{ "type": "URL", "indicator": "https://d.symcb.com/rpa06", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://d.symcb.com/rpa06", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #246", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain symcb.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2987344256, "indicator": "https://d.symcb.com/rpa06", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 11, "pulses": [ { "id": "69d98d5e88461ed06547690c", "name": "CAPE ***** GRAMMERsoft. Love Letter ****", "description": "A Cuckoo has been running on Microsoft's Windows operating system for the past two years. the last time it did so, and the first time in the history of the Windows platform.\n\nUser Notes a Cryptic Message: Killing Eve, Vanishing Triangle. Recent Comment on Belasco Chain is of interest given spellbound.exe...\nUR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N4XT.txt", "modified": "2026-05-30T00:28:12.957000", "created": "2026-04-10T23:53:02.973000", "tags": [ "cname", "p2404", "accept", "default", "host", "strong", "library", "p11776139675", "gmt range", "p11776090280", "shutdown", "generic", "bits", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "next", "settings", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "revengerat", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "windows sandbox", "calls process", "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "@grammersoft", "calls clear", "ip address", "cape sandbox", "bootkit", "t1055", "t1497", "error", "back", "pe file", "network info", "processes extra", "sample", "aslr", "performs dns", "t1055 process", "overview", "mitre attack", "overview zenbox", "none rticon", "pattern", "none image", "file size", "entity", "winmm", "dword", "locale", "screensaver", "alexa", "stars", "crypt32", "ddraw", "winsta", "ip traffic", "lockfile" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp", "https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2", "https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t" ], "public": 1, "adversary": "@GRAMMERSoft", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 613, "FileHash-SHA1": 373, "FileHash-SHA256": 569, "URL": 469, "hostname": 582, "domain": 62, "email": 3, "CVE": 6, "JA3": 1, "IPv4": 2 }, "indicator_count": 2680, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a05ac967057c13623229fa4", "name": "Eternal Romance. InfinityRedRatLokiMeteorDownDropRemPetDCometRevenBRabbit[Ilu/txt> vbs]CAPE Sandbox", "description": "[A report on the discovery of a malicious script on a server at the University of California, Los Angeles, has been published by GRAMMERSoft Group, a security firm based in the Philippines.] s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader JavaDropper Remcos Petya DarkComet RevengeRAT BadRabbit Iloveyou[txt]vbs.