{ "type": "URL", "indicator": "https://bytepoint.software", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://bytepoint.software", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3921760701, "indicator": "https://bytepoint.software", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "66d0a996b288ca46ab7e63ae", "name": "CEIDG (www.pitprojekt.pl , pitprojekt.pl) jak otworzy\u0107 firm\u0119, jak rozpocz\u0105\u0107 biznes, dzia\u0142alno\u015b\u0107 gospodarcza zak\u0142adanie, jak rozpocz\u0105\u0107 dzia\u0142alno\u015b\u0107 gospodarcz\u0105", "description": "Zawarte zasoby wed\u0142ug j\u0119zyka \u00c2\u00a31.1bn, a total of 7.4bn euros ($9.6bn; \u00a36.3bn)", "modified": "2024-12-05T21:16:06.820000", "created": "2024-08-29T17:02:13.392000", "tags": [ "admin", "asset", "dufur", "jnswj", "3px center", "saxla", "zjloj", "whasz htm", "oszczdno", "png ikona", "rt angielski", "angielski usa", "wersja rt", "narzuta chi2", "plik", "whasz", "bogaty hash", "sha256", "ssdeep", "schema", "strings", "guid", "blob", "sha256 file", "type type", "vhash", "imphash", "bvgquf", "cblrxf", "coqbmf", "efq78c", "gkrikb", "hdvrde", "hlo3ef", "izt63", "jnoxi", "kg2exe", "pejzasz", "rticon english", "english us", "chi2", "png rticon", "ico rtgroupicon", "code signing", "algorithm", "serial number", "sectigo public", "thumbprint", "rsa time", "valid from", "name sectigo", "valid", "valid usage", "ascii text", "neutral", "data rtcursor", "data rtdialog", "default", "rticon maori", "ceidg", "informacja o", "usugi", "z wniosek", "sprawd", "zarejestruj spk", "centralna", "ewidencja", "strona gwna", "formularze i", "sha1", "pehash", "richhash", "authentihash", "skrt", "system", "podaj", "windows z", "kreator", "dostawca", "wifi", "nazwa typ", "md5 nazwa", "imphasz", "kropelka", "smyczki", "zasb manifestu", "neutralny", "ikona rt", "zawarte zasoby", "md5 chi2", "ikonagrupyrt", "rtmanifest", "zawarte", "sha256 typ" ], "references": [ "https://aplikacja.ceidg.gov.pl/ceidg.cms.engine/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4501, "URL": 4559, "hostname": 1957, "domain": 729, "FileHash-MD5": 903, "FileHash-SHA1": 849, "IPv4": 180, "email": 3, "IPv6": 2, "CVE": 1 }, "indicator_count": 13684, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "499 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f3e394bcf868816a29c2dc", "name": "Google Pixel 7a Devices - Telus ISP devices 'protected' by Norton", "description": "Exactly as above. I mean, out of all of the phones these ones make phonecalls (most of the time can send & receive calls). Can be a little tricky. Incomplete - it be doing it's own thing downloading/uploading stuff and heading down the 'way all the other phones went' route.", "modified": "2024-11-02T15:05:54.240000", "created": "2024-03-15T05:58:44.839000", "tags": [ "ISP", "Google", "Telus", "Norton", "Pixel" ], "references": [ "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark", "https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark", "https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark", "https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark", "https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "", "https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details", "https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network", "http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Telecommunications", "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1231, "FileHash-SHA1": 1215, "FileHash-SHA256": 99653, "URL": 158638, "domain": 49468, "hostname": 77233, "email": 6, "CIDR": 5450, "CVE": 55 }, "indicator_count": 392949, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "533 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c08b488620dac7697026c7", "name": "Fakefolder | Ransom:Win32/CVE affecting HCA Healthcare cloud", "description": "Cloud computing - User Acceptance Testing (UAT)\napparently used by HCA one of the nations leading healthcare providers. It's seems HCA's cloud is compromised. The cloud has a number of high priority vulnerabilities, malware, ransomware, zero day, etc. Patient accounts aiming involved, (some patients received letters of serious PII, PHI compromise) lost records, patient blacklisting, hacking, and nefarious manipulations by providers. I've been made aware of CORHIO closing compromised patient accounts. Some patients account access and data has reportedly been lost.\n#VirTool:Win32/Obfuscator.ADB\nALF:HeraklezEval:Ransom:Win32/CVE\nRansom:Win32/StopCrypt.AK!MTB\nRansom:Win32/Wannaren.A\nTrojan:Win32/BlackMon\nTrojan:Win32/Fakefolder\nTulach Malware", "modified": "2024-10-15T14:02:54.772000", "created": "2024-08-17T11:36:40.810000", "tags": [ "microsoft edge", "iocs", "alberta ndp", "security", "vc rescue", "disk", "apple", "google", "windows", "powershell", "security https", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "site", "cisco umbrella", "alexa top", "blacklist", "million", "mail spammer", "firehol", "ip address", "noname057", "anonymizer", "firehol proxy", "proxy", "india mail", "malware", "full name", "first", "v3 serial", "number", "cus odigicert", "global tls", "rsa4096 sha256", "ca1 validity", "subject public", "key info", "dns replication", "date", "script script", "as12912", "a domains", "a li", "poland unknown", "t mobile", "domains", "przejd", "passive dns", "authority", "meta", "accept", "cname", "record type", "ttl value", "aaaa", "poland", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "location poland", "asnone united", "moved", "location", "vary", "accept encoding", "content type", "virtool", "related pulses", "file samples", "files matching", "show", "search", "date hash", "next", "showing", "as39198", "body", "window", "certificate", "hostname", "unknown", "red bull", "script urls", "as2828 verizon", "ireland unknown", "gmt content", "as8068", "as8075", "servers", "creation date", "united", "trojan", "trojan features", "win32", "msr aug", "urls", "reverse dns", "trojandropper", "historical ssl", "referrer", "infiltrate", "threat network", "malicious", "snapchat", "eternal blue", "sneaky simay", "groups", "covert", "probe", "whois lookup", "domain name", "united", "as15169 google", "a nxdomain", "germany", "dynamicloader", "yara rule", "high", "medium", "port", "dynamic", "domain", "file name", "pcap", "copy", "url host", "port method", "user agent", "okrnserver", "002000", "hit tcpmemhit", "algorithm", "data", "cus oentrust", "entrust", "l1k validity", "cpl lwarszawa", "ot mobile", "status", "name servers", "as6354", "mtb aug", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "location united", "win32 exe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "vs2010", "info compiler", "products", "vs2008", "header intel", "name md5", "type", "language", "ascii text", "cyrillic", "registrar of", "domain names", "ii llc", "contacted", "file type", "mb file", "graph", "ip detections", "country", "type name", "network", "tsara brashears", "december", "typhon reborn", "speakez securus", "hacktool", "emotet", "formbook", "critical", "installer", "tofsee", "hiddentear", "cnc", "email collection", "apple data", "data collection", "tsara brashears", "for privacy", "record value", "emails", "expiration date", "swipper", "tulach", "aitm", "query", "observed dns", "activity dns", "total", "google llc", "pe32", "write", "april", "defender", "otx telemetry", "win32cve aug", "polska s", "copyright", "levelblue", "dashboard", "pulse submit", "url analysis", "as20940", "as16625 akamai", "entrustdns", "france", "entries", "refresh", "443 ma2592000", "net174", "net1740000", "mcics", "read c", "write c", "tlsv1", "default", "module load", "execution", "dock", "persistence", "xport", "redacted for", "privacy tech", "privacy admin", "organization", "postal code", "stateprovince", "server", "registrar abuse", "code", "high priority", "critical", "CVE-2023-29059" ], "references": [ "uat.drw.hcahealthcare.cloud | developers.t-mobile.pl | kwvjuemg.exe", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "Antivirus Detections: Ransom:Win32/Wannaren.A UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX Alerts procmem_yara creates_largekey process_creation_suspicious_location network_bind deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window cape_extracted_content injection_rwx network_http", "Yara Detections: LZMA , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "Alerts: procmem_yara creates_largekey process_creation_suspicious_location network_bind cape_extracted_content", "Alerts: deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request injection_rwx network_http", "Alerts: network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window", "nr-data.net [Apple Private Data Collection]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://twitter.com/PORNO_SEXYBABES | twitter.com | www.pornhub.com | www.anyxxxtube.net", "Apple path:https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "record-viewer-application.hcahealthcare.cloud", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "Tulach IP: 114.114.114.114", "Antivirus Detections: #VirTool:Win32/Obfuscator.ADB | IDS Detections:Observed DNS Query to .biz TLD | Domains Contacted: pywolwnvd.biz", "Yara Detections: SUSP_Unsigned_GoogleUpdate OriginalFilenameGoogleUpdate.exe | Alerts cape_extracted_content", "Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS) 'Swipper'", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059\\", "cvename.cg | https://cve.mitre.org/cgi | https://cve.mitre.org/cgi-bin/cvename.cg... | https://cve.mitre.org/cgi-bin/cvename.cgi?nam...", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | https://cve.mitre.org/css/main.css", "https://cve.mitre.org/images/cvelogobanner.png | https://cve.mitre.org/images/linkedin.jpg | https://cve.mitre.org/images/medium.png", "https://cve.mitre.org/images/nvd-logo.png | https://cve.mitre.org/images/search_icon.png | https://cve.mitre.org/images/twitter.jpg", "https://cve.mitre.org/images/youtube.png | https://cve.mitre.org/includes/browserheight.js | https://cve.mitre.org/includes/jquery-3.2.1.min.js", "https://cve.mitre.org/css/print.css | https://cve.mitre.org/favicon.ico | https://cve.mitre.org/images/GitHub_round_sm", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | cve.mitre.org" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/BlackMon", "display_name": "Trojan:Win32/BlackMon", "target": "/malware/Trojan:Win32/BlackMon" }, { "id": "Trojan:Win32/Fakefolder", "display_name": "Trojan:Win32/Fakefolder", "target": "/malware/Trojan:Win32/Fakefolder" }, { "id": "Ransom:Win32/Wannaren.A", "display_name": "Ransom:Win32/Wannaren.A", "target": "/malware/Ransom:Win32/Wannaren.A" }, { "id": "Ransom:Win32/StopCrypt.AK!MTB", "display_name": "Ransom:Win32/StopCrypt.AK!MTB", "target": "/malware/Ransom:Win32/StopCrypt.AK!MTB" }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "ALF:HeraklezEval:Ransom:Win32/CVE", "display_name": "ALF:HeraklezEval:Ransom:Win32/CVE", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [ "Healthcare", "Technology", "Civilian Society", "Telecommunications", "Networking" ], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1975, "FileHash-SHA1": 1731, "FileHash-SHA256": 4646, "URL": 636, "domain": 283, "hostname": 798, "email": 12, "CVE": 3, "SSLCertFingerprint": 2 }, "indicator_count": 10086, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "670c5ff728e6e5b891e26e45", "name": "IOC", "description": "", "modified": "2024-10-14T00:04:07.913000", "created": "2024-10-14T00:04:07.913000", "tags": [ "admin", "asset", "dufur", "jnswj", "3px center", "saxla", "zjloj", "whasz htm", "oszczdno", "png ikona", "rt angielski", "angielski usa", "wersja rt", "narzuta chi2", "plik", "whasz", "bogaty hash", "sha256", "ssdeep", "schema", "strings", "guid", "blob", "sha256 file", "type type", "vhash", "imphash", "bvgquf", "cblrxf", "coqbmf", "efq78c", "gkrikb", "hdvrde", "hlo3ef", "izt63", "jnoxi", "kg2exe", "pejzasz", "rticon english", "english us", "chi2", "png rticon", "ico rtgroupicon", "code signing", "algorithm", "serial number", "sectigo public", "thumbprint", "rsa time", "valid from", "name sectigo", "valid", "valid usage", "ascii text", "neutral", "data rtcursor", "data rtdialog", "default", "rticon maori", "ceidg", "informacja o", "usugi", "z wniosek", "sprawd", "zarejestruj spk", "centralna", "ewidencja", "strona gwna", "formularze i", "sha1", "pehash", "richhash", "authentihash", "skrt", "system", "podaj", "windows z", "kreator", "dostawca", "wifi", "nazwa typ", "md5 nazwa", "imphasz", "kropelka", "smyczki", "zasb manifestu", "neutralny", "ikona rt", "zawarte zasoby", "md5 chi2", "ikonagrupyrt", "rtmanifest", "zawarte", "sha256 typ" ], "references": [ "https://aplikacja.ceidg.gov.pl/ceidg.cms.engine/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "66d0a996b288ca46ab7e63ae", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "WayneState", "id": "296756", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4243, "URL": 4550, "hostname": 1957, "domain": 729, "FileHash-MD5": 801, "FileHash-SHA1": 747, "IPv4": 180, "email": 3, "IPv6": 2 }, "indicator_count": 13212, "is_author": false, "is_subscribing": null, "subscriber_count": 4, "modified_text": "552 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "669ac41b3186b8cc8c40e9e3", "name": "Powershell", "description": "Matches rule PowerShell Module File Created By Non-PowerShell Process by Nasreddine Bencherchali\nDetects creation of a new PowerShell module \".psm1\", \".psd1\", \".dll\", \".ps1\", etc. by a non-PowerShell process\n\nFilescan.io\nWindowsPowerShell.zip\napplication/zip\nMD5:\n07d37fc575e373f878ae3c7cca2bfc25\nSHA1:\na2fc89aba12f8739184d44d0fffbe6323d9654eb\nSHA256:\ne75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832\nSHA512:\n36dc7349d052cd474818a6ae3149eda469d829cf2e4d9a0e55252468cdf9e9704d5293b8b4f73b4a25b07f8c8dd8eeab2ed18bbb1ff7d76958b51eb555562339\n\nTriage:\nhttps://tria.ge/240719-taxv5aydlj\nhttps://tria.ge/240719-tfpfyasdqh\nhttps://tria.ge/240719-tj9laasfke\nhttps://tria.ge/240719-tnb6kssgmc\nhttps://tria.ge/240719-trwpdsshqh\nhttps://tria.ge/240719-tv84wstbkg\nhttps://tria.ge/240719-t1hh5atcpd\nhttps://tria.ge/240719-t7wpbszgkl\n\nMalcore: https://app.malcore.io/share/652553f6aec33d70a1dbbd25/669993193506cdb760b3f36a\n\nKaspersky: E75FF18EE5C7226E225AA9959DF439F1488DF8CD3D43F5471361ED0426700832", "modified": "2024-09-01T17:02:12.379000", "created": "2024-07-19T19:52:59.626000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/summary", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/iocs", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/graph", "https://www.virustotal.com/graph/embed/g4d28c765e54941129dbbf8d4a8dc25bb3b5452f14e0a4886a0af0c2991188611?theme=dark", "https://www.virustotal.com/gui/file/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832/relations", "https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578339&Signature=fTYUE3KoGSnr2%2BSrv9dZpgk3uXJc2rf%2BQeCyhAVDWiuiHGaYqhFHfgzQD2KheomXUSHne5MCvS9XH1LGW7Xhrg7CIG0gEe5cVjxrkmumne%2B%2Fd%2FBQagomnCKzfbwdExaO45sfA9rz4eQtyfLzFifYoRXDRtJK7P%2BNmISkv0Qz9FGIgXrrPDvmwJevgry%2FaMfiTEa2%2BxSDdWf9e6kdZW5YBVuxEdpGowcPsPEkpbdiSG12pG", "https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578437&Signature=HM1ThjLEyrQmeLst3eY3osRWxC6ETs2RVbR4uKhN5emP%2Fe3Jbf6OsLPvmoAyaPTh%2B9RLyjIrqyR3f4rwg%2B4kkyiEZCyCkGKSRvQK4zC8eMuq80kOGYcvFLPwtvcH20xe7%2FPhGk2au3z4GfauzR1s8meGtQYRDlmXZARLTB2G0tno%2FJOq8rNm7NLHvVH1MpMBoQ47RRIwE0ecUUSYXmQGMAOQVAgmigrpydiFzFYN2wYJDkmfVTmEc9kylTmQ", "https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583501&Signature=igubOWmez%2BKPjBiU2Af7vHhJ5SwgwsKaafuyzobymmqUDs%2F8vkuh1A%2BbsMADWo0B%2FBEZht3BD%2B1%2FvItWrcfBgja57sMCBln9vBXfK7nCclcy9%2BeujGu7wlQLlhyfAeGNd8suRdK8x4WrJJ5bdqfAh7Ns0mOjPliF9uu3UJ9I7qH6N5IAd%2Bkb8h7Xce%2F%2BavnF8jLmHHwwCP5ILzgNRc94rmrWFp5eXzxQ3aHd9btY2D", "https://vtbehaviour.commondatastorage.googleapis.com/e6f203e988e7aa801739359c6222dcb181d290fc10de5f61d354d43f8557daa0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583905&Signature=QPgFBr8MN1iCe8SwxWZ4BgTfkaViEC4PHLzUrGQ3Jdndo8Z44osVc0CIRcnkJJtNDFU03AM82A8wJ2jMjaFYoEbthsaxPWWufSulM8nS%2BU8RoCr04jUq5GnAWPVNjxukSTbgD0F7pUSf0pVaFwwvpSWCQ6hedQEwF52DQyViV8u9UDOeLii4rkmRlMfMlGIsxIP4CEwy0Gy8Q7Lw6FX8cxG%2FehoJatyiwaFdwwbbLbnu2lQHDaZuwZ38Oy", "https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583790&Signature=K2lWpuyPxZ8FgvBVeyB6hsfMbuIBkRXd522JtGonUcHxxtwoomV2fuuFbXC5edVAoGPuZJ24D%2Fv7rEHOHYCS2347F4Mq0VQr0PQt68rfbA8DBHTGs1XBS3QFLveflOjIkNzmhJWg23fuvM%2F1Ci0jSxKnR5XeURTArrkbf5eYA72p4QUFMKDgYO6kRpNXHLuDocJdXWjM7AiQ7ZBQdx%2F%2FeNZgb7k7s%2FPTzGuZ%2FTgEvxiGAiaV6PghFIIPSj", "https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583388&Signature=L5dgUL09kvWOiINZMa%2FvgcDAW5AFV%2Fqie184iaXQKGccuTzwDYsyx0%2BhI%2FxOXIkON%2Bw0RoRuoasFag44WeapuTjlnv8di%2FZ8iWJdeRGqWOdJ8P4EAPZIICsU%2BxjXP%2BzOSNTz5tcekdSceS%2BkTyDYMO%2F9QxZVwsIV1WnvZaGiR%2BOKIfs4YFXgeGWc23ktkKxbRfeKQY1kFyHTh8Re3lBLC%2Fkq%2FExvl7kqxKIebqquWmo%", "https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583872&Signature=cfVN9vaAZ5UXUaFiEoATwrbKG2RNxzOu3wiH5KMlXdPxTgtpQ920ONEqOhhUb8MNxJwW3AVsCAahYTLdN3FigRPmjIClNTYz%2BoS%2BDl354Z4ZxefdKjl0HJ4%2FmGuzVTBNtc6pftGk4VMAvjgoerYhBf6Olu3ajrMT3h89lKsdBSGc6ra20Btzd%2BzY3Uh1J2gPZ%2BzZPHkTbR0OUTh3oorvIq9Fue8rDbL6PzZLxfPFEZ%2FFCRUnFo", "https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583838&Signature=dw6B7oYQHQ1CxhfF67YE3TZfvqWvO%2FgErgu9Ms4R462ssOAuET7%2F9guBVvhETqvO7ClziwNXLV%2F31SM7aYXjXEUOmfJtHqf5vpFUCub63bX6a1GILj%2BtbX8EmURT4JftAGT%2BwDdgQnHX3y5MvnWd9NpYE8TTYStcf%2BQOWZLWiMNe%2BSxjpsMyOG2ryZdsm7iCyH%2BWdXrvG%2Bh9ccwxPOnUOwoOxUV3hp1ifVzCkbUtYySGTom29VJ8", "https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583383&Signature=N7snLsiqkPikwYU0zKl8QxasbcLXiGFXIFaIVT%2FEvzaLWUbnPEkuvuuOAxz9la0bmVndAimDsaexUgrGErDmDbBZ46apRuUnYH3GwBNvZ3YaBIVII4IfP8kDN%2Bi2b3meTPaoyhnWR4UIuYord2Ejg5nAYQ3FJxv4KKyrm8NTlU1cEHTpiBToFL3AVBUOHvCUQ4T1wRMpgO6%2FmyokYYZl8GZa4tjpI%2BncAIOTAfOZePVQ7sAnKHmckU", "https://viz.greynoise.io/analysis/b5c2d562-eee0-46cb-8696-0585e3ce27b8" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4402, "URL": 1463, "domain": 621, "hostname": 1159, "FileHash-MD5": 423, "FileHash-SHA1": 423 }, "indicator_count": 8491, "is_author": false, "is_subscribing": null, "subscriber_count": 134, "modified_text": "595 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "667af3df55de77efb0309afe", "name": "Norton's Elevated Cybersecurity Team at it's best - W11 PC - 01.18.24", "description": "Norton's Elevated Cybersecurity Team at it's best - W11 PC - 01.18.24\nRead: https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/summary for Summary of their 'elite team' & their efforts", "modified": "2024-08-30T17:04:50.688000", "created": "2024-06-25T16:44:15.585000", "tags": [ "please", "javascript" ], "references": [ "https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/summary", "https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/iocs", "https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/graph" ], "public": 1, "adversary": "Norton Telus", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 857, "FileHash-MD5": 44, "FileHash-SHA1": 38, "FileHash-SHA256": 1942, "domain": 593, "hostname": 762 }, "indicator_count": 4236, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "597 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6620419d5922de85f4e42163", "name": "Microsoft Edge", "description": "Just some Browser Stuff\nC:\\Program Files (x86)\\Microsoft\\\nEdge\nEdgecore\nEdgeUpdate\nEdgeWebview\nTemp", "modified": "2024-08-30T16:02:04.572000", "created": "2024-04-17T21:39:41.184000", "tags": [ "please", "javascript", "Microsoft Edge" ], "references": [ "https://www.virustotal.com/gui/collection/08db79bb721ab9568968fe40f29aedc39ba2b57e9bc9c67ac034b54a9b6d739f/iocs", "https://www.virustotal.com/gui/collection/08db79bb721ab9568968fe40f29aedc39ba2b57e9bc9c67ac034b54a9b6d739f/graph", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.virustotal.com/gui/collection/08db79bb721ab9568968fe40f29aedc39ba2b57e9bc9c67ac034b54a9b6d739f/summary" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1546.010", "name": "AppInit DLLs", "display_name": "T1546.010 - AppInit DLLs" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1542.001", "name": "System Firmware", "display_name": "T1542.001 - System Firmware" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Education", "Government", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 6, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 288, "FileHash-SHA1": 122, "FileHash-SHA256": 1149, "URL": 246, "domain": 110, "hostname": 110 }, "indicator_count": 2025, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "597 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6695e27f356a22d97fba5ca8", "name": "Critical attack/s continues to affect YouTube Creator/s account/s", "description": "Related to YouTube creator/s attack/s. Found as part of Jays Youtube Bot.exe and YouTube bots.\nFull CnC, access and id devices. Redirects views, resells. spoofs, binds and/or accounts. FRAUD! \nReference: YARA Signature Match - THOR APT Scanner\nRULE: SUSP_Wextract_Anomaly_Unsigned_May23\nRULE_SET: Livehunt - Suspicious290 Indicators \ud83c\udff9\nRULE_TYPE: THOR APT Scanner's rule set only \ud83d\udd28\nRULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_Wextract_Anomaly_Unsigned_May23\nDESCRIPTION: Detects an anomalous unsigned wextract that contains additional code and has been seen abused to deliver malware\nREFERENCE: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/deconstructing-amadeys-latest-multi-stage-attack-and-malware-distribution/\nRULE_AUTHOR: X__Junior\nThor for details #susp_wextract_anomaly_unsigned_may23", "modified": "2024-08-15T02:00:24.886000", "created": "2024-07-16T03:01:17.316000", "tags": [ "win32 exe", "wextract", "kb file", "files", "file type", "javascript", "graph", "ip detections", "country", "userprofile", "runtime modules", "samplepath", "delnoderundll32", "mpgph131 hr", "hourly rl", "highest c", "mpgph131 lg", "onlogon rl", "highest", "process", "registrya", "registry keys", "registry", "windows policy", "shell folders", "file execution", "binary data", "security center", "text c", "peexe c", "xml c", "zip c", "file system", "written c", "dropped", "hashes", "windows nt", "wow64", "referer https", "date thu", "get https", "request", "gecko response", "gmt connection", "gmt vary", "etag", "accept", "win64", "query", "windows get", "internal", "set file", "create", "create process", "windows read", "shutdown system", "modify access", "delete registry", "enumerate", "behavior tags", "k0pmbc", "spsfsb", "ctsu", "efq78c", "egw7od", "en3i8d", "i6ydgd", "iz1fbc", "izt63", "kum7z", "vs2003", "sp1 build", "contained", "info compiler", "products", "header intel", "name md5", "type", "language", "simplified", "army", "variant sides", "with russia", "ramnit", "netsupport rat", "sneaky server", "replacement", "unauthorized", "sim unlock", "emotet", "chaos", "malicious", "critical", "copy", "life", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "cc linker", "urls", "gandi sas", "domains", "cloudflare", "ii llc", "psiusa", "domain robot", "ltd dba", "com laude", "ascio", "contacted", "ms word", "document", "b file", "html", "javascript jac", "html iu3", "executed by usa", "#wextract", "#unsigned", "thor", "stealer", "evader", "systemroot", "grum", "high", "delete c", "cape", "write", "103 read", "clsid read", "date read", "trojan", "united", "unknown", "status", "cname", "creation date", "search", "as1921", "austria unknown", "emails", "expiration date", "date", "pragma", "next", "passive dns", "backdoor", "win32", "scan endpoints", "all scoreblue", "ipv4", "usa", "co", "teams", "cybercrime", "spoof", "benjamin", "dynamicloader", "write c", "pe32 executable", "show", "yara rule", "windows", "recon", "worm", "powershell", "june", "delphi", "malware", "malice", "retaliation", "through the nights", "apple", "lenovo", "ios", "hackers", "move", "moved" ], "references": [ "WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4", "MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com", "CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^", "CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan", "CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)", "CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)", "CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)", "CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)", "CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data", "CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)", "CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)", "CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)", "CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent", "CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet", "CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com", "Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)", "Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered", "Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645", "Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI", "https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection", "Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2", "https://www.youtube.com/watch?v=GyuMozsVyYs", "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"", "https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004", "http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&", "https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr", "nr-data.net [Apple Private Data Collection]", "https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic", "https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "WAT:Blacked-E", "display_name": "WAT:Blacked-E", "target": null }, { "id": "Win32:RmnDrp [Inf]", "display_name": "Win32:RmnDrp [Inf]", "target": null }, { "id": "AI:FileInfector.EAEEA7850C", "display_name": "AI:FileInfector.EAEEA7850C", "target": null }, { "id": "Virus.Ramnit/Nimnul", "display_name": "Virus.Ramnit/Nimnul", "target": null }, { "id": "Trojan.Crifi.1", "display_name": "Trojan.Crifi.1", "target": null }, { "id": "Trojan.MSIL.Injurer.cbd", "display_name": "Trojan.MSIL.Injurer.cbd", "target": null }, { "id": "Win.Downloader.Small-1645", "display_name": "Win.Downloader.Small-1645", "target": null }, { "id": "Trojan:Win32/Scrarev.C", "display_name": "Trojan:Win32/Scrarev.C", "target": "/malware/Trojan:Win32/Scrarev.C" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Speesipro.A", "display_name": "Trojan:Win32/Speesipro.A", "target": "/malware/Trojan:Win32/Speesipro.A" }, { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Backdoor:Win32/Likseput.B", "display_name": "Backdoor:Win32/Likseput.B", "target": "/malware/Backdoor:Win32/Likseput.B" }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer", "display_name": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1134.004", "name": "Parent PID Spoofing", "display_name": "T1134.004 - Parent PID Spoofing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003.007", "name": "Proc Filesystem", "display_name": "T1003.007 - Proc Filesystem" }, { "id": "T1042", "name": "Change Default File Association", "display_name": "T1042 - Change Default File Association" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Media", "Technology", "Civil Society", "Crime Victims" ], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4312, "domain": 1056, "hostname": 1818, "URL": 5125, "FileHash-MD5": 310, "FileHash-SHA1": 221, "email": 3 }, "indicator_count": 12845, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "612 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&", "https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583838&Signature=dw6B7oYQHQ1CxhfF67YE3TZfvqWvO%2FgErgu9Ms4R462ssOAuET7%2F9guBVvhETqvO7ClziwNXLV%2F31SM7aYXjXEUOmfJtHqf5vpFUCub63bX6a1GILj%2BtbX8EmURT4JftAGT%2BwDdgQnHX3y5MvnWd9NpYE8TTYStcf%2BQOWZLWiMNe%2BSxjpsMyOG2ryZdsm7iCyH%2BWdXrvG%2Bh9ccwxPOnUOwoOxUV3hp1ifVzCkbUtYySGTom29VJ8", "Yara Detections: SUSP_Unsigned_GoogleUpdate OriginalFilenameGoogleUpdate.exe | Alerts cape_extracted_content", "CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "https://cve.mitre.org/images/youtube.png | https://cve.mitre.org/includes/browserheight.js | https://cve.mitre.org/includes/jquery-3.2.1.min.js", "https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583501&Signature=igubOWmez%2BKPjBiU2Af7vHhJ5SwgwsKaafuyzobymmqUDs%2F8vkuh1A%2BbsMADWo0B%2FBEZht3BD%2B1%2FvItWrcfBgja57sMCBln9vBXfK7nCclcy9%2BeujGu7wlQLlhyfAeGNd8suRdK8x4WrJJ5bdqfAh7Ns0mOjPliF9uu3UJ9I7qH6N5IAd%2Bkb8h7Xce%2F%2BavnF8jLmHHwwCP5ILzgNRc94rmrWFp5eXzxQ3aHd9btY2D", "https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark", "https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://aplikacja.ceidg.gov.pl/ceidg.cms.engine/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet", "https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details", "uat.drw.hcahealthcare.cloud | developers.t-mobile.pl | kwvjuemg.exe", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary", "Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD", "https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578339&Signature=fTYUE3KoGSnr2%2BSrv9dZpgk3uXJc2rf%2BQeCyhAVDWiuiHGaYqhFHfgzQD2KheomXUSHne5MCvS9XH1LGW7Xhrg7CIG0gEe5cVjxrkmumne%2B%2Fd%2FBQagomnCKzfbwdExaO45sfA9rz4eQtyfLzFifYoRXDRtJK7P%2BNmISkv0Qz9FGIgXrrPDvmwJevgry%2FaMfiTEa2%2BxSDdWf9e6kdZW5YBVuxEdpGowcPsPEkpbdiSG12pG", "https://www.virustotal.com/graph/embed/g4d28c765e54941129dbbf8d4a8dc25bb3b5452f14e0a4886a0af0c2991188611?theme=dark", "CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data", "CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)", "https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/graph", "https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr", "Antivirus Detections: Ransom:Win32/Wannaren.A UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX Alerts procmem_yara creates_largekey process_creation_suspicious_location network_bind deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window cape_extracted_content injection_rwx network_http", "https://www.youtube.com/watch?v=GyuMozsVyYs", "https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004", "CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize", "Tulach IP: 114.114.114.114", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | https://cve.mitre.org/css/main.css", "Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com", "Alerts: network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window", "record-viewer-application.hcahealthcare.cloud", "https://cve.mitre.org/images/cvelogobanner.png | https://cve.mitre.org/images/linkedin.jpg | https://cve.mitre.org/images/medium.png", "Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042", "MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "https://www.virustotal.com/gui/file/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832/relations", "Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan", "^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2", "https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583790&Signature=K2lWpuyPxZ8FgvBVeyB6hsfMbuIBkRXd522JtGonUcHxxtwoomV2fuuFbXC5edVAoGPuZJ24D%2Fv7rEHOHYCS2347F4Mq0VQr0PQt68rfbA8DBHTGs1XBS3QFLveflOjIkNzmhJWg23fuvM%2F1Ci0jSxKnR5XeURTArrkbf5eYA72p4QUFMKDgYO6kRpNXHLuDocJdXWjM7AiQ7ZBQdx%2F%2FeNZgb7k7s%2FPTzGuZ%2FTgEvxiGAiaV6PghFIIPSj", "https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network", "TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645", "Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | cve.mitre.org", "CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent", "https://cve.mitre.org/css/print.css | https://cve.mitre.org/favicon.ico | https://cve.mitre.org/images/GitHub_round_sm", "Alerts: procmem_yara creates_largekey process_creation_suspicious_location network_bind cape_extracted_content", "Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,", "https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583383&Signature=N7snLsiqkPikwYU0zKl8QxasbcLXiGFXIFaIVT%2FEvzaLWUbnPEkuvuuOAxz9la0bmVndAimDsaexUgrGErDmDbBZ46apRuUnYH3GwBNvZ3YaBIVII4IfP8kDN%2Bi2b3meTPaoyhnWR4UIuYord2Ejg5nAYQ3FJxv4KKyrm8NTlU1cEHTpiBToFL3AVBUOHvCUQ4T1wRMpgO6%2FmyokYYZl8GZa4tjpI%2BncAIOTAfOZePVQ7sAnKHmckU", "https://www.virustotal.com/gui/collection/08db79bb721ab9568968fe40f29aedc39ba2b57e9bc9c67ac034b54a9b6d739f/iocs", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/iocs", "https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578437&Signature=HM1ThjLEyrQmeLst3eY3osRWxC6ETs2RVbR4uKhN5emP%2Fe3Jbf6OsLPvmoAyaPTh%2B9RLyjIrqyR3f4rwg%2B4kkyiEZCyCkGKSRvQK4zC8eMuq80kOGYcvFLPwtvcH20xe7%2FPhGk2au3z4GfauzR1s8meGtQYRDlmXZARLTB2G0tno%2FJOq8rNm7NLHvVH1MpMBoQ47RRIwE0ecUUSYXmQGMAOQVAgmigrpydiFzFYN2wYJDkmfVTmEc9kylTmQ", "https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark", "Alerts: deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request injection_rwx network_http", "Apple path:https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583872&Signature=cfVN9vaAZ5UXUaFiEoATwrbKG2RNxzOu3wiH5KMlXdPxTgtpQ920ONEqOhhUb8MNxJwW3AVsCAahYTLdN3FigRPmjIClNTYz%2BoS%2BDl354Z4ZxefdKjl0HJ4%2FmGuzVTBNtc6pftGk4VMAvjgoerYhBf6Olu3ajrMT3h89lKsdBSGc6ra20Btzd%2BzY3Uh1J2gPZ%2BzZPHkTbR0OUTh3oorvIq9Fue8rDbL6PzZLxfPFEZ%2FFCRUnFo", "https://cve.mitre.org/images/nvd-logo.png | https://cve.mitre.org/images/search_icon.png | https://cve.mitre.org/images/twitter.jpg", "https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583388&Signature=L5dgUL09kvWOiINZMa%2FvgcDAW5AFV%2Fqie184iaXQKGccuTzwDYsyx0%2BhI%2FxOXIkON%2Bw0RoRuoasFag44WeapuTjlnv8di%2FZ8iWJdeRGqWOdJ8P4EAPZIICsU%2BxjXP%2BzOSNTz5tcekdSceS%2BkTyDYMO%2F9QxZVwsIV1WnvZaGiR%2BOKIfs4YFXgeGWc23ktkKxbRfeKQY1kFyHTh8Re3lBLC%2Fkq%2FExvl7kqxKIebqquWmo%", "Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS) 'Swipper'", "https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection", "Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered", "CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)", "https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI", "CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)", "https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/iocs", "http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61", "CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)", "https://vtbehaviour.commondatastorage.googleapis.com/e6f203e988e7aa801739359c6222dcb181d290fc10de5f61d354d43f8557daa0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583905&Signature=QPgFBr8MN1iCe8SwxWZ4BgTfkaViEC4PHLzUrGQ3Jdndo8Z44osVc0CIRcnkJJtNDFU03AM82A8wJ2jMjaFYoEbthsaxPWWufSulM8nS%2BU8RoCr04jUq5GnAWPVNjxukSTbgD0F7pUSf0pVaFwwvpSWCQ6hedQEwF52DQyViV8u9UDOeLii4rkmRlMfMlGIsxIP4CEwy0Gy8Q7Lw6FX8cxG%2FehoJatyiwaFdwwbbLbnu2lQHDaZuwZ38Oy", "Yara Detections: LZMA , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)", "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"", "https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/summary", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/graph", "https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark", "https://viz.greynoise.io/analysis/b5c2d562-eee0-46cb-8696-0585e3ce27b8", "Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "cvename.cg | https://cve.mitre.org/cgi | https://cve.mitre.org/cgi-bin/cvename.cg... | https://cve.mitre.org/cgi-bin/cvename.cgi?nam...", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)", "https://www.virustotal.com/gui/collection/08db79bb721ab9568968fe40f29aedc39ba2b57e9bc9c67ac034b54a9b6d739f/summary", "https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic", "Antivirus Detections: #VirTool:Win32/Obfuscator.ADB | IDS Detections:Observed DNS Query to .biz TLD | Domains Contacted: pywolwnvd.biz", "https://twitter.com/PORNO_SEXYBABES | twitter.com | www.pornhub.com | www.anyxxxtube.net", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/summary", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "https://www.virustotal.com/gui/collection/08db79bb721ab9568968fe40f29aedc39ba2b57e9bc9c67ac034b54a9b6d739f/graph", "WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059\\", "TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d", "nr-data.net [Apple Private Data Collection]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Norton Telus" ], "malware_families": [ "Tulach malware", "Virus.ramnit/nimnul", "Trojan:win32/fakefolder", "Win.downloader.small-1645", "Trojan:win32/scrarev.c", "Alf:heraklezeval:ransom:win32/cve", "Alf:heraklezeval:trojanspy:win32/socstealer", "Trojan.msil.injurer.cbd", "Trojan:win32/blackmon", "Trojandownloader:win32/upatre", "Worm:win32/benjamin", "Trojandownloader:win32/cutwail.bs", "Trojan:win32/speesipro.a", "Backdoor:win32/likseput.b", "Ransom:win32/stopcrypt.ak!mtb", "Virus:win32/sality.at", "#virtool:win32/obfuscator.adb", "Trojan.crifi.1", "Trojandownloader:win32/nemucod", "Win32:rmndrp [inf]", "Wat:blacked-e", "Ai:fileinfector.eaeea7850c", "Trojan:win32/zombie.a", "Pws:win32/qqpass.b!mtb", "Ransom:win32/wannaren.a" ], "industries": [ "Telecommunications", "Education", "Media", "Civil society", "Networking", "Healthcare", "Government", "Civilian society", "Crime victims", "Technology" ], "unique_indicators": 54585 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/bytepoint.software", "whois": "http://whois.domaintools.com/bytepoint.software", "domain": "bytepoint.software", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "66d0a996b288ca46ab7e63ae", "name": "CEIDG (www.pitprojekt.pl , pitprojekt.pl) jak otworzy\u0107 firm\u0119, jak rozpocz\u0105\u0107 biznes, dzia\u0142alno\u015b\u0107 gospodarcza zak\u0142adanie, jak rozpocz\u0105\u0107 dzia\u0142alno\u015b\u0107 gospodarcz\u0105", "description": "Zawarte zasoby wed\u0142ug j\u0119zyka \u00c2\u00a31.1bn, a total of 7.4bn euros ($9.6bn; \u00a36.3bn)", "modified": "2024-12-05T21:16:06.820000", "created": "2024-08-29T17:02:13.392000", "tags": [ "admin", "asset", "dufur", "jnswj", "3px center", "saxla", "zjloj", "whasz htm", "oszczdno", "png ikona", "rt angielski", "angielski usa", "wersja rt", "narzuta chi2", "plik", "whasz", "bogaty hash", "sha256", "ssdeep", "schema", "strings", "guid", "blob", "sha256 file", "type type", "vhash", "imphash", "bvgquf", "cblrxf", "coqbmf", "efq78c", "gkrikb", "hdvrde", "hlo3ef", "izt63", "jnoxi", "kg2exe", "pejzasz", "rticon english", "english us", "chi2", "png rticon", "ico rtgroupicon", "code signing", "algorithm", "serial number", "sectigo public", "thumbprint", "rsa time", "valid from", "name sectigo", "valid", "valid usage", "ascii text", "neutral", "data rtcursor", "data rtdialog", "default", "rticon maori", "ceidg", "informacja o", "usugi", "z wniosek", "sprawd", "zarejestruj spk", "centralna", "ewidencja", "strona gwna", "formularze i", "sha1", "pehash", "richhash", "authentihash", "skrt", "system", "podaj", "windows z", "kreator", "dostawca", "wifi", "nazwa typ", "md5 nazwa", "imphasz", "kropelka", "smyczki", "zasb manifestu", "neutralny", "ikona rt", "zawarte zasoby", "md5 chi2", "ikonagrupyrt", "rtmanifest", "zawarte", "sha256 typ" ], "references": [ "https://aplikacja.ceidg.gov.pl/ceidg.cms.engine/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4501, "URL": 4559, "hostname": 1957, "domain": 729, "FileHash-MD5": 903, "FileHash-SHA1": 849, "IPv4": 180, "email": 3, "IPv6": 2, "CVE": 1 }, "indicator_count": 13684, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "499 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65f3e394bcf868816a29c2dc", "name": "Google Pixel 7a Devices - Telus ISP devices 'protected' by Norton", "description": "Exactly as above. I mean, out of all of the phones these ones make phonecalls (most of the time can send & receive calls). Can be a little tricky. Incomplete - it be doing it's own thing downloading/uploading stuff and heading down the 'way all the other phones went' route.", "modified": "2024-11-02T15:05:54.240000", "created": "2024-03-15T05:58:44.839000", "tags": [ "ISP", "Google", "Telus", "Norton", "Pixel" ], "references": [ "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/summary", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "https://www.virustotal.com/graph/embed/ga590434b8e274dc99fd39dd298c8c786abff51132c8d4646bb3fb3f1f4c3d100?theme=dark", "https://www.virustotal.com/graph/embed/g16457cd5ead246d99d2ecf37b965641b258cffddb8374ad194cdea194868d1ec?theme=dark", "https://www.virustotal.com/graph/embed/g2ef035cd31754a649909336c174aa141b9cca7e431994d12969e0d9d73a01b71?theme=dark", "https://www.virustotal.com/graph/embed/g1ea71614909243c1a291970fa39651a2d169deef25b7418fab2f0299221eb152?theme=dark", "https://www.virustotal.com/graph/embed/g20d14d97883a4127a500c45fcfb6e3e4961a30ef4bf74db7ab918bcbdb3f476b?theme=dark", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "", "https://www.filescan.io/uploads/66feb74d83903120b70c820f/reports/0a3a6c27-a872-4e0c-86a4-0fc690fb5ecd/details", "https://tip.neiki.dev/file/fb0b66efe3b780270db0693b6df42dd08068428b86fc1a579fe5117d4ae76e07/network", "http://www.hybrid-analysis.com/file-collection/66febb8ee0244a7af5014d61" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Telecommunications", "Technology", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1231, "FileHash-SHA1": 1215, "FileHash-SHA256": 99653, "URL": 158638, "domain": 49468, "hostname": 77233, "email": 6, "CIDR": 5450, "CVE": 55 }, "indicator_count": 392949, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "533 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c08b488620dac7697026c7", "name": "Fakefolder | Ransom:Win32/CVE affecting HCA Healthcare cloud", "description": "Cloud computing - User Acceptance Testing (UAT)\napparently used by HCA one of the nations leading healthcare providers. It's seems HCA's cloud is compromised. The cloud has a number of high priority vulnerabilities, malware, ransomware, zero day, etc. Patient accounts aiming involved, (some patients received letters of serious PII, PHI compromise) lost records, patient blacklisting, hacking, and nefarious manipulations by providers. I've been made aware of CORHIO closing compromised patient accounts. Some patients account access and data has reportedly been lost.\n#VirTool:Win32/Obfuscator.ADB\nALF:HeraklezEval:Ransom:Win32/CVE\nRansom:Win32/StopCrypt.AK!MTB\nRansom:Win32/Wannaren.A\nTrojan:Win32/BlackMon\nTrojan:Win32/Fakefolder\nTulach Malware", "modified": "2024-10-15T14:02:54.772000", "created": "2024-08-17T11:36:40.810000", "tags": [ "microsoft edge", "iocs", "alberta ndp", "security", "vc rescue", "disk", "apple", "google", "windows", "powershell", "security https", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "site", "cisco umbrella", "alexa top", "blacklist", "million", "mail spammer", "firehol", "ip address", "noname057", "anonymizer", "firehol proxy", "proxy", "india mail", "malware", "full name", "first", "v3 serial", "number", "cus odigicert", "global tls", "rsa4096 sha256", "ca1 validity", "subject public", "key info", "dns replication", "date", "script script", "as12912", "a domains", "a li", "poland unknown", "t mobile", "domains", "przejd", "passive dns", "authority", "meta", "accept", "cname", "record type", "ttl value", "aaaa", "poland", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "location poland", "asnone united", "moved", "location", "vary", "accept encoding", "content type", "virtool", "related pulses", "file samples", "files matching", "show", "search", "date hash", "next", "showing", "as39198", "body", "window", "certificate", "hostname", "unknown", "red bull", "script urls", "as2828 verizon", "ireland unknown", "gmt content", "as8068", "as8075", "servers", "creation date", "united", "trojan", "trojan features", "win32", "msr aug", "urls", "reverse dns", "trojandropper", "historical ssl", "referrer", "infiltrate", "threat network", "malicious", "snapchat", "eternal blue", "sneaky simay", "groups", "covert", "probe", "whois lookup", "domain name", "united", "as15169 google", "a nxdomain", "germany", "dynamicloader", "yara rule", "high", "medium", "port", "dynamic", "domain", "file name", "pcap", "copy", "url host", "port method", "user agent", "okrnserver", "002000", "hit tcpmemhit", "algorithm", "data", "cus oentrust", "entrust", "l1k validity", "cpl lwarszawa", "ot mobile", "status", "name servers", "as6354", "mtb aug", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "location united", "win32 exe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "vs2010", "info compiler", "products", "vs2008", "header intel", "name md5", "type", "language", "ascii text", "cyrillic", "registrar of", "domain names", "ii llc", "contacted", "file type", "mb file", "graph", "ip detections", "country", "type name", "network", "tsara brashears", "december", "typhon reborn", "speakez securus", "hacktool", "emotet", "formbook", "critical", "installer", "tofsee", "hiddentear", "cnc", "email collection", "apple data", "data collection", "tsara brashears", "for privacy", "record value", "emails", "expiration date", "swipper", "tulach", "aitm", "query", "observed dns", "activity dns", "total", "google llc", "pe32", "write", "april", "defender", "otx telemetry", "win32cve aug", "polska s", "copyright", "levelblue", "dashboard", "pulse submit", "url analysis", "as20940", "as16625 akamai", "entrustdns", "france", "entries", "refresh", "443 ma2592000", "net174", "net1740000", "mcics", "read c", "write c", "tlsv1", "default", "module load", "execution", "dock", "persistence", "xport", "redacted for", "privacy tech", "privacy admin", "organization", "postal code", "stateprovince", "server", "registrar abuse", "code", "high priority", "critical", "CVE-2023-29059" ], "references": [ "uat.drw.hcahealthcare.cloud | developers.t-mobile.pl | kwvjuemg.exe", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "Antivirus Detections: Ransom:Win32/Wannaren.A UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX Alerts procmem_yara creates_largekey process_creation_suspicious_location network_bind deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window cape_extracted_content injection_rwx network_http", "Yara Detections: LZMA , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "Alerts: procmem_yara creates_largekey process_creation_suspicious_location network_bind cape_extracted_content", "Alerts: deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request injection_rwx network_http", "Alerts: network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window", "nr-data.net [Apple Private Data Collection]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://twitter.com/PORNO_SEXYBABES | twitter.com | www.pornhub.com | www.anyxxxtube.net", "Apple path:https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "record-viewer-application.hcahealthcare.cloud", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "Tulach IP: 114.114.114.114", "Antivirus Detections: #VirTool:Win32/Obfuscator.ADB | IDS Detections:Observed DNS Query to .biz TLD | Domains Contacted: pywolwnvd.biz", "Yara Detections: SUSP_Unsigned_GoogleUpdate OriginalFilenameGoogleUpdate.exe | Alerts cape_extracted_content", "Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS) 'Swipper'", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059\\", "cvename.cg | https://cve.mitre.org/cgi | https://cve.mitre.org/cgi-bin/cvename.cg... | https://cve.mitre.org/cgi-bin/cvename.cgi?nam...", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | https://cve.mitre.org/css/main.css", "https://cve.mitre.org/images/cvelogobanner.png | https://cve.mitre.org/images/linkedin.jpg | https://cve.mitre.org/images/medium.png", "https://cve.mitre.org/images/nvd-logo.png | https://cve.mitre.org/images/search_icon.png | https://cve.mitre.org/images/twitter.jpg", "https://cve.mitre.org/images/youtube.png | https://cve.mitre.org/includes/browserheight.js | https://cve.mitre.org/includes/jquery-3.2.1.min.js", "https://cve.mitre.org/css/print.css | https://cve.mitre.org/favicon.ico | https://cve.mitre.org/images/GitHub_round_sm", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | cve.mitre.org" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/BlackMon", "display_name": "Trojan:Win32/BlackMon", "target": "/malware/Trojan:Win32/BlackMon" }, { "id": "Trojan:Win32/Fakefolder", "display_name": "Trojan:Win32/Fakefolder", "target": "/malware/Trojan:Win32/Fakefolder" }, { "id": "Ransom:Win32/Wannaren.A", "display_name": "Ransom:Win32/Wannaren.A", "target": "/malware/Ransom:Win32/Wannaren.A" }, { "id": "Ransom:Win32/StopCrypt.AK!MTB", "display_name": "Ransom:Win32/StopCrypt.AK!MTB", "target": "/malware/Ransom:Win32/StopCrypt.AK!MTB" }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "ALF:HeraklezEval:Ransom:Win32/CVE", "display_name": "ALF:HeraklezEval:Ransom:Win32/CVE", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [ "Healthcare", "Technology", "Civilian Society", "Telecommunications", "Networking" ], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1975, "FileHash-SHA1": 1731, "FileHash-SHA256": 4646, "URL": 636, "domain": 283, "hostname": 798, "email": 12, "CVE": 3, "SSLCertFingerprint": 2 }, "indicator_count": 10086, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "670c5ff728e6e5b891e26e45", "name": "IOC", "description": "", "modified": "2024-10-14T00:04:07.913000", "created": "2024-10-14T00:04:07.913000", "tags": [ "admin", "asset", "dufur", "jnswj", "3px center", "saxla", "zjloj", "whasz htm", "oszczdno", "png ikona", "rt angielski", "angielski usa", "wersja rt", "narzuta chi2", "plik", "whasz", "bogaty hash", "sha256", "ssdeep", "schema", "strings", "guid", "blob", "sha256 file", "type type", "vhash", "imphash", "bvgquf", "cblrxf", "coqbmf", "efq78c", "gkrikb", "hdvrde", "hlo3ef", "izt63", "jnoxi", "kg2exe", "pejzasz", "rticon english", "english us", "chi2", "png rticon", "ico rtgroupicon", "code signing", "algorithm", "serial number", "sectigo public", "thumbprint", "rsa time", "valid from", "name sectigo", "valid", "valid usage", "ascii text", "neutral", "data rtcursor", "data rtdialog", "default", "rticon maori", "ceidg", "informacja o", "usugi", "z wniosek", "sprawd", "zarejestruj spk", "centralna", "ewidencja", "strona gwna", "formularze i", "sha1", "pehash", "richhash", "authentihash", "skrt", "system", "podaj", "windows z", "kreator", "dostawca", "wifi", "nazwa typ", "md5 nazwa", "imphasz", "kropelka", "smyczki", "zasb manifestu", "neutralny", "ikona rt", "zawarte zasoby", "md5 chi2", "ikonagrupyrt", "rtmanifest", "zawarte", "sha256 typ" ], "references": [ "https://aplikacja.ceidg.gov.pl/ceidg.cms.engine/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": "66d0a996b288ca46ab7e63ae", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "WayneState", "id": "296756", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4243, "URL": 4550, "hostname": 1957, "domain": 729, "FileHash-MD5": 801, "FileHash-SHA1": 747, "IPv4": 180, "email": 3, "IPv6": 2 }, "indicator_count": 13212, "is_author": false, "is_subscribing": null, "subscriber_count": 4, "modified_text": "552 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "669ac41b3186b8cc8c40e9e3", "name": "Powershell", "description": "Matches rule PowerShell Module File Created By Non-PowerShell Process by Nasreddine Bencherchali\nDetects creation of a new PowerShell module \".psm1\", \".psd1\", \".dll\", \".ps1\", etc. by a non-PowerShell process\n\nFilescan.io\nWindowsPowerShell.zip\napplication/zip\nMD5:\n07d37fc575e373f878ae3c7cca2bfc25\nSHA1:\na2fc89aba12f8739184d44d0fffbe6323d9654eb\nSHA256:\ne75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832\nSHA512:\n36dc7349d052cd474818a6ae3149eda469d829cf2e4d9a0e55252468cdf9e9704d5293b8b4f73b4a25b07f8c8dd8eeab2ed18bbb1ff7d76958b51eb555562339\n\nTriage:\nhttps://tria.ge/240719-taxv5aydlj\nhttps://tria.ge/240719-tfpfyasdqh\nhttps://tria.ge/240719-tj9laasfke\nhttps://tria.ge/240719-tnb6kssgmc\nhttps://tria.ge/240719-trwpdsshqh\nhttps://tria.ge/240719-tv84wstbkg\nhttps://tria.ge/240719-t1hh5atcpd\nhttps://tria.ge/240719-t7wpbszgkl\n\nMalcore: https://app.malcore.io/share/652553f6aec33d70a1dbbd25/669993193506cdb760b3f36a\n\nKaspersky: E75FF18EE5C7226E225AA9959DF439F1488DF8CD3D43F5471361ED0426700832", "modified": "2024-09-01T17:02:12.379000", "created": "2024-07-19T19:52:59.626000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/summary", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/iocs", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/graph", "https://www.virustotal.com/graph/embed/g4d28c765e54941129dbbf8d4a8dc25bb3b5452f14e0a4886a0af0c2991188611?theme=dark", "https://www.virustotal.com/gui/file/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832/relations", "https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578339&Signature=fTYUE3KoGSnr2%2BSrv9dZpgk3uXJc2rf%2BQeCyhAVDWiuiHGaYqhFHfgzQD2KheomXUSHne5MCvS9XH1LGW7Xhrg7CIG0gEe5cVjxrkmumne%2B%2Fd%2FBQagomnCKzfbwdExaO45sfA9rz4eQtyfLzFifYoRXDRtJK7P%2BNmISkv0Qz9FGIgXrrPDvmwJevgry%2FaMfiTEa2%2BxSDdWf9e6kdZW5YBVuxEdpGowcPsPEkpbdiSG12pG", "https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578437&Signature=HM1ThjLEyrQmeLst3eY3osRWxC6ETs2RVbR4uKhN5emP%2Fe3Jbf6OsLPvmoAyaPTh%2B9RLyjIrqyR3f4rwg%2B4kkyiEZCyCkGKSRvQK4zC8eMuq80kOGYcvFLPwtvcH20xe7%2FPhGk2au3z4GfauzR1s8meGtQYRDlmXZARLTB2G0tno%2FJOq8rNm7NLHvVH1MpMBoQ47RRIwE0ecUUSYXmQGMAOQVAgmigrpydiFzFYN2wYJDkmfVTmEc9kylTmQ", "https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583501&Signature=igubOWmez%2BKPjBiU2Af7vHhJ5SwgwsKaafuyzobymmqUDs%2F8vkuh1A%2BbsMADWo0B%2FBEZht3BD%2B1%2FvItWrcfBgja57sMCBln9vBXfK7nCclcy9%2BeujGu7wlQLlhyfAeGNd8suRdK8x4WrJJ5bdqfAh7Ns0mOjPliF9uu3UJ9I7qH6N5IAd%2Bkb8h7Xce%2F%2BavnF8jLmHHwwCP5ILzgNRc94rmrWFp5eXzxQ3aHd9btY2D", "https://vtbehaviour.commondatastorage.googleapis.com/e6f203e988e7aa801739359c6222dcb181d290fc10de5f61d354d43f8557daa0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583905&Signature=QPgFBr8MN1iCe8SwxWZ4BgTfkaViEC4PHLzUrGQ3Jdndo8Z44osVc0CIRcnkJJtNDFU03AM82A8wJ2jMjaFYoEbthsaxPWWufSulM8nS%2BU8RoCr04jUq5GnAWPVNjxukSTbgD0F7pUSf0pVaFwwvpSWCQ6hedQEwF52DQyViV8u9UDOeLii4rkmRlMfMlGIsxIP4CEwy0Gy8Q7Lw6FX8cxG%2FehoJatyiwaFdwwbbLbnu2lQHDaZuwZ38Oy", "https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583790&Signature=K2lWpuyPxZ8FgvBVeyB6hsfMbuIBkRXd522JtGonUcHxxtwoomV2fuuFbXC5edVAoGPuZJ24D%2Fv7rEHOHYCS2347F4Mq0VQr0PQt68rfbA8DBHTGs1XBS3QFLveflOjIkNzmhJWg23fuvM%2F1Ci0jSxKnR5XeURTArrkbf5eYA72p4QUFMKDgYO6kRpNXHLuDocJdXWjM7AiQ7ZBQdx%2F%2FeNZgb7k7s%2FPTzGuZ%2FTgEvxiGAiaV6PghFIIPSj", "https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583388&Signature=L5dgUL09kvWOiINZMa%2FvgcDAW5AFV%2Fqie184iaXQKGccuTzwDYsyx0%2BhI%2FxOXIkON%2Bw0RoRuoasFag44WeapuTjlnv8di%2FZ8iWJdeRGqWOdJ8P4EAPZIICsU%2BxjXP%2BzOSNTz5tcekdSceS%2BkTyDYMO%2F9QxZVwsIV1WnvZaGiR%2BOKIfs4YFXgeGWc23ktkKxbRfeKQY1kFyHTh8Re3lBLC%2Fkq%2FExvl7kqxKIebqquWmo%", "https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583872&Signature=cfVN9vaAZ5UXUaFiEoATwrbKG2RNxzOu3wiH5KMlXdPxTgtpQ920ONEqOhhUb8MNxJwW3AVsCAahYTLdN3FigRPmjIClNTYz%2BoS%2BDl354Z4ZxefdKjl0HJ4%2FmGuzVTBNtc6pftGk4VMAvjgoerYhBf6Olu3ajrMT3h89lKsdBSGc6ra20Btzd%2BzY3Uh1J2gPZ%2BzZPHkTbR0OUTh3oorvIq9Fue8rDbL6PzZLxfPFEZ%2FFCRUnFo", "https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583838&Signature=dw6B7oYQHQ1CxhfF67YE3TZfvqWvO%2FgErgu9Ms4R462ssOAuET7%2F9guBVvhETqvO7ClziwNXLV%2F31SM7aYXjXEUOmfJtHqf5vpFUCub63bX6a1GILj%2BtbX8EmURT4JftAGT%2BwDdgQnHX3y5MvnWd9NpYE8TTYStcf%2BQOWZLWiMNe%2BSxjpsMyOG2ryZdsm7iCyH%2BWdXrvG%2Bh9ccwxPOnUOwoOxUV3hp1ifVzCkbUtYySGTom29VJ8", "https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583383&Signature=N7snLsiqkPikwYU0zKl8QxasbcLXiGFXIFaIVT%2FEvzaLWUbnPEkuvuuOAxz9la0bmVndAimDsaexUgrGErDmDbBZ46apRuUnYH3GwBNvZ3YaBIVII4IfP8kDN%2Bi2b3meTPaoyhnWR4UIuYord2Ejg5nAYQ3FJxv4KKyrm8NTlU1cEHTpiBToFL3AVBUOHvCUQ4T1wRMpgO6%2FmyokYYZl8GZa4tjpI%2BncAIOTAfOZePVQ7sAnKHmckU", "https://viz.greynoise.io/analysis/b5c2d562-eee0-46cb-8696-0585e3ce27b8" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4402, "URL": 1463, "domain": 621, "hostname": 1159, "FileHash-MD5": 423, "FileHash-SHA1": 423 }, "indicator_count": 8491, "is_author": false, "is_subscribing": null, "subscriber_count": 134, "modified_text": "595 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "667af3df55de77efb0309afe", "name": "Norton's Elevated Cybersecurity Team at it's best - W11 PC - 01.18.24", "description": "Norton's Elevated Cybersecurity Team at it's best - W11 PC - 01.18.24\nRead: https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/summary for Summary of their 'elite team' & their efforts", "modified": "2024-08-30T17:04:50.688000", "created": "2024-06-25T16:44:15.585000", "tags": [ "please", "javascript" ], "references": [ "https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/summary", "https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/iocs", "https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/graph" ], "public": 1, "adversary": "Norton Telus", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 857, "FileHash-MD5": 44, "FileHash-SHA1": 38, "FileHash-SHA256": 1942, "domain": 593, "hostname": 762 }, "indicator_count": 4236, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "597 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6620419d5922de85f4e42163", "name": "Microsoft Edge", "description": "Just some Browser Stuff\nC:\\Program Files (x86)\\Microsoft\\\nEdge\nEdgecore\nEdgeUpdate\nEdgeWebview\nTemp", "modified": "2024-08-30T16:02:04.572000", "created": "2024-04-17T21:39:41.184000", "tags": [ "please", "javascript", "Microsoft Edge" ], "references": [ "https://www.virustotal.com/gui/collection/08db79bb721ab9568968fe40f29aedc39ba2b57e9bc9c67ac034b54a9b6d739f/iocs", "https://www.virustotal.com/gui/collection/08db79bb721ab9568968fe40f29aedc39ba2b57e9bc9c67ac034b54a9b6d739f/graph", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.virustotal.com/gui/collection/08db79bb721ab9568968fe40f29aedc39ba2b57e9bc9c67ac034b54a9b6d739f/summary" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1546.010", "name": "AppInit DLLs", "display_name": "T1546.010 - AppInit DLLs" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1542.001", "name": "System Firmware", "display_name": "T1542.001 - System Firmware" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" } ], "industries": [ "Education", "Government", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 6, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 288, "FileHash-SHA1": 122, "FileHash-SHA256": 1149, "URL": 246, "domain": 110, "hostname": 110 }, "indicator_count": 2025, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "597 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6695e27f356a22d97fba5ca8", "name": "Critical attack/s continues to affect YouTube Creator/s account/s", "description": "Related to YouTube creator/s attack/s. Found as part of Jays Youtube Bot.exe and YouTube bots.\nFull CnC, access and id devices. Redirects views, resells. spoofs, binds and/or accounts. FRAUD! \nReference: YARA Signature Match - THOR APT Scanner\nRULE: SUSP_Wextract_Anomaly_Unsigned_May23\nRULE_SET: Livehunt - Suspicious290 Indicators \ud83c\udff9\nRULE_TYPE: THOR APT Scanner's rule set only \ud83d\udd28\nRULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_Wextract_Anomaly_Unsigned_May23\nDESCRIPTION: Detects an anomalous unsigned wextract that contains additional code and has been seen abused to deliver malware\nREFERENCE: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/deconstructing-amadeys-latest-multi-stage-attack-and-malware-distribution/\nRULE_AUTHOR: X__Junior\nThor for details #susp_wextract_anomaly_unsigned_may23", "modified": "2024-08-15T02:00:24.886000", "created": "2024-07-16T03:01:17.316000", "tags": [ "win32 exe", "wextract", "kb file", "files", "file type", "javascript", "graph", "ip detections", "country", "userprofile", "runtime modules", "samplepath", "delnoderundll32", "mpgph131 hr", "hourly rl", "highest c", "mpgph131 lg", "onlogon rl", "highest", "process", "registrya", "registry keys", "registry", "windows policy", "shell folders", "file execution", "binary data", "security center", "text c", "peexe c", "xml c", "zip c", "file system", "written c", "dropped", "hashes", "windows nt", "wow64", "referer https", "date thu", "get https", "request", "gecko response", "gmt connection", "gmt vary", "etag", "accept", "win64", "query", "windows get", "internal", "set file", "create", "create process", "windows read", "shutdown system", "modify access", "delete registry", "enumerate", "behavior tags", "k0pmbc", "spsfsb", "ctsu", "efq78c", "egw7od", "en3i8d", "i6ydgd", "iz1fbc", "izt63", "kum7z", "vs2003", "sp1 build", "contained", "info compiler", "products", "header intel", "name md5", "type", "language", "simplified", "army", "variant sides", "with russia", "ramnit", "netsupport rat", "sneaky server", "replacement", "unauthorized", "sim unlock", "emotet", "chaos", "malicious", "critical", "copy", "life", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "cc linker", "urls", "gandi sas", "domains", "cloudflare", "ii llc", "psiusa", "domain robot", "ltd dba", "com laude", "ascio", "contacted", "ms word", "document", "b file", "html", "javascript jac", "html iu3", "executed by usa", "#wextract", "#unsigned", "thor", "stealer", "evader", "systemroot", "grum", "high", "delete c", "cape", "write", "103 read", "clsid read", "date read", "trojan", "united", "unknown", "status", "cname", "creation date", "search", "as1921", "austria unknown", "emails", "expiration date", "date", "pragma", "next", "passive dns", "backdoor", "win32", "scan endpoints", "all scoreblue", "ipv4", "usa", "co", "teams", "cybercrime", "spoof", "benjamin", "dynamicloader", "write c", "pe32 executable", "show", "yara rule", "windows", "recon", "worm", "powershell", "june", "delphi", "malware", "malice", "retaliation", "through the nights", "apple", "lenovo", "ios", "hackers", "move", "moved" ], "references": [ "WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4", "MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com", "CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke", "Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^", "CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan", "CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)", "CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)", "CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)", "CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)", "CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data", "CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)", "CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)", "CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)", "CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)", "CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent", "CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet", "CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)", "CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d", "Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly", "Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com", "Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)", "Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected", "Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered", "Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645", "Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI", "https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection", "Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042", "https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2", "https://www.youtube.com/watch?v=GyuMozsVyYs", "Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"", "https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004", "http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&", "https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr", "nr-data.net [Apple Private Data Collection]", "https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic", "https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "WAT:Blacked-E", "display_name": "WAT:Blacked-E", "target": null }, { "id": "Win32:RmnDrp [Inf]", "display_name": "Win32:RmnDrp [Inf]", "target": null }, { "id": "AI:FileInfector.EAEEA7850C", "display_name": "AI:FileInfector.EAEEA7850C", "target": null }, { "id": "Virus.Ramnit/Nimnul", "display_name": "Virus.Ramnit/Nimnul", "target": null }, { "id": "Trojan.Crifi.1", "display_name": "Trojan.Crifi.1", "target": null }, { "id": "Trojan.MSIL.Injurer.cbd", "display_name": "Trojan.MSIL.Injurer.cbd", "target": null }, { "id": "Win.Downloader.Small-1645", "display_name": "Win.Downloader.Small-1645", "target": null }, { "id": "Trojan:Win32/Scrarev.C", "display_name": "Trojan:Win32/Scrarev.C", "target": "/malware/Trojan:Win32/Scrarev.C" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Trojan:Win32/Speesipro.A", "display_name": "Trojan:Win32/Speesipro.A", "target": "/malware/Trojan:Win32/Speesipro.A" }, { "id": "Virus:Win32/Sality.AT", "display_name": "Virus:Win32/Sality.AT", "target": "/malware/Virus:Win32/Sality.AT" }, { "id": "TrojanDownloader:Win32/Upatre", "display_name": "TrojanDownloader:Win32/Upatre", "target": "/malware/TrojanDownloader:Win32/Upatre" }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "PWS:Win32/QQpass.B!MTB", "display_name": "PWS:Win32/QQpass.B!MTB", "target": "/malware/PWS:Win32/QQpass.B!MTB" }, { "id": "Backdoor:Win32/Likseput.B", "display_name": "Backdoor:Win32/Likseput.B", "target": "/malware/Backdoor:Win32/Likseput.B" }, { "id": "Worm:Win32/Benjamin", "display_name": "Worm:Win32/Benjamin", "target": "/malware/Worm:Win32/Benjamin" }, { "id": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer", "display_name": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1134.004", "name": "Parent PID Spoofing", "display_name": "T1134.004 - Parent PID Spoofing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003.007", "name": "Proc Filesystem", "display_name": "T1003.007 - Proc Filesystem" }, { "id": "T1042", "name": "Change Default File Association", "display_name": "T1042 - Change Default File Association" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Media", "Technology", "Civil Society", "Crime Victims" ], "TLP": "green", "cloned_from": null, "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4312, "domain": 1056, "hostname": 1818, "URL": 5125, "FileHash-MD5": 310, "FileHash-SHA1": 221, "email": 3 }, "indicator_count": 12845, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "612 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://bytepoint.software", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://bytepoint.software", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776629787.2655227 }