSm6i4rNdSuRctwVViaGNmfwaEMtyJOO5F10u45F9x%2FXCSkpa27mW8a4CGp6bE5YSlMLespUT9sGxzgFnOhib4SXue%2B%2BSJDXmV%2FHsVXNWSpYtr9E%2Fithqwkr5P2KDnUgGp9T0aFrIdZxtTn4QtjdAduC7gCLDfRiNID7ZjPVJV0lq%2Fz1%2Fhu%2FQs0Sw4%2BX1iNvp%2Bed" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 54, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 281, "hostname": 149, "URL": 255, "domain": 118 }, "indicator_count": 864, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0b5364337dfd91041f4d22", "name": "* Cross-Platform iOS Curveball Crypto Forgery Exploit * CAPE Sandbox", "description": "Standalone iOS Mobile Infrastrure Name: document.html (~1MB, 12,311 lines, null title tag) * MD5: 6816bd15813549fa95a543dc7593b2a3\n* SHA-1: d73716914eb0b2a0211...\n2. Malformed Mathematical Parsing Architecture\nThe js loader handles strings by evaluating positions directly from malformed cryptographic signatures rather than declaring standard network callbacks.\n* Script Target String Hash: 57c8a0597dcd4...\n-Internal File Path Queried\n-Location Isolation: The engine scans for multi-locale layout properties during browser rendering. By targeting string array offsets, the logic programmatically generates continuous queries.\n-Exploitation Vector: Leverages WebKit script execution directly within volatile mobile browser memory due to hollow processes [root+code] result likely xxs/f.\n-Floods local [exe] threads with continuous data-parsing tasks. This isolates the runtime process inside iOS hardware, generating background loops, interface lag,&memory exhaustion w/o raising traditional system level malware flags.", "modified": "2026-05-20T08:56:56.059000", "created": "2026-05-18T17:59:00.842000", "tags": [ "link", "calendar", "keep track", "apple support", "doctype html", "title", "locale", "performs dns", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "meta", "defense evasion", "next", "meta tags", "script tags" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120167&Signature=jjx58TOoBzcM3VAt6aHBhD4Uk3qycXhPqBQ8%2B8mz8WRFE4nQysuz0pE%2FJzqE8UZjK%2BX%2BAInP0ol%2FRWQbnzCDOo0O0F5e%2FPy2fpnO1vsZEOxNjdEtr2WkvWUDLO0qno2oh2JOVvZt1vgN4SNWIxyNjHTlG3fK01pZf1EQeRIp%2BAew7ogUBkxPG4u1kB31EZUg9aYJ%2BJfFOSHns2y38Qo9Nf7xOWRSWQL64s0fMLN%2FuJqo", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120190&Signature=zS7YS90991jg3aJaHUHkbgiegDEmI0TwVITFGgNG24UVG73I%2FgH%2FAZlVbEbTAd5%2BugQgcGmZuWW8i0Uw0p0%2FDhDWK6pGhJtJK3y2Ulgjnhw%2FaPWFotHlWDB9oEQFybyHcGd%2BNasc5tq5pO4HZh9iGudQbMGnWYMA6pNesIB%2BE%2F3Mjov7QwGStPg0XfB325h5ywgvcB0YPEpItbGtIaNV38AWc7GLWaZ7H02vKioR54IZVg7aAjnWK6", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120693&Signature=PVlkmBs1ypAK33UCMzZhLE7IQY1bFdSzhzuw67rSm6i4rNdSuRctwVViaGNmfwaEMtyJOO5F10u45F9x%2FXCSkpa27mW8a4CGp6bE5YSlMLespUT9sGxzgFnOhib4SXue%2B%2BSJDXmV%2FHsVXNWSpYtr9E%2Fithqwkr5P2KDnUgGp9T0aFrIdZxtTn4QtjdAduC7gCLDfRiNID7ZjPVJV0lq%2Fz1%2Fhu%2FQs0Sw4%2BX1iNvp%2Bed" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 54, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 281, "hostname": 149, "URL": 255, "domain": 118 }, "indicator_count": 864, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0b535b1d8235c877c4fc81", "name": "* Cross-Platform iOS Curveball Crypto Forgery Exploit * CAPE Sandbox", "description": "Standalone iOS Mobile Infrastrure Name: document.html (~1MB, 12,311 lines, null title tag) * MD5: 6816bd15813549fa95a543dc7593b2a3\n* SHA-1: d73716914eb0b2a0211...\n2. Malformed Mathematical Parsing Architecture\nThe js loader handles strings by evaluating positions directly from malformed cryptographic signatures rather than declaring standard network callbacks.\n* Script Target String Hash: 57c8a0597dcd4...\n-Internal File Path Queried\n-Location Isolation: The engine scans for multi-locale layout properties during browser rendering. By targeting string array offsets, the logic programmatically generates continuous queries.\n-Exploitation Vector: Leverages WebKit script execution directly within volatile mobile browser memory due to hollow processes [root+code] result likely xxs/f.\n-Floods local [exe] threads with continuous data-parsing tasks. This isolates the runtime process inside iOS hardware, generating background loops, interface lag,&memory exhaustion w/o raising traditional system level malware flags.", "modified": "2026-05-20T08:52:51.376000", "created": "2026-05-18T17:58:51.398000", "tags": [ "link", "calendar", "keep track", "apple support", "doctype html", "title", "locale", "performs dns", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "meta", "defense evasion", "next", "meta tags", "script tags" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120167&Signature=jjx58TOoBzcM3VAt6aHBhD4Uk3qycXhPqBQ8%2B8mz8WRFE4nQysuz0pE%2FJzqE8UZjK%2BX%2BAInP0ol%2FRWQbnzCDOo0O0F5e%2FPy2fpnO1vsZEOxNjdEtr2WkvWUDLO0qno2oh2JOVvZt1vgN4SNWIxyNjHTlG3fK01pZf1EQeRIp%2BAew7ogUBkxPG4u1kB31EZUg9aYJ%2BJfFOSHns2y38Qo9Nf7xOWRSWQL64s0fMLN%2FuJqo", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120190&Signature=zS7YS90991jg3aJaHUHkbgiegDEmI0TwVITFGgNG24UVG73I%2FgH%2FAZlVbEbTAd5%2BugQgcGmZuWW8i0Uw0p0%2FDhDWK6pGhJtJK3y2Ulgjnhw%2FaPWFotHlWDB9oEQFybyHcGd%2BNasc5tq5pO4HZh9iGudQbMGnWYMA6pNesIB%2BE%2F3Mjov7QwGStPg0XfB325h5ywgvcB0YPEpItbGtIaNV38AWc7GLWaZ7H02vKioR54IZVg7aAjnWK6", "https://vtbehaviour.commondatastorage.googleapis.com/f7f1f6f2f1b195829c5429c213d2e28536971247d42ec0ed7e7704de48f5d1b8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779120693&Signature=PVlkmBs1ypAK33UCMzZhLE7IQY1bFdSzhzuw67rSm6i4rNdSuRctwVViaGNmfwaEMtyJOO5F10u45F9x%2FXCSkpa27mW8a4CGp6bE5YSlMLespUT9sGxzgFnOhib4SXue%2B%2BSJDXmV%2FHsVXNWSpYtr9E%2Fithqwkr5P2KDnUgGp9T0aFrIdZxtTn4QtjdAduC7gCLDfRiNID7ZjPVJV0lq%2Fz1%2Fhu%2FQs0Sw4%2BX1iNvp%2Bed" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 54, "FileHash-MD5": 6, "FileHash-SHA1": 1, "FileHash-SHA256": 281, "hostname": 149, "URL": 255, "domain": 117 }, "indicator_count": 863, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://buzz-plus.icu/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://buzz-plus.icu/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780234422.566901 }