\nMalware like this is almost never unintentional.", "modified": "2026-05-15T10:49:24.586000", "created": "2026-05-14T11:05:58.600000", "tags": [ "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "extra info", "next", "vbs script", "program", "attack network", "info processes", "zenbox verdict", "guest system", "ultimate file", "info file", "defense evasion", "windows sandbox", "calls clear", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "initial access", "settings", "default", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "accept", "revengerat", "shutdown", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader Java" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778755991&Signature=xjEd%2BfezTG%2Bhf9CMiLVkvgMjqq3uWY0btw2QhhcAqvYLh%2BdAJB5d1xHA9O3DAxXep3iyDgqVU01VvCAb%2BKefQNSVhuEaACn6Vg0Hh1CHnNc3GMCXSMdTRZFYYSzniYpYsmeZX%2F0ez%2Fvlig7VA40maOBDvb%2B3HADaVl1jboeClkaL2NCfDYCQYRK2vZ5yX7ggUG%2FM2b0scFtssuydGnlFONW5Ebr6b3RuXJRvMFO9SQ%2BJ", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756062&Signature=1qwcsdiF0JPfNYSk7RDQXO4pZXvL%2Fj1JyEUevcp%2B6HlCDqJ6UKeuGEjU%2FtfcS8Y2I%2B%2FIkWQ7I%2FrKwePXyPYnyKs%2F5BGxqLLSdyj6hlP6mspza3lBQCmI8D%2B%2F%2BIcbUB4s1UZP6cZ3bieHVI%2BUt7YDDau3vsnsQBE3cIa48fIcZYKmsJp7P%2FETHpk%2FGfCZlLU4fOjXvbexeI%2Fjw%2FLOBcq3zipo%2BwQyGxHTmnK%2F", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756107&Signature=qcKaJdEe1%2F0Ewg9HU1LOWWYUSa1AX6o24coccdj5tLucnjjA7oPNFtU1%2FnPf1MngS%2B8Re5bUyuY%2FpE%2FwiXxMY9hSNotJ6H1BkH1IoOGDT8ucHEnRnac1I9XLmxmVOBdHXBoIYAF6cQu1wHM6n7kGPEnerHpqMASVuGIVJqeq9p3f7K8RNeiAlAzFQHPWjKuVRpePEo0aeNddEvVPmacL3C3Jjat%2B8lUZN4JAbvRXfPBU", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756213&Signature=nT2GPVh7JliXkCSmMglFnpxTqzjwGedv4d2km9l3nSbMaMVXff1erDdvDEzPK%2BiZmnXCBqjGhLu0pehbVPaA%2FuFCZI%2FNWrrMXl07NM2A8A0aQwuI5lwt6CpefiJaPgbeNJ%2FYSGyoPLGwLQTA1Upga8%2F1GeMvooHMu1noElIuYrvsfuC3bzCdwW7rC2t4C9bKa0%2FBKK%2BQHVrZA2NIAsBNIRplsBOqZybAuDBKBxb8Liqs580KbDsCQU4%", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756397&Signature=GrgrzQyGr0qFGDnfG3rlbCv4hrrrTPOM0ZaqFW%2FWxF%2BZW62aUsSeXENHRday%2B2le7YUbRKI20ywbl8yvmeRJ1iO5haWVNYFoq7Gt1zljmR%2F5ZveJp80cYWagPzIcSu2W0NzvR8T49UkZukCRr2yTn4Y77ivK4HZ%2FyE3ZL9Au3TqjZg0PaQSZhsub%2BtP7IMgeCTGCevf0UvRrEE6aka8%2FNMFwhtH5Pi7CX8SD%2F4Q%2Bd34I" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "FileHash-MD5": 245, "FileHash-SHA1": 109, "FileHash-SHA256": 224, "URL": 269, "domain": 51, "email": 3, "hostname": 189, "Mutex": 4 }, "indicator_count": 1130, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a05ac72028bf99f635f0ded", "name": "Eternal Romance. InfinityRedRatLokiMeteorDownDropRemPetDCometRevenBRabbit[Ilu/txt> vbs]CAPE Sandbox", "description": "[A report on the discovery of a malicious script on a server at the University of California, Los Angeles, has been published by GRAMMERSoft Group, a security firm based in the Philippines.] s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader JavaDropper Remcos Petya DarkComet RevengeRAT BadRabbit Iloveyou[txt]vbs.