{
  "type": "URL",
  "indicator": "https://cutit.org/oxgBR",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://cutit.org/oxgBR",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3001701301,
      "indicator": "https://cutit.org/oxgBR",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 6,
      "pulses": [
        {
          "id": "6a11c88ada0bba46c9ed1b04",
          "name": "pastebin",
          "description": "",
          "modified": "2026-05-23T15:32:26.758000",
          "created": "2026-05-23T15:32:26.758000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 9,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 224,
            "IPv4": 7,
            "URL": 49,
            "domain": 10,
            "hostname": 6
          },
          "indicator_count": 311,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 183,
          "modified_text": "8 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c60b402cd173d2b4aed0c6",
          "name": "pastebin",
          "description": "",
          "modified": "2026-04-26T04:18:29.754000",
          "created": "2026-03-27T04:44:48.317000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 49,
            "FileHash-MD5": 30,
            "FileHash-SHA1": 26,
            "FileHash-SHA256": 223,
            "domain": 17,
            "hostname": 2
          },
          "indicator_count": 347,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 183,
          "modified_text": "35 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b63553f456643631f3e4a4",
          "name": "pastebin",
          "description": "",
          "modified": "2026-04-14T04:40:38.996000",
          "created": "2026-03-15T04:28:03.718000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 202,
            "FileHash-MD5": 55,
            "FileHash-SHA1": 52,
            "FileHash-SHA256": 414,
            "domain": 27,
            "hostname": 15
          },
          "indicator_count": 765,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 184,
          "modified_text": "47 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68a3a8ae8431d86167c319a9",
          "name": "connect wise",
          "description": "",
          "modified": "2026-01-05T08:34:33.983000",
          "created": "2025-08-18T22:26:54.405000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 371,
            "FileHash-MD5": 18,
            "FileHash-SHA1": 19,
            "FileHash-SHA256": 249,
            "domain": 61,
            "hostname": 26
          },
          "indicator_count": 744,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 182,
          "modified_text": "146 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d912c0ef3c0720da1d72a0",
          "name": "Babax Stealer Ransomware - maxfehlinger.de- autodesk,com",
          "description": "Babax Stealer Ransomware and Samas Ransom Malware CnC Beacon. Remote system access, remote desktop, injection, ransomware, CnC Beacon found in both highly trusted and unsafe enterprises. Interesting strings. Initially found several months ago in 'high profile' breaches and systems. Another user discovered a single malicious 'AnyDesk Backdoor' link. Further research showed significant pattern matches. \nI posted my own Any.Desk Pulse after exploring from that user's single hash. I was surprised to find that the now-whitelisted link [boot.net.anydesk.com] was removed from my pulse and other pulses after an unknown modification.",
          "modified": "2024-10-05T00:03:06.235000",
          "created": "2024-09-05T02:09:04.339000",
          "tags": [
            "all scoreblue",
            "pdf report",
            "injection",
            "malware",
            "ransomware",
            "maxfehlinger.de",
            "privacy badger",
            "swipper",
            "pegasystems",
            "crowdstrike",
            "autodesk.com",
            "autocad",
            "endgame",
            "crowdstrike.com",
            "write c",
            "delete c",
            "ascii text",
            "json",
            "as15169",
            "lredmond",
            "stwa",
            "write",
            "samas",
            "dynamicloader",
            "attempts",
            "contacted",
