{
  "type": "URL",
  "indicator": "https://csi.gstatic.com/csi",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://csi.gstatic.com/csi",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "alexa",
        "message": "Alexa rank: #511",
        "name": "Listed on Alexa"
      },
      {
        "source": "akamai",
        "message": "Akamai rank: #14",
        "name": "Akamai Popular Domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain gstatic.com",
        "name": "Whitelisted domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain gstatic.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 3179116874,
      "indicator": "https://csi.gstatic.com/csi",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "69fb42e924f3890f5aed52dc",
          "name": "Habo Analysis System",
          "description": "",
          "modified": "2026-05-06T13:55:26.102000",
          "created": "2026-05-06T13:32:25.127000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 169,
            "domain": 31,
            "hostname": 199,
            "FileHash-SHA1": 221,
            "URL": 100,
            "FileHash-MD5": 185,
            "IPv4": 105
          },
          "indicator_count": 1010,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "24 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bbc441983dff57f6ec0df7",
          "name": "VirusTotal report for base.apk",
          "description": "",
          "modified": "2026-04-18T09:01:28.947000",
          "created": "2026-03-19T09:39:13.279000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1406",
              "name": "Obfuscated Files or Information",
              "display_name": "T1406 - Obfuscated Files or Information"
            },
            {
              "id": "T1409",
              "name": "Access Stored Application Data",
              "display_name": "T1409 - Access Stored Application Data"
            },
            {
              "id": "T1421",
              "name": "System Network Connections Discovery",
              "display_name": "T1421 - System Network Connections Discovery"
            },
            {
              "id": "T1424",
              "name": "Process Discovery",
              "display_name": "T1424 - Process Discovery"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 2,
            "URL": 23,
            "domain": 6,
            "hostname": 13
          },
          "indicator_count": 46,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "42 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bb44d6cf2d4aeed93b9758",
          "name": "VirusTotal report for base.apk",
          "description": "",
          "modified": "2026-04-18T00:09:29.223000",
          "created": "2026-03-19T00:35:34.729000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1406",
              "name": "Obfuscated Files or Information",
              "display_name": "T1406 - Obfuscated Files or Information"
            },
            {
              "id": "T1409",
              "name": "Access Stored Application Data",
              "display_name": "T1409 - Access Stored Application Data"
            },
            {
              "id": "T1421",
              "name": "System Network Connections Discovery",
              "display_name": "T1421 - System Network Connections Discovery"
            },
            {
              "id": "T1424",
              "name": "Process Discovery",
              "display_name": "T1424 - Process Discovery"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 4,
            "URL": 46,
            "domain": 12,
            "hostname": 25
          },
          "indicator_count": 91,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "43 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a8f62801f99b53e543cc45",
          "name": "8d17053b7abddb0cdea433a89fc9359d7a89cb645b2f22a23c58773ec686190e.exe dttcodexgigas.364c151c29cba5a640a69f63e7d86e507d5b4c7f",
          "description": "Malware/trojan",
          "modified": "2026-04-04T03:09:54.908000",
          "created": "2026-03-05T03:19:04.585000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1011,
            "FileHash-SHA1": 105,
            "URL": 305,
            "domain": 108,
            "hostname": 191,
            "FileHash-MD5": 63,
            "email": 2
          },
          "indicator_count": 1785,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "57 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6608aaf7ca0e965e593ed1d4",
          "name": "MUI programu Microsoft Office Access (w j\u0119zyku angielskim) zosta\u0142o u\u017cyte do wys\u0142ania z\u0142o\u015bliwego oprogramowania na serwer w Czechach jest to pierwszy tego typu atak na komputer.                     e",
          "description": "A look back at some of the key words and phrases used to describe the situation in Italy, as \"probacja\" (or \"democrata\"), as they were translated into English.",