\nMalware like this is almost never unintentional.", "modified": "2026-05-14T11:05:22.932000", "created": "2026-05-14T11:05:22.932000", "tags": [ "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "extra info", "next", "vbs script", "program", "attack network", "info processes", "zenbox verdict", "guest system", "ultimate file", "info file", "defense evasion", "windows sandbox", "calls clear", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "initial access", "settings", "default", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "accept", "revengerat", "shutdown", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader Java" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778755991&Signature=xjEd%2BfezTG%2Bhf9CMiLVkvgMjqq3uWY0btw2QhhcAqvYLh%2BdAJB5d1xHA9O3DAxXep3iyDgqVU01VvCAb%2BKefQNSVhuEaACn6Vg0Hh1CHnNc3GMCXSMdTRZFYYSzniYpYsmeZX%2F0ez%2Fvlig7VA40maOBDvb%2B3HADaVl1jboeClkaL2NCfDYCQYRK2vZ5yX7ggUG%2FM2b0scFtssuydGnlFONW5Ebr6b3RuXJRvMFO9SQ%2BJ", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756062&Signature=1qwcsdiF0JPfNYSk7RDQXO4pZXvL%2Fj1JyEUevcp%2B6HlCDqJ6UKeuGEjU%2FtfcS8Y2I%2B%2FIkWQ7I%2FrKwePXyPYnyKs%2F5BGxqLLSdyj6hlP6mspza3lBQCmI8D%2B%2F%2BIcbUB4s1UZP6cZ3bieHVI%2BUt7YDDau3vsnsQBE3cIa48fIcZYKmsJp7P%2FETHpk%2FGfCZlLU4fOjXvbexeI%2Fjw%2FLOBcq3zipo%2BwQyGxHTmnK%2F", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756107&Signature=qcKaJdEe1%2F0Ewg9HU1LOWWYUSa1AX6o24coccdj5tLucnjjA7oPNFtU1%2FnPf1MngS%2B8Re5bUyuY%2FpE%2FwiXxMY9hSNotJ6H1BkH1IoOGDT8ucHEnRnac1I9XLmxmVOBdHXBoIYAF6cQu1wHM6n7kGPEnerHpqMASVuGIVJqeq9p3f7K8RNeiAlAzFQHPWjKuVRpePEo0aeNddEvVPmacL3C3Jjat%2B8lUZN4JAbvRXfPBU", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756213&Signature=nT2GPVh7JliXkCSmMglFnpxTqzjwGedv4d2km9l3nSbMaMVXff1erDdvDEzPK%2BiZmnXCBqjGhLu0pehbVPaA%2FuFCZI%2FNWrrMXl07NM2A8A0aQwuI5lwt6CpefiJaPgbeNJ%2FYSGyoPLGwLQTA1Upga8%2F1GeMvooHMu1noElIuYrvsfuC3bzCdwW7rC2t4C9bKa0%2FBKK%2BQHVrZA2NIAsBNIRplsBOqZybAuDBKBxb8Liqs580KbDsCQU4%", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756397&Signature=GrgrzQyGr0qFGDnfG3rlbCv4hrrrTPOM0ZaqFW%2FWxF%2BZW62aUsSeXENHRday%2B2le7YUbRKI20ywbl8yvmeRJ1iO5haWVNYFoq7Gt1zljmR%2F5ZveJp80cYWagPzIcSu2W0NzvR8T49UkZukCRr2yTn4Y77ivK4HZ%2FyE3ZL9Au3TqjZg0PaQSZhsub%2BtP7IMgeCTGCevf0UvRrEE6aka8%2FNMFwhtH5Pi7CX8SD%2F4Q%2Bd34I" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "FileHash-MD5": 244, "FileHash-SHA1": 108, "FileHash-SHA256": 223, "URL": 269, "domain": 51, "email": 3, "hostname": 189 }, "indicator_count": 1123, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a05ac2c27730f972e8d9474", "name": "Eternal Romance. InfinityRedRatLokiMeteorDownDropRemPetDCometRevenBRabbit[Ilu/txt> vbs]CAPE Sandbox", "description": "[A report on the discovery of a malicious script on a server at the University of California, Los Angeles, has been published by GRAMMERSoft Group, a security firm based in the Philippines.] s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader JavaDropper Remcos Petya DarkComet RevengeRAT BadRabbit Iloveyou[txt]vbs.\nMalware like this is almost never unintentional.", "modified": "2026-05-14T11:04:12.425000", "created": "2026-05-14T11:04:12.425000", "tags": [ "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "extra info", "next", "vbs script", "program", "attack network", "info processes", "zenbox verdict", "guest system", "ultimate file", "info file", "defense evasion", "windows sandbox", "calls clear", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "initial