            "high security",
            "dynamic",
            "high",
            "t1063",
            "samas ransom",
            "cnc beacon",
            "stack pivoting",
            "discovery",
            "cloud provider",
            "reverse dns",
            "dublin",
            "ireland asn",
            "as16509",
            "dns resolutions",
            "pulses none",
            "related tags",
            "none indicator",
            "create c",
            "read c",
            "delete",
            "dock",
            "execution",
            "xport",
            "msie",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "memcommit",
            "code",
            "pecompact",
            "packer",
            "delphi",
            "persistence",
            "settingswpad",
            "moved",
            "gmt content",
            "0 report",
            "sea alt",
            "certificate",
            "passive dns",
            "server response",
            "google safe",
            "results aug",
            "avast avg",
            "ids",
            "showing",
            "click",
            "phishing",
            "remote access",
            "social engineering",
            "software",
            "tunneling",
            "yara",
            "united states",
            "service",
            "bot",
            "remote desktop",
            "relay",
            "loading captcha",
            "secure all"
          ],
          "references": [
            "Samas Ransom - maxfehlinger.de, autodesk, #file #hash , 104.21.14.163 (CDN) 172.67.160.10 (CDN)",
            "Any.Desk Pulse . Cites ATOAlienVault for hash: https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d",
            ".NET Framework Error: https://otx.alienvault.com/otxapi/indicators/file/screenshot/089aa13becf38d8bc289b24f6844f6ab2ebfe8d7ea0836bb8d5a616ebca9a3cc",
            "Win.Packed.Msilperseus-9956591-0: FileHash-SHA256 2a2607260abf7f5bf4dd121b4dc758e7106668bb974c9f5977bf665d46063b1f",
            "Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot stealth_file cape_detected_threat",
            "Alerts: antiav_detectfile antiav_detectreg modify_proxy cape_extracted_content infostealer_cookies recon_fingerprint suricata_alert",
            "Yara Detections DotNET_Reactor : \"DynamicLoader\" : \"ADVAPI32.dll/CreateRestrictedToken\"",
            "Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\u00bb 192.168.122.24 \u00abto\u00bb 172.64.41.3 Suspicious Activity DNS Query",
            "Samas Ransom CnC Beacon \u00bb Source: 192.168.122.24 Destination\u00bb 104.117.233.215 =  \tMalware Beacon Samas",
            "Domains Contacted and Whitelisted: accounts.google.com | 142.250.147.84  | js.monitor.azure.com | 13.107.213.44  | clients2.googleusercontent.com\t142.251.9.132  Whitelisted\tchrome.cloudflare-dns.com",
            "PE Anomalies: checksum_header_zero ep_weird_location | Interesting Strings: https://api.ipify.org",
            "Win.Malware.Trojanx-9862538-0: FileHash-SHA256 f6b1e4c7c5d3e08828599fb7b268cac6444b3b750c0af81059d906b692a20ddd",
            "IDS Detections Samas Ransom CnC Beacon Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SN)",
            "Generickdz - Yara Detections: aPLib ,  PECompact_2xx , pecompact2 ,  PECompactv2xx ,  Delphi",
            "Generickdz - Yara Detections: PECompact2xxBitSumTechnologies ,  PECompactV2XBitsumTechnologies ,",
            "TrojanX Alerts: terminates_remote_process injection_rwx: modify_proxy infostealer_cookies recon_fingerprint",
            "TrojanX Alerts: procmem_yara injection_inter_process stack_pivot stealth_file antiav_detectfile antiav_detectreg createtool",
            "TrojanX Alerts: cape_extracted_content recon_fingerprint suricata_alert help32snapshot_module_enumeration",
            "TrojanX Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading ipc_namedpipe powershell_download",
            "Generickdz: https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3",
            "ALF:Ransom:Win32/Babax.SG!MTB - Yara Detections: MAL_Unknown_PWDumper_Apr18_3 ,  EnigmaProtector ,  Delphi",
            "ALF:Ransom:Win32/Babax.SG!MTB - Alerts: procmem_yara injection_inter_process stack_pivot stealth_file antiav_detectfile",
            "ALF:Ransom:Win32/Babax.SG!MTB - Alerts: cape_extracted_content infostealer_cookies recon_fingerprint suricata_alert",
            "ALF:Ransom:Win32/Babax.SG!MTB: 34.241.182.209  Reverse DNS ec2-34-241-182-209.eu-west-1.compute.amazonaws.com | edge-irl1.demdex.net",
            "Razy-Yara Detections: SUSP_Imphash_Mar23_3 ,  UPX",
            "Yara Detections: ConventionEngine_Keyword_Bot ConventionEngine_Keyword_Bot bot BoT Bot bOt RSDS_T~!F,ah\u0001C:\\Buildbot\\ad-windows-32\\build\\release\\app-32\\win_loader\\AnyDesk.pdb",
            "CDN 104.21.14.163-Associated: URL's: http://resources.mini-box.com/online/MBD-mini2440 NEC3.5 kit/mini2440-ARM9-Board-with-NEC3.5-kit-android.pdf",
            "CDN 104.21.14.163:-Associated: URL's: http://light.80371024.workers.dev/",
            "Microsoft Ignite: https://otx.alienvault.com/otxapi/indicators/file/screenshot/2a2607260abf7f5bf4dd121b4dc758e7106668bb974c9f5977bf665d46063b1f",
            "Merits further research: boot.net.anydesk.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Win.Malware.Razy-9859339-0",
              "display_name": "Win.Malware.Razy-9859339-0",
              "target": null
            },
            {
              "id": "Win.Malware.Trojanx-9862538-0",
              "display_name": "Win.Malware.Trojanx-9862538-0",
              "target": null
            },
            {
              "id": "Win.Malware.Generickdz-9982080-0",
              "display_name": "Win.Malware.Generickdz-9982080-0",
              "target": null
            },
            {
              "id": "Win.Packed.Msilperseus-9956591-0",
              "display_name": "Win.Packed.Msilperseus-9956591-0",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:HackTool:Win32/DefenderControl",
              "display_name": "ALF:HeraklezEval:HackTool:Win32/DefenderControl",
              "target": null
            },
            {
              "id": "ALF:Ransom:Win32/Babax.SG!MTB",
              "display_name": "ALF:Ransom:Win32/Babax.SG!MTB",
              "target": null
            },
            {
              "id": "Samas-Samsam",
              "display_name": "Samas-Samsam",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1081",
              "name": "Credentials in Files",
              "display_name": "T1081 - Credentials in Files"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1428",
              "name": "Exploit Enterprise Resources",
              "display_name": "T1428 - Exploit Enterprise Resources"
            },
            {
              "id": "T1086",
              "name": "PowerShell",
              "display_name": "T1086 - PowerShell"
            }
          ],
          "industries": [
            "Finance",
            "Technology",
            "Telecommunications",
            "Cyber Security",
            "Civilian Society"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 757,
            "FileHash-SHA1": 664,
            "FileHash-SHA256": 665,
            "SSLCertFingerprint": 6,
            "domain": 120,
            "URL": 114,
            "hostname": 95,
            "email": 3
          },
          "indicator_count": 2424,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 232,
          "modified_text": "603 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "62eb230323eff358effd7893",
          "name": "strteamdeck",
          "description": "The full list of people who have taken part in this year's BBC World Service has been released:..6f02.8m, 1.9m.3m; 1,935m",
          "modified": "2022-09-03T00:03:41.487000",
          "created": "2022-08-04T01:38:11.053000",
          "tags": [
            "whois record",
            "whois",
            "ssl certificate",
            "collection",
            "vt graph",
            "trojan",
            "springshell",
            "findingevil",
            "steg icons",
            "group earth",
            "qakbot",
            "ursnif",
            "ryuk",
            "quasar"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AIDefenseNet",
            "id": "102874",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 26,
            "URL": 73,
            "FileHash-MD5": 91,
            "FileHash-SHA1": 90,
            "FileHash-SHA256": 592,
            "hostname": 80
          },
          "indicator_count": 952,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 103,
          "modified_text": "1366 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Yara Detections DotNET_Reactor : \"DynamicLoader\" : \"ADVAPI32.dll/CreateRestrictedToken\"",
        "Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot stealth_file cape_detected_threat",
        "PE Anomalies: checksum_header_zero ep_weird_location | Interesting Strings: https://api.ipify.org",
        "ALF:Ransom:Win32/Babax.SG!MTB - Yara Detections: MAL_Unknown_PWDumper_Apr18_3 ,  EnigmaProtector ,  Delphi",
        "Generickdz: https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3",
        "Microsoft Ignite: https://otx.alienvault.com/otxapi/indicators/file/screenshot/2a2607260abf7f5bf4dd121b4dc758e7106668bb974c9f5977bf665d46063b1f",
        "Domains Contacted and Whitelisted: accounts.google.com | 142.250.147.84  | js.monitor.azure.com | 13.107.213.44  | clients2.googleusercontent.com\t142.251.9.132  Whitelisted\tchrome.cloudflare-dns.com",
        "CDN 104.21.14.163-Associated: URL's: http://resources.mini-box.com/online/MBD-mini2440 NEC3.5 kit/mini2440-ARM9-Board-with-NEC3.5-kit-android.pdf",
        "Generickdz - Yara Detections: aPLib ,  PECompact_2xx , pecompact2 ,  PECompactv2xx ,  Delphi",
        "ALF:Ransom:Win32/Babax.SG!MTB - Alerts: cape_extracted_content infostealer_cookies recon_fingerprint suricata_alert",
        "Samas Ransom CnC Beacon \u00bb Source: 192.168.122.24 Destination\u00bb 104.117.233.215 =  \tMalware Beacon Samas",
        "Yara Detections: ConventionEngine_Keyword_Bot ConventionEngine_Keyword_Bot bot BoT Bot bOt RSDS_T~!F,ah\u0001C:\\Buildbot\\ad-windows-32\\build\\release\\app-32\\win_loader\\AnyDesk.pdb",
        "TrojanX Alerts: procmem_yara injection_inter_process stack_pivot stealth_file antiav_detectfile antiav_detectreg createtool",
        "TrojanX Alerts: cape_extracted_content recon_fingerprint suricata_alert help32snapshot_module_enumeration",
        ".NET Framework Error: https://otx.alienvault.com/otxapi/indicators/file/screenshot/089aa13becf38d8bc289b24f6844f6ab2ebfe8d7ea0836bb8d5a616ebca9a3cc",
        "Win.Packed.Msilperseus-9956591-0: FileHash-SHA256 2a2607260abf7f5bf4dd121b4dc758e7106668bb974c9f5977bf665d46063b1f",
        "Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\u00bb 192.168.122.24 \u00abto\u00bb 172.64.41.3 Suspicious Activity DNS Query",
        "TrojanX Alerts: terminates_remote_process injection_rwx: modify_proxy infostealer_cookies recon_fingerprint",
        "ALF:Ransom:Win32/Babax.SG!MTB: 34.241.182.209  Reverse DNS ec2-34-241-182-209.eu-west-1.compute.amazonaws.com | edge-irl1.demdex.net",
        "Generickdz - Yara Detections: PECompact2xxBitSumTechnologies ,  PECompactV2XBitsumTechnologies ,",
        "IDS Detections Samas Ransom CnC Beacon Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SN)",
        "Razy-Yara Detections: SUSP_Imphash_Mar23_3 ,  UPX",
        "Alerts: antiav_detectfile antiav_detectreg modify_proxy cape_extracted_content infostealer_cookies recon_fingerprint suricata_alert",
        "TrojanX Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading ipc_namedpipe powershell_download",
        "Any.Desk Pulse . Cites ATOAlienVault for hash: https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d",
        "Win.Malware.Trojanx-9862538-0: FileHash-SHA256 f6b1e4c7c5d3e08828599fb7b268cac6444b3b750c0af81059d906b692a20ddd",
        "ALF:Ransom:Win32/Babax.SG!MTB - Alerts: procmem_yara injection_inter_process stack_pivot stealth_file antiav_detectfile",
        "CDN 104.21.14.163:-Associated: URL's: http://light.80371024.workers.dev/",
        "Merits further research: boot.net.anydesk.com",
        "Samas Ransom - maxfehlinger.de, autodesk, #file #hash , 104.21.14.163 (CDN) 172.67.160.10 (CDN)"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Alf:ransom:win32/babax.sg!mtb",
            "Win.malware.razy-9859339-0",
            "Samas-samsam",
            "Win.malware.generickdz-9982080-0",
            "Win.malware.trojanx-9862538-0",
            "Alf:heraklezeval:hacktool:win32/defendercontrol",
            "Win.packed.msilperseus-9956591-0"
          ],
          "industries": [
            "Cyber security",
            "Civilian society",
            "Technology",
            "Telecommunications",
            "Finance"
          ],
          "unique_indicators": 5855
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/cutit.org",
    "whois": "http://whois.domaintools.com/cutit.org",
    "domain": "cutit.org",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 6,
  "pulses": [
    {
      "id": "6a11c88ada0bba46c9ed1b04",
      "name": "pastebin",
      "description": "",
      "modified": "2026-05-23T15:32:26.758000",
      "created": "2026-05-23T15:32:26.758000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 9,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 224,
        "IPv4": 7,
        "URL": 49,
        "domain": 10,
        "hostname": 6
      },
      "indicator_count": 311,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 183,
      "modified_text": "8 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c60b402cd173d2b4aed0c6",
      "name": "pastebin",
      "description": "",
      "modified": "2026-04-26T04:18:29.754000",
      "created": "2026-03-27T04:44:48.317000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 49,
        "FileHash-MD5": 30,
        "FileHash-SHA1": 26,
        "FileHash-SHA256": 223,
        "domain": 17,
        "hostname": 2
      },
      "indicator_count": 347,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 183,
      "modified_text": "35 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b63553f456643631f3e4a4",
      "name": "pastebin",
      "description": "",
      "modified": "2026-04-14T04:40:38.996000",
      "created": "2026-03-15T04:28:03.718000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 202,
        "FileHash-MD5": 55,
        "FileHash-SHA1": 52,
        "FileHash-SHA256": 414,
        "domain": 27,
        "hostname": 15
      },
      "indicator_count": 765,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 184,
      "modified_text": "47 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68a3a8ae8431d86167c319a9",
      "name": "connect wise",
      "description": "",
      "modified": "2026-01-05T08:34:33.983000",
      "created": "2025-08-18T22:26:54.405000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 371,
        "FileHash-MD5": 18,
        "FileHash-SHA1": 19,
        "FileHash-SHA256": 249,
        "domain": 61,
        "hostname": 26
      },
      "indicator_count": 744,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 182,
      "modified_text": "146 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66d912c0ef3c0720da1d72a0",
      "name": "Babax Stealer Ransomware - maxfehlinger.de- autodesk,com",
      "description": "Babax Stealer Ransomware and Samas Ransom Malware CnC Beacon. Remote system access, remote desktop, injection, ransomware, and CnC Beacon found in both highly trusted and unsafe enterprises. Interesting strings. Initially found several months ago in 'high profile' breaches and systems. Another user discovered a single malicious 'AnyDesk Backdoor' link. Further research showed significant pattern matches. \nI posted my own Any.Desk Pulse after exploring from that user's single hash. I was surprised to find that the now-whitelisted link [boot.net.anydesk.com] was removed from my pulse and other pulses after an unknown modification.",
      "modified": "2024-10-05T00:03:06.235000",
      "created": "2024-09-05T02:09:04.339000",
      "tags": [
        "all scoreblue",
        "pdf report",
        "injection",
        "malware",
        "ransomware",
        "maxfehlinger.de",
        "privacy badger",
        "swipper",
        "pegasystems",
        "crowdstrike",
        "autodesk.com",
        "autocad",
        "endgame",
        "crowdstrike.com",
        "write c",
        "delete c",
        "ascii text",
        "json",
        "as15169",
        "lredmond",
        "stwa",
        "write",
        "samas",
        "dynamicloader",
        "attempts",
        "contacted",
        "high security",
        "dynamic",
        "high",
        "t1063",
        "samas ransom",
        "cnc beacon",
        "stack pivoting",
        "discovery",
        "cloud provider",
        "reverse dns",
        "dublin",
        "ireland asn",
        "as16509",
        "dns resolutions",
        "pulses none",
        "related tags",
        "none indicator",
        "create c",
        "read c",
        "delete",
        "dock",
        "execution",
        "xport",
        "msie",
        "windows nt",
        "wow64",
        "slcc2",
        "media center",
        "memcommit",
        "code",
        "pecompact",
        "packer",
        "delphi",
        "persistence",
        "settingswpad",
        "moved",
        "gmt content",
        "0 report",
        "sea alt",
        "certificate",
        "passive dns",
        "server response",
        "google safe",
        "results aug",
        "avast avg",
        "ids",
        "showing",
        "click",
        "phishing",
        "remote access",
        "social engineering",
        "software",
        "tunneling",
        "yara",
        "united states",
        "service",
        "bot",
        "remote desktop",
        "relay",
        "loading captcha",
        "secure all"
      ],
      "references": [
        "Samas Ransom - maxfehlinger.de, autodesk, #file #hash , 104.21.14.163 (CDN) 172.67.160.10 (CDN)",
        "Any.Desk Pulse . Cites ATOAlienVault for hash: https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d",
        ".NET Framework Error: https://otx.alienvault.com/otxapi/indicators/file/screenshot/089aa13becf38d8bc289b24f6844f6ab2ebfe8d7ea0836bb8d5a616ebca9a3cc",
        "Win.Packed.Msilperseus-9956591-0: FileHash-SHA256 2a2607260abf7f5bf4dd121b4dc758e7106668bb974c9f5977bf665d46063b1f",
        "Alerts: procmem_yara injection_inter_process ransomware_file_modifications stack_pivot stealth_file cape_detected_threat",
        "Alerts: antiav_detectfile antiav_detectreg modify_proxy cape_extracted_content infostealer_cookies recon_fingerprint suricata_alert",
        "Yara Detections DotNET_Reactor : \"DynamicLoader\" : \"ADVAPI32.dll/CreateRestrictedToken\"",
        "Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\u00bb 192.168.122.24 \u00abto\u00bb 172.64.41.3 Suspicious Activity DNS Query",
        "Samas Ransom CnC Beacon \u00bb Source: 192.168.122.24 Destination\u00bb 104.117.233.215 =  \tMalware Beacon Samas",
        "Domains Contacted and Whitelisted: accounts.google.com | 142.250.147.84  | js.monitor.azure.com | 13.107.213.44  | clients2.googleusercontent.com\t142.251.9.132  Whitelisted\tchrome.cloudflare-dns.com",
        "PE Anomalies: checksum_header_zero ep_weird_location | Interesting Strings: https://api.ipify.org",
        "Win.Malware.Trojanx-9862538-0: FileHash-SHA256 f6b1e4c7c5d3e08828599fb7b268cac6444b3b750c0af81059d906b692a20ddd",
        "IDS Detections Samas Ransom CnC Beacon Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SN)",
        "Generickdz - Yara Detections: aPLib ,  PECompact_2xx , pecompact2 ,  PECompactv2xx ,  Delphi",
        "Generickdz - Yara Detections: PECompact2xxBitSumTechnologies ,  PECompactV2XBitsumTechnologies ,",
        "TrojanX Alerts: terminates_remote_process injection_rwx: modify_proxy infostealer_cookies recon_fingerprint",
        "TrojanX Alerts: procmem_yara injection_inter_process stack_pivot stealth_file antiav_detectfile antiav_detectreg createtool",
        "TrojanX Alerts: cape_extracted_content recon_fingerprint suricata_alert help32snapshot_module_enumeration",
        "TrojanX Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading ipc_namedpipe powershell_download",
        "Generickdz: https://otx.alienvault.com/otxapi/indicators/file/screenshot/233e5b27962a141061eff04ae07699d1a2faa8d47077a2da31770a5f59327ee3",
        "ALF:Ransom:Win32/Babax.SG!MTB - Yara Detections: MAL_Unknown_PWDumper_Apr18_3 ,  EnigmaProtector ,  Delphi",
        "ALF:Ransom:Win32/Babax.SG!MTB - Alerts: procmem_yara injection_inter_process stack_pivot stealth_file antiav_detectfile",
        "ALF:Ransom:Win32/Babax.SG!MTB - Alerts: cape_extracted_content infostealer_cookies recon_fingerprint suricata_alert",
        "ALF:Ransom:Win32/Babax.SG!MTB: 34.241.182.209  Reverse DNS ec2-34-241-182-209.eu-west-1.compute.amazonaws.com | edge-irl1.demdex.net",
        "Razy-Yara Detections: SUSP_Imphash_Mar23_3 ,  UPX",
        "Yara Detections: ConventionEngine_Keyword_Bot ConventionEngine_Keyword_Bot bot BoT Bot bOt RSDS_T~!F,ah\u0001C:\\Buildbot\\ad-windows-32\\build\\release\\app-32\\win_loader\\AnyDesk.pdb",
        "CDN 104.21.14.163-Associated: URL's: http://resources.mini-box.com/online/MBD-mini2440 NEC3.5 kit/mini2440-ARM9-Board-with-NEC3.5-kit-android.pdf",
        "CDN 104.21.14.163:-Associated: URL's: http://light.80371024.workers.dev/",
        "Microsoft Ignite: https://otx.alienvault.com/otxapi/indicators/file/screenshot/2a2607260abf7f5bf4dd121b4dc758e7106668bb974c9f5977bf665d46063b1f",
        "Merits further research: boot.net.anydesk.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Win.Malware.Razy-9859339-0",
          "display_name": "Win.Malware.Razy-9859339-0",
          "target": null
        },
        {
          "id": "Win.Malware.Trojanx-9862538-0",
          "display_name": "Win.Malware.Trojanx-9862538-0",
          "target": null
        },
        {
          "id": "Win.Malware.Generickdz-9982080-0",
          "display_name": "Win.Malware.Generickdz-9982080-0",
          "target": null
        },
        {
          "id": "Win.Packed.Msilperseus-9956591-0",
          "display_name": "Win.Packed.Msilperseus-9956591-0",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:HackTool:Win32/DefenderControl",
          "display_name": "ALF:HeraklezEval:HackTool:Win32/DefenderControl",
          "target": null
        },
        {
          "id": "ALF:Ransom:Win32/Babax.SG!MTB",
          "display_name": "ALF:Ransom:Win32/Babax.SG!MTB",
          "target": null
        },
        {
          "id": "Samas-Samsam",
          "display_name": "Samas-Samsam",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1063",
          "name": "Security Software Discovery",
          "display_name": "T1063 - Security Software Discovery"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1081",
          "name": "Credentials in Files",
          "display_name": "T1081 - Credentials in Files"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1428",
          "name": "Exploit Enterprise Resources",
          "display_name": "T1428 - Exploit Enterprise Resources"
        },
        {
          "id": "T1086",
          "name": "PowerShell",
          "display_name": "T1086 - PowerShell"
        }
      ],
      "industries": [
        "Finance",
        "Technology",
        "Telecommunications",
        "Cyber Security",
        "Civilian Society"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 757,
        "FileHash-SHA1": 664,
        "FileHash-SHA256": 665,
        "SSLCertFingerprint": 6,
        "domain": 120,
        "URL": 114,
        "hostname": 95,
        "email": 3
      },
      "indicator_count": 2424,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 232,
      "modified_text": "603 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "62eb230323eff358effd7893",
      "name": "strteamdeck",
      "description": "The full list of people who have taken part in this year's BBC World Service has been released:..6f02.8m, 1.9m.3m; 1,935m",
      "modified": "2022-09-03T00:03:41.487000",
      "created": "2022-08-04T01:38:11.053000",
      "tags": [
        "whois record",
        "whois",
        "ssl certificate",
        "collection",
        "vt graph",
        "trojan",
        "springshell",
        "findingevil",
        "steg icons",
        "group earth",
        "qakbot",
        "ursnif",
        "ryuk",
        "quasar"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AIDefenseNet",
        "id": "102874",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 26,
        "URL": 73,
        "FileHash-MD5": 91,
        "FileHash-SHA1": 90,
        "FileHash-SHA256": 592,
        "hostname": 80
      },
      "indicator_count": 952,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 103,
      "modified_text": "1366 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://cutit.org/oxgBR",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://cutit.org/oxgBR",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780241651.9852064
}