          "modified": "2025-10-17T11:03:07.034000",
          "created": "2024-03-31T00:14:47.183000",
          "tags": [
            "sha256",
            "ssdeep",
            "reputacja",
            "tworzy pliki",
            "informacje",
            "bardzo duga",
            "tworzy",
            "adresy url",
            "tworzy katalog",
            "win64",
            "ameryki",
            "typ pliku",
            "serwer nazw",
            "san jose",
            "adres",
            "digital",
            "data wyganicia",
            "csc corporate",
            "domains",
            "ca data",
            "data utworzenia",
            "dnssec"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6432,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 3,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2140,
            "hostname": 5874,
            "FileHash-SHA256": 12539,
            "FileHash-MD5": 3686,
            "FileHash-SHA1": 2751,
            "IPv4": 503,
            "URL": 10770,
            "email": 26,
            "CVE": 88,
            "YARA": 6,
            "JA3": 2,
            "IPv6": 28,
            "SSLCertFingerprint": 5,
            "BitcoinAddress": 3,
            "CIDR": 1
          },
          "indicator_count": 38422,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "225 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6811d6fa4e56b78ea0f083f4",
          "name": "ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)",
          "description": "Source IP: 212.1.211.209\nJA3 Client hashes: d8c87b9bfde38897979e41242626c2f3\nJA3 Server hashes: 2e721a91f6a6db92f1622699c895d2d4\nhttps://www.virustotal.com/gui/file/7d09dfde4593a882172047308b701611ff9fd4c10d753fe89cb093965fbe67de/detection",
          "modified": "2025-04-30T07:53:30.459000",
          "created": "2025-04-30T07:53:30.459000",
          "tags": [
            "sha256",
            "ssdeep",
            "submission",
            "modification",
            "version",
            "minsk",
            "common name",
            "country code",
            "by locality",
            "android"
          ],
          "references": [
            "http://193.230.215.3",
            "http://www.sanselo.com",
            "http://audiostories.xyz/remote_config/similar_apps/kids_eng.json"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 11,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 58,
            "URL": 23,
            "hostname": 1
          },
          "indicator_count": 102,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 123,
          "modified_text": "395 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "668bfcb0b48a387b9d2c8562",
          "name": "Ministerstwo Finans\u00f3w - Portal Gov.pl",
          "description": "Pliki cookie zosta\u0142y ju\u017c zapisane i wydrukowane.\n5852be629358e18160c5483bfc8c9f0023b974565f2d59ce7f4497cc734b4ecd 30 pa\u017a 2022 b8a2476b55132fdf0531d6cd48126b759dc08a8f5b019917b62373e536a0b8c9 26 pa\u017a 2022 2700fbe4001e27ba55d72841817b0b9454954b496f21e4259c88919027172694 6 wrze\u015bnia 2022 r. 91da570586b7c04e3012215469ed8b8c5aa036068cc48ba7a7ac0d8cce34290e 5 wrze\u015bnia 2022 r. 1757d8363e28b35b9e29c44d0bc87e2a03d90ca50dadd780924528e0a13d49e1 31 sierpnia 2022 r. fe5744ed48406b90eae1747aab5386645406ad61cdc629ebc7ded97aa099ae28 30 lipca 2022 r. c730bac7a1da3b6263e7672c85cb4deb229c45479bd64bc7194a9a8bb16b8cb6 16 lipca 2022 r. 177b428ac63ad3b6c606ed11b33c9fc4d79f6ff5e6b3ac3ee849f1e2d1f2c903 16 lipca 2022 r. a35121637b79b7d926b63afceae409fdb35c14ad5431ecd199179622e1711ca6",
          "modified": "2024-10-17T05:28:49.118000",
          "created": "2024-07-08T14:50:24.496000",
          "tags": [
            "polskiej",
            "przejd",
            "usugi dla",
            "logowanie",
            "profil zaufany",
            "skarbowa",
            "zobacz",
            "ksef",
            "zastpca szefa",
            "stopka",
            "rada",
            "inquest labs",
            "vba project",
            "vbaproject",
            "kopiuj md5",
            "kopiuj sha1",
            "skopiuj sha256",
            "sha1",
            "sha256",
            "typ tekst",
            "opis tekst",
            "ascii md5",
            "rozmiar",
            "typ dane",
            "pdf c",
            "text c",
            "ounizeto",
            "validation ca",
            "sha2",
            "odigicert inc",
            "cusa",
            "authority",
            "rsa ca",
            "cncertum domain",
            "cngeotrust ev",
            "oglobalsign",
            "unicode",
            "z bom",
            "crlf",
            "rgba",
            "dane obrazu",
            "tekst utf8",
            "v2 dokument",
            "dane",
            "dokument html",
            "jpeg",
            "skrt",
            "opis",
            "poczenie",
            "wifi",
            "start",
            "nazwa typ",
            "md5 nazwa",
            "procesu plik",
            "pe32",
            "intel",
            "pejzasz",
            "ms windows",
            "plik dokumentu",
            "nie c",
            "win32 exe",
            "crt.sh",
            "ct",
            "certificate transparency",
            "certificate search",
            "ssl certificate",
            "sectigo",
            "comodo ca",
            "comodo",
            "tls web",
            "criteria id",
            "647257375",
            "timestamp entry",
            "log operator",
            "log url",
            "google https",
            "ca mechanism",
            "provider status",
            "error",
            "log id",
            "647257567",
            "summary leaf",
            "sectigo https",
            "expired",
            "certificate",
            "lets",
            "key usage",
            "identifier",
            "551852229",
            "digicert https",
            "479894151",
            "479896285",
            "tylne drzwi",
            "win32",
            "imphasz",
            "wirustotal",
            "emaile",
            "emaile pnewell",
            "emaile khunter",
            "emaile eooshea",
            "emaile regadmin",
            "microsoft excel",
            "wed jan",
            "submission",
            "vhash",
            "ssdeep",
            "file type",
            "ms excel",
            "xls magic",
            "file v2",
            "document",
            "number",
            "algorithm",
            "certum",
            "unizeto",
            "warszawa",
            "31915086",
            "nitro pro",
            "nitro sign",
            "nitro",
            "nitro pdf",
            "primopdf",
            "pdfs",
            "business nitro",
            "pdf nitro",
            "pdf pro",
            "desktop",
            "premium",
            "service",
            "ja3s",
            "mnie",
            "sysv",
            "lsb executable",
            "eabi4 version",
            "msb executable",
            "mips",
            "mipsi version",
            "trojan",
            "imphash",
            "pehash",
            "name type",
            "md5 process",
            "fault",
            "header",
            "bezterminowo",
            "adres url",
            "nazwa hosta",
            "ipv4",
            "ccie asnas8075",
            "nie mona",
            "trojandropper",
            "url skryptw",
            "domeny a",
            "kliknij",
            "prbka skrt",
            "uwzgldnij",
            "nieobecny",
            "procesu",
            "ascii z",
            "ascii bez",
            "mirai",
            "win32virut",
            "procesu zastpy",
            "tekst ascii",
            "z terminatorami"
          ],
          "references": [
            "http://www.mf.gov.pl/tutaj/a./p/body/html",
            "https://www.mf.gov.pl/tutaj/a./p/body/html",
            "https://mdec.nelreports.net/api/report?cat=mdocs",
            "https://crt.sh/?id=647257375",
            "https://crt.sh/?id=647257567",
            "https://crt.sh/?id=551852229",
            "https://crt.sh/?id=479894151",
            "https://crt.sh/?id=479896285",
            "https://crt.sh/?d=49659844",
            "https://crt.sh/?id=31915086",
            "http://www.primopdf.com/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "e74755ff8b4927e257566302296e17e5d28cef17a6daf287cda9e63ce6c6f575 ELF :Mirai- MALWARE GH\\ [Trj] 23 pa\u017a 2016 bf0f346f4a51732e31d88eb47dcac82c7f7ed973312926819f1e1023b9c51121 23 pa\u017a 2016 5a92b73f354d54b9",
              "display_name": "e74755ff8b4927e257566302296e17e5d28cef17a6daf287cda9e63ce6c6f575 ELF :Mirai- MALWARE GH\\ [Trj] 23 pa\u017a 2016 bf0f346f4a51732e31d88eb47dcac82c7f7ed973312926819f1e1023b9c51121 23 pa\u017a 2016 5a92b73f354d54b9",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 127,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 627,
            "email": 41,
            "FileHash-SHA1": 1565,
            "FileHash-SHA256": 5520,
            "URL": 1821,
            "FileHash-MD5": 1861,
            "SSLCertFingerprint": 10,
            "domain": 167,
            "IPv4": 31,
            "YARA": 7,
            "CVE": 7
          },
          "indicator_count": 11657,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 128,
          "modified_text": "591 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66831f04ad169d3b685c9645",
          "name": "Win.exe , Bootstrapper.exe , pl.microsoft.com , microsoft.com/pki/certs/MicRooCerAut_2010",
          "description": "rule UPX { meta: author = \"kevoreilly\" description = \"UPX dump on OEP (original entry point)\" cape_options = \"bp0=$upx32+9,bp0=$upx64+11,action0=step2oep\" strings: $upx32 = {6A 00 39 C4 75 FA 83 EC ?? rule Windows_Generic_Threat_5c18a7f9 { meta: author = \"Elastic Security\" id = \"5c18a7f9-01af-468b-9a63-cfecbeb739d7\" fingerprint = \"68c9114ac342d527cf6f0cea96b63dfeb8e5d80060572fad2bbc7d287c752d4a\" creation_date = \"2024-01-21\" last_modified = \"2024-02-08\" threat_name = \"Windows.\ndca60557a1f47948d7158ba9f56ad8656bd0b343488264e23037fd66174e3cd5\nb4f7ace176d0eeba828e7c03f39befb30355223860d14e6ca4422fdb81778df7\nPr\u00f3bka Cuckoo-843b85c493b8a9048b2ab73a9d1a8.cab - polecenie Microsoft Office.\nResearchers have decoded a new set of data on how to store data in a safe and easy-to-use digital format, as well as the results of a series of tests on the subject.",
          "modified": "2024-10-14T20:36:07.924000",
          "created": "2024-07-01T21:26:27.623000",
          "tags": [
            "no expiration",
            "filehashsha256",
            "hacktool",
            "expiration",
            "win32autokms no",
            "filehashmd5",
            "filehashsha1",
            "virus",
            "sha1",
            "win32",
            "trojan",
            "ransom",
            "pejzasz",
            "vhash",
            "imphash",
            "ssdeep",
            "hash",
            "skrt",
            "y pkmsauto",
            "crlf",
            "dodaj",
            "hostsettings",
            "v wczono",
            "t regdword",
            "powershell",
            "nowy",
            "pe32",
            "intel",
            "ms windows",
            "nazwa typ",
            "md5 nazwa",
            "procesu",
            "vs2013",
            "rticon neutral",
            "compiler",
            "submission",
            "file version",
            "chi2",
            "contained",
            "authentihash",
            "pehash",
            "uacme akagi",
            "cobalt strike",
            "detects",
            "roth",
            "sliver stagers",
            "highvol",
            "detects imphash",
            "zero",
            "virustotal",
            "detection rule",
            "license",
            "arnim rupp",
            "whasz",
            "github",
            "postpuj zgodnie",
            "przegld",
            "danie id",
            "github og",
            "url https",
            "error",
            "toast",
            "clientrender",
            "date",
            "promise",
            "65536",
            "client env",
            "alloy",
            "rangeerror",
            "staff",
            "upx dump",
            "security",
            "license v2",
            "e8 ff",
            "fc ff",
            "ff ff",
            "e8 f7",
            "c3 e8",
            "e8 db",
            "f0 c9",
            "c8 ff",
            "c9 c3",
            "c4 a8",
            "a7 ff",
            "f1 e8",
            "ec c7",
            "f0 c0",
            "c1 e9",
            "ec e8",
            "ff e8",
            "a3 a4",
            "db e2",
            "b0 e9",
            "e8 ba",
            "b9 f3",
            "e4 f8",
            "ff e9",
            "eb ed",
            "b6 b3",
            "b6 bb",
            "c8 f7",
            "c6 a8",
            "f6 c1",
            "b0 d7",
            "df e0",
            "c4 f0",
            "fc e8",
            "cf e5",
            "f8 ff",
            "f7 ff",
            "cc cc",
            "c3 b8",
            "b9 ff",
            "ff f3",
            "ab aa",
            "f7 f9",
            "b8 c7",
            "be ad",
            "ef be",
            "ad de",
            "e9 cd",
            "c4 f4",
            "fe ff",
            "d1 fa",
            "fa fc",
            "f3 a6",
            "fb ff",
            "fc c6",
            "fc eb",
            "e8 ed",
            "fb d1",
            "b6 f8",
            "c7 c7",
            "ec d0",
            "b6 d2",
            "ff e1",
            "c0 ac",
            "c1 e3",
            "c3 aa",
            "c2 c1",
            "d3 f7",
            "fc c7",
            "win32 cabinet",
            "selfextractor",
            "pecompact",
            "yarahub",
            "yara",
            "repository",
            "hub",
            "repo",
            "malware_onenote_delivery_jan23",
            "yara rule",
            "team",
            "sifalconteam",
            "yarahub entry",
            "rule details",
            "malpedia family",
            "rule matching",
            "content copy",
            "download rule",
            "malware",
            "cc by",
            "vbscript",
            "sub autoopen",
            "getobject",
            "batch"
          ],
          "references": [
            "https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js",
            "https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23"
          ],
          "public": 1,
          "adversary": "rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 361,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 14732,
            "FileHash-MD5": 4316,
            "FileHash-SHA1": 3405,
            "YARA": 181,
            "URL": 4793,
            "domain": 1717,
            "hostname": 4354,
            "IPv4": 107,
            "IPv6": 845,
            "email": 26,
            "CVE": 13,
            "FilePath": 1
          },
          "indicator_count": 34490,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 145,
          "modified_text": "593 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "http://www.primopdf.com/",
        "https://www.mf.gov.pl/tutaj/a./p/body/html",
        "https://crt.sh/?d=49659844",
        "https://crt.sh/?id=31915086",
        "https://mdec.nelreports.net/api/report?cat=mdocs",
        "https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23",
        "https://crt.sh/?id=479894151",
        "http://193.230.215.3",
        "http://www.sanselo.com",
        "http://audiostories.xyz/remote_config/similar_apps/kids_eng.json",
        "https://crt.sh/?id=551852229",
        "https://crt.sh/?id=647257375",
        "http://www.mf.gov.pl/tutaj/a./p/body/html",
        "https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js",
        "https://crt.sh/?id=479896285",
        "https://crt.sh/?id=647257567"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri"
          ],
          "malware_families": [
            "Mirai",
            "E74755ff8b4927e257566302296e17e5d28cef17a6daf287cda9e63ce6c6f575 elf :mirai- malware gh\\ [trj] 23 pa\u017a 2016 bf0f346f4a51732e31d88eb47dcac82c7f7ed973312926819f1e1023b9c51121 23 pa\u017a 2016 5a92b73f354d54b9"
          ],
          "industries": [],
          "unique_indicators": 75537
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/gstatic.com",
    "whois": "http://whois.domaintools.com/gstatic.com",
    "domain": "gstatic.com",
    "hostname": "csi.gstatic.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "69fb42e924f3890f5aed52dc",
      "name": "Habo Analysis System",
      "description": "",
      "modified": "2026-05-06T13:55:26.102000",
      "created": "2026-05-06T13:32:25.127000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 169,
        "domain": 31,
        "hostname": 199,
        "FileHash-SHA1": 221,
        "URL": 100,
        "FileHash-MD5": 185,
        "IPv4": 105
      },
      "indicator_count": 1010,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "24 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bbc441983dff57f6ec0df7",
      "name": "VirusTotal report for base.apk",
      "description": "",
      "modified": "2026-04-18T09:01:28.947000",
      "created": "2026-03-19T09:39:13.279000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1406",
          "name": "Obfuscated Files or Information",
          "display_name": "T1406 - Obfuscated Files or Information"
        },
        {
          "id": "T1409",
          "name": "Access Stored Application Data",
          "display_name": "T1409 - Access Stored Application Data"
        },
        {
          "id": "T1421",
          "name": "System Network Connections Discovery",
          "display_name": "T1421 - System Network Connections Discovery"
        },
        {
          "id": "T1424",
          "name": "Process Discovery",
          "display_name": "T1424 - Process Discovery"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 2,
        "URL": 23,
        "domain": 6,
        "hostname": 13
      },
      "indicator_count": 46,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "42 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69bb44d6cf2d4aeed93b9758",
      "name": "VirusTotal report for base.apk",
      "description": "",
      "modified": "2026-04-18T00:09:29.223000",
      "created": "2026-03-19T00:35:34.729000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1406",
          "name": "Obfuscated Files or Information",
          "display_name": "T1406 - Obfuscated Files or Information"
        },
        {
          "id": "T1409",
          "name": "Access Stored Application Data",
          "display_name": "T1409 - Access Stored Application Data"
        },
        {
          "id": "T1421",
          "name": "System Network Connections Discovery",
          "display_name": "T1421 - System Network Connections Discovery"
        },
        {
          "id": "T1424",
          "name": "Process Discovery",
          "display_name": "T1424 - Process Discovery"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 4,
        "URL": 46,
        "domain": 12,
        "hostname": 25
      },
      "indicator_count": 91,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "43 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69a8f62801f99b53e543cc45",
      "name": "8d17053b7abddb0cdea433a89fc9359d7a89cb645b2f22a23c58773ec686190e.exe dttcodexgigas.364c151c29cba5a640a69f63e7d86e507d5b4c7f",
      "description": "Malware/trojan",
      "modified": "2026-04-04T03:09:54.908000",
      "created": "2026-03-05T03:19:04.585000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1011,
        "FileHash-SHA1": 105,
        "URL": 305,
        "domain": 108,
        "hostname": 191,
        "FileHash-MD5": 63,
        "email": 2
      },
      "indicator_count": 1785,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "57 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6608aaf7ca0e965e593ed1d4",
      "name": "MUI programu Microsoft Office Access (w j\u0119zyku angielskim) zosta\u0142o u\u017cyte do wys\u0142ania z\u0142o\u015bliwego oprogramowania na serwer w Czechach jest to pierwszy tego typu atak na komputer.                     e",
      "description": "A look back at some of the key words and phrases used to describe the situation in Italy, as \"probacja\" (or \"democrata), as they were translated into English.",
      "modified": "2025-10-17T11:03:07.034000",
      "created": "2024-03-31T00:14:47.183000",
      "tags": [
        "sha256",
        "ssdeep",
        "reputacja",
        "tworzy pliki",
        "informacje",
        "bardzo duga",
        "tworzy",
        "adresy url",
        "tworzy katalog",
        "win64",
        "ameryki",
        "typ pliku",
        "serwer nazw",
        "san jose",
        "adres",
        "digital",
        "data wyganicia",
        "csc corporate",
        "domains",
        "ca data",
        "data utworzenia",
        "dnssec"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6432,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 3,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 2140,
        "hostname": 5874,
        "FileHash-SHA256": 12539,
        "FileHash-MD5": 3686,
        "FileHash-SHA1": 2751,
        "IPv4": 503,
        "URL": 10770,
        "email": 26,
        "CVE": 88,
        "YARA": 6,
        "JA3": 2,
        "IPv6": 28,
        "SSLCertFingerprint": 5,
        "BitcoinAddress": 3,
        "CIDR": 1
      },
      "indicator_count": 38422,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "225 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6811d6fa4e56b78ea0f083f4",
      "name": "ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)",
      "description": "Source IP: 212.1.211.209\nJA3 Client hashes: d8c87b9bfde38897979e41242626c2f3\nJA3 Server hashes: 2e721a91f6a6db92f1622699c895d2d4\nhttps://www.virustotal.com/gui/file/7d09dfde4593a882172047308b701611ff9fd4c10d753fe89cb093965fbe67de/detection",
      "modified": "2025-04-30T07:53:30.459000",
      "created": "2025-04-30T07:53:30.459000",
      "tags": [
        "sha256",
        "ssdeep",
        "submission",
        "modification",
        "version",
        "minsk",
        "common name",
        "country code",
        "by locality",
        "android"
      ],
      "references": [
        "http://193.230.215.3",
        "http://www.sanselo.com",
        "http://audiostories.xyz/remote_config/similar_apps/kids_eng.json"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 11,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 58,
        "URL": 23,
        "hostname": 1
      },
      "indicator_count": 102,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 123,
      "modified_text": "395 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "668bfcb0b48a387b9d2c8562",
      "name": "Ministerstwo Finans\u00f3w - Portal Gov.pl",
      "description": "Pliki cookie zosta\u0142y ju\u017c zapisane i wydrukowane.\n5852be629358e18160c5483bfc8c9f0023b974565f2d59ce7f4497cc734b4ecd 30 pa\u017a 2022 b8a2476b55132fdf0531d6cd48126b759dc08a8f5b019917b62373e536a0b8c9 26 pa\u017a 2022 2700fbe4001e27ba55d72841817b0b9454954b496f21e4259c88919027172694 6 wrze\u015bnia 2022 r. 91da570586b7c04e3012215469ed8b8c5aa036068cc48ba7a7ac0d8cce34290e 5 wrze\u015bnia 2022 r. 1757d8363e28b35b9e29c44d0bc87e2a03d90ca50dadd780924528e0a13d49e1 31 sierpnia 2022 r. fe5744ed48406b90eae1747aab5386645406ad61cdc629ebc7ded97aa099ae28 30 lipca 2022 r. c730bac7a1da3b6263e7672c85cb4deb229c45479bd64bc7194a9a8bb16b8cb6 16 lipca 2022 r. 177b428ac63ad3b6c606ed11b33c9fc4d79f6ff5e6b3ac3ee849f1e2d1f2c903 16 lipca 2022 r. a35121637b79b7d926b63afceae409fdb35c14ad5431ecd199179622e1711ca6",
      "modified": "2024-10-17T05:28:49.118000",
      "created": "2024-07-08T14:50:24.496000",
      "tags": [
        "polskiej",
        "przejd",
        "usugi dla",
        "logowanie",
        "profil zaufany",
        "skarbowa",
        "zobacz",
        "ksef",
        "zastpca szefa",
        "stopka",
        "rada",
        "inquest labs",
        "vba project",
        "vbaproject",
        "kopiuj md5",
        "kopiuj sha1",
        "skopiuj sha256",
        "sha1",
        "sha256",
        "typ tekst",
        "opis tekst",
        "ascii md5",
        "rozmiar",
        "typ dane",
        "pdf c",
        "text c",
        "ounizeto",
        "validation ca",
        "sha2",
        "odigicert inc",
        "cusa",
        "authority",
        "rsa ca",
        "cncertum domain",
        "cngeotrust ev",
        "oglobalsign",
        "unicode",
        "z bom",
        "crlf",
        "rgba",
        "dane obrazu",
        "tekst utf8",
        "v2 dokument",
        "dane",
        "dokument html",
        "jpeg",
        "skrt",
        "opis",
        "poczenie",
        "wifi",
        "start",
        "nazwa typ",
        "md5 nazwa",
        "procesu plik",
        "pe32",
        "intel",
        "pejzasz",
        "ms windows",
        "plik dokumentu",
        "nie c",
        "win32 exe",
        "crt.sh",
        "ct",
        "certificate transparency",
        "certificate search",
        "ssl certificate",
        "sectigo",
        "comodo ca",
        "comodo",
        "tls web",
        "criteria id",
        "647257375",
        "timestamp entry",
        "log operator",
        "log url",
        "google https",
        "ca mechanism",
        "provider status",
        "error",
        "log id",
        "647257567",
        "summary leaf",
        "sectigo https",
        "expired",
        "certificate",
        "lets",
        "key usage",
        "identifier",
        "551852229",
        "digicert https",
        "479894151",
        "479896285",
        "tylne drzwi",
        "win32",
        "imphasz",
        "wirustotal",
        "emaile",
        "emaile pnewell",
        "emaile khunter",
        "emaile eooshea",
        "emaile regadmin",
        "microsoft excel",
        "wed jan",
        "submission",
        "vhash",
        "ssdeep",
        "file type",
        "ms excel",
        "xls magic",
        "file v2",
        "document",
        "number",
        "algorithm",
        "certum",
        "unizeto",
        "warszawa",
        "31915086",
        "nitro pro",
        "nitro sign",
        "nitro",
        "nitro pdf",
        "primopdf",
        "pdfs",
        "business nitro",
        "pdf nitro",
        "pdf pro",
        "desktop",
        "premium",
        "service",
        "ja3s",
        "mnie",
        "sysv",
        "lsb executable",
        "eabi4 version",
        "msb executable",
        "mips",
        "mipsi version",
        "trojan",
        "imphash",
        "pehash",
        "name type",
        "md5 process",
        "fault",
        "header",
        "bezterminowo",
        "adres url",
        "nazwa hosta",
        "ipv4",
        "ccie asnas8075",
        "nie mona",
        "trojandropper",
        "url skryptw",
        "domeny a",
        "kliknij",
        "prbka skrt",
        "uwzgldnij",
        "nieobecny",
        "procesu",
        "ascii z",
        "ascii bez",
        "mirai",
        "win32virut",
        "procesu zastpy",
        "tekst ascii",
        "z terminatorami"
      ],
      "references": [
        "http://www.mf.gov.pl/tutaj/a./p/body/html",
        "https://www.mf.gov.pl/tutaj/a./p/body/html",
        "https://mdec.nelreports.net/api/report?cat=mdocs",
        "https://crt.sh/?id=647257375",
        "https://crt.sh/?id=647257567",
        "https://crt.sh/?id=551852229",
        "https://crt.sh/?id=479894151",
        "https://crt.sh/?id=479896285",
        "https://crt.sh/?d=49659844",
        "https://crt.sh/?id=31915086",
        "http://www.primopdf.com/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "e74755ff8b4927e257566302296e17e5d28cef17a6daf287cda9e63ce6c6f575 ELF :Mirai- MALWARE GH\\ [Trj] 23 pa\u017a 2016 bf0f346f4a51732e31d88eb47dcac82c7f7ed973312926819f1e1023b9c51121 23 pa\u017a 2016 5a92b73f354d54b9",
          "display_name": "e74755ff8b4927e257566302296e17e5d28cef17a6daf287cda9e63ce6c6f575 ELF :Mirai- MALWARE GH\\ [Trj] 23 pa\u017a 2016 bf0f346f4a51732e31d88eb47dcac82c7f7ed973312926819f1e1023b9c51121 23 pa\u017a 2016 5a92b73f354d54b9",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 127,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 627,
        "email": 41,
        "FileHash-SHA1": 1565,
        "FileHash-SHA256": 5520,
        "URL": 1821,
        "FileHash-MD5": 1861,
        "SSLCertFingerprint": 10,
        "domain": 167,
        "IPv4": 31,
        "YARA": 7,
        "CVE": 7
      },
      "indicator_count": 11657,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 128,
      "modified_text": "591 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66831f04ad169d3b685c9645",
      "name": "Win.exe , Bootstrapper.exe , pl.microsoft.com , microsoft.com/pki/certs/MicRooCerAut_2010",
      "description": "rule UPX { meta: author = \"kevoreilly\" description = \"UPX dump on OEP (original entry point)\" cape_options = \"bp0=$upx32+9,bp0=$upx64+11,action0=step2oep\" strings: $upx32 = {6A 00 39 C4 75 FA 83 EC ?? rule Windows_Generic_Threat_5c18a7f9 { meta: author = \"Elastic Security\" id = \"5c18a7f9-01af-468b-9a63-cfecbeb739d7\" fingerprint = \"68c9114ac342d527cf6f0cea96b63dfeb8e5d80060572fad2bbc7d287c752d4a\" creation_date = \"2024-01-21\" last_modified = \"2024-02-08\" threat_name = \"Windows.\ndca60557a1f47948d7158ba9f56ad8656bd0b343488264e23037fd66174e3cd5\nb4f7ace176d0eeba828e7c03f39befb30355223860d14e6ca4422fdb81778df7\nPr\u00f3bka Cuckoo-843b85c493b8a9048b2ab73a9d1a8.cab - polecenie Microsoft Office.\nResearchers have decoded a new set of data on how to store data in a safe and easy-to-use digital format, as well as the results of a series of tests on the subject.",
      "modified": "2024-10-14T20:36:07.924000",
      "created": "2024-07-01T21:26:27.623000",
      "tags": [
        "no expiration",
        "filehashsha256",
        "hacktool",
        "expiration",
        "win32autokms no",
        "filehashmd5",
        "filehashsha1",
        "virus",
        "sha1",
        "win32",
        "trojan",
        "ransom",
        "pejzasz",
        "vhash",
        "imphash",
        "ssdeep",
        "hash",
        "skrt",
        "y pkmsauto",
        "crlf",
        "dodaj",
        "hostsettings",
        "v wczono",
        "t regdword",
        "powershell",
        "nowy",
        "pe32",
        "intel",
        "ms windows",
        "nazwa typ",
        "md5 nazwa",
        "procesu",
        "vs2013",
        "rticon neutral",
        "compiler",
        "submission",
        "file version",
        "chi2",
        "contained",
        "authentihash",
        "pehash",
        "uacme akagi",
        "cobalt strike",
        "detects",
        "roth",
        "sliver stagers",
        "highvol",
        "detects imphash",
        "zero",
        "virustotal",
        "detection rule",
        "license",
        "arnim rupp",
        "whasz",
        "github",
        "postpuj zgodnie",
        "przegld",
        "danie id",
        "github og",
        "url https",
        "error",
        "toast",
        "clientrender",
        "date",
        "promise",
        "65536",
        "client env",
        "alloy",
        "rangeerror",
        "staff",
        "upx dump",
        "security",
        "license v2",
        "e8 ff",
        "fc ff",
        "ff ff",
        "e8 f7",
        "c3 e8",
        "e8 db",
        "f0 c9",
        "c8 ff",
        "c9 c3",
        "c4 a8",
        "a7 ff",
        "f1 e8",
        "ec c7",
        "f0 c0",
        "c1 e9",
        "ec e8",
        "ff e8",
        "a3 a4",
        "db e2",
        "b0 e9",
        "e8 ba",
        "b9 f3",
        "e4 f8",
        "ff e9",
        "eb ed",
        "b6 b3",
        "b6 bb",
        "c8 f7",
        "c6 a8",
        "f6 c1",
        "b0 d7",
        "df e0",
        "c4 f0",
        "fc e8",
        "cf e5",
        "f8 ff",
        "f7 ff",
        "cc cc",
        "c3 b8",
        "b9 ff",
        "ff f3",
        "ab aa",
        "f7 f9",
        "b8 c7",
        "be ad",
        "ef be",
        "ad de",
        "e9 cd",
        "c4 f4",
        "fe ff",
        "d1 fa",
        "fa fc",
        "f3 a6",
        "fb ff",
        "fc c6",
        "fc eb",
        "e8 ed",
        "fb d1",
        "b6 f8",
        "c7 c7",
        "ec d0",
        "b6 d2",
        "ff e1",
        "c0 ac",
        "c1 e3",
        "c3 aa",
        "c2 c1",
        "d3 f7",
        "fc c7",
        "win32 cabinet",
        "selfextractor",
        "pecompact",
        "yarahub",
        "yara",
        "repository",
        "hub",
        "repo",
        "malware_onenote_delivery_jan23",
        "yara rule",
        "team",
        "sifalconteam",
        "yarahub entry",
        "rule details",
        "malpedia family",
        "rule matching",
        "content copy",
        "download rule",
        "malware",
        "cc by",
        "vbscript",
        "sub autoopen",
        "getobject",
        "batch"
      ],
      "references": [
        "https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js",
        "https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23"
      ],
      "public": 1,
      "adversary": "rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 361,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 14732,
        "FileHash-MD5": 4316,
        "FileHash-SHA1": 3405,
        "YARA": 181,
        "URL": 4793,
        "domain": 1717,
        "hostname": 4354,
        "IPv4": 107,
        "IPv6": 845,
        "email": 26,
        "CVE": 13,
        "FilePath": 1
      },
      "indicator_count": 34490,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 145,
      "modified_text": "593 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://csi.gstatic.com/csi",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://csi.gstatic.com/csi",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780206489.9956949
}