access", "settings", "default", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "accept", "revengerat", "shutdown", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader Java" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778755991&Signature=xjEd%2BfezTG%2Bhf9CMiLVkvgMjqq3uWY0btw2QhhcAqvYLh%2BdAJB5d1xHA9O3DAxXep3iyDgqVU01VvCAb%2BKefQNSVhuEaACn6Vg0Hh1CHnNc3GMCXSMdTRZFYYSzniYpYsmeZX%2F0ez%2Fvlig7VA40maOBDvb%2B3HADaVl1jboeClkaL2NCfDYCQYRK2vZ5yX7ggUG%2FM2b0scFtssuydGnlFONW5Ebr6b3RuXJRvMFO9SQ%2BJ", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756062&Signature=1qwcsdiF0JPfNYSk7RDQXO4pZXvL%2Fj1JyEUevcp%2B6HlCDqJ6UKeuGEjU%2FtfcS8Y2I%2B%2FIkWQ7I%2FrKwePXyPYnyKs%2F5BGxqLLSdyj6hlP6mspza3lBQCmI8D%2B%2F%2BIcbUB4s1UZP6cZ3bieHVI%2BUt7YDDau3vsnsQBE3cIa48fIcZYKmsJp7P%2FETHpk%2FGfCZlLU4fOjXvbexeI%2Fjw%2FLOBcq3zipo%2BwQyGxHTmnK%2F", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756107&Signature=qcKaJdEe1%2F0Ewg9HU1LOWWYUSa1AX6o24coccdj5tLucnjjA7oPNFtU1%2FnPf1MngS%2B8Re5bUyuY%2FpE%2FwiXxMY9hSNotJ6H1BkH1IoOGDT8ucHEnRnac1I9XLmxmVOBdHXBoIYAF6cQu1wHM6n7kGPEnerHpqMASVuGIVJqeq9p3f7K8RNeiAlAzFQHPWjKuVRpePEo0aeNddEvVPmacL3C3Jjat%2B8lUZN4JAbvRXfPBU", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756213&Signature=nT2GPVh7JliXkCSmMglFnpxTqzjwGedv4d2km9l3nSbMaMVXff1erDdvDEzPK%2BiZmnXCBqjGhLu0pehbVPaA%2FuFCZI%2FNWrrMXl07NM2A8A0aQwuI5lwt6CpefiJaPgbeNJ%2FYSGyoPLGwLQTA1Upga8%2F1GeMvooHMu1noElIuYrvsfuC3bzCdwW7rC2t4C9bKa0%2FBKK%2BQHVrZA2NIAsBNIRplsBOqZybAuDBKBxb8Liqs580KbDsCQU4%", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756397&Signature=GrgrzQyGr0qFGDnfG3rlbCv4hrrrTPOM0ZaqFW%2FWxF%2BZW62aUsSeXENHRday%2B2le7YUbRKI20ywbl8yvmeRJ1iO5haWVNYFoq7Gt1zljmR%2F5ZveJp80cYWagPzIcSu2W0NzvR8T49UkZukCRr2yTn4Y77ivK4HZ%2FyE3ZL9Au3TqjZg0PaQSZhsub%2BtP7IMgeCTGCevf0UvRrEE6aka8%2FNMFwhtH5Pi7CX8SD%2F4Q%2Bd34I" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "FileHash-MD5": 244, "FileHash-SHA1": 108, "FileHash-SHA256": 223, "URL": 269, "domain": 51, "email": 3, "hostname": 189 }, "indicator_count": 1123, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fea69182246b3dfd8cf790", "name": "CREDIT Q.VASHTI [clone: ET Malware Playtech Downloader for Online Gaming]", "description": "", "modified": "2026-05-09T05:16:24.802000", "created": "2026-05-09T03:14:25.220000", "tags": [ "installer.exe", "process32nextw", "regsetvalueexa", "regopenkeyexw", "regdword", "medium", "regbinary", "pupadware", "http header", "regsetvalueexw", "loader", "suspicious", "persistence", "execution", "malware", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "os2 executable", "pe32 compiler", "ltcgc", "techniques y", "none", "scripting inte", "registry", "elevati t1548", "hijack execut", "y none", "info", "abuse elevation", "control mec", "flow l", "plugins", "plugx", "backdoor", "trojan", "autoit", "crossrider", "modify", "bootkit", "abuse", "casino", "bet", "ah", "army", "sabey", "ahmann", "dora true", "persistence", "injection", "graham tech", "danger", "gambling", "intellectual property", "theft", "bonu$", "dago", "colorado" ], "references": [ "installer.exe | FileHash-SHA256 000002f7c809714f3dd89443c0b12d7f397c7dfe6108a448571e378b84c9f229", "Christopher P \u2018Buzz\u2019 Ahman | Brian Sabey | Tulach | Graham Tech", "Yara: Detections: stack_string | ConventionEngine_Keyword_Install |", "Yara: research_pe_signed_outside_timestamp [anomaly] xor_0x20_xord_javascript [Obfuscation]", "IDS Detections: Playtech Installer PUP/Adware | Playtech Downloader Online Gaming Checkin", "IDS Detections: Suspicious User-Agent containing Loader | Observed C: \\\\ filepath observed in HTTP header", "CS Yara: Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "CS IDS: Matches rule ET MALWARE Playtech Downloader Online Gaming Checkin", "CS IDS: Matches rule (http_inspect) HTTP Content-Length message body was truncated", "CS IDS: Matches rule SURICATA STREAM excessive retransmissions Unique rule identifier: This rule belongs to a private collection.", "http://fallback.playtech-installer.com/playtech_compressed_assets/casino_casinocom/index.7ze", "cache.download2.casino.com", "thebeautifulbet.com", "Trojan:Win32/Blihan.A -Yara Detections: KBysPacker028BetaShoooo", "http://geo.web-installer-assets.com/,onSuccessId:8,onFailureId:9", "http://geo.web-installer-assets.com/H", "http://geo.web-installer-assets.com/.hook_reg_dialog_skip_registration", "authrootstl.cab", "ET MALWARE Playtech Downloader Online Gaming Checkin Malware", "Command and Control Activity Detected", "Proofpoint Emerging Threats Open X Context for the matching alerts", "Rule references https://www.virustotal.com/gui/search/00740d7d15862efb3", "Destination IP: 157.185.156.194 Destination port: 80 Hostname: cache.download2.casino.com", "URL: http://cache.download2.casino.com/download/casino/client" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan.Playtech/Crossrider", "display_name": "Trojan.Playtech/Crossrider", "target": null }, { "id": "Trojan.Winterlove-28", "display_name": "Trojan.Winterlove-28", "target": null }, { "id": "TEL:Backdoor:Win32/PlugX", "display_name": "TEL:Backdoor:Win32/PlugX", "target": null }, { "id": "Trojan:Win32/Zbot.SIBG!MTB", "display_name": "Trojan:Win32/Zbot.SIBG!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBG!MTB" }, { "id": "#Lowfi:LUA:AutoItLargeFile", "display_name": "#Lowfi:LUA:AutoItLargeFile", "target": null }, { "id": "TELPER:HSTR:CLEAN:Ninite", "display_name": "TELPER:HSTR:CLEAN:Ninite", "target": null }, { "id": "#VirTool:Win32|Obfuscator.ADB", "display_name": "#VirTool:Win32|Obfuscator.ADB", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1067", "name": "Bootkit", "display_name": "T1067 - Bootkit" }, { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "display_name": "T1037 - Boot or Logon Initialization Scripts" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1463", "name": "Manipulate Device Communication", "display_name": "T1463 - Manipulate Device Communication" }, { "id": "T1401", "name": "Device Administrator Permissions", "display_name": "T1401 - Device Administrator Permissions" }, { "id": "T1413", "name": "Access Sensitive Data in Device Logs", "display_name": "T1413 - Access Sensitive Data in Device Logs" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": "6945800991b5d80bdbcd2168", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 7, "FileHash-SHA256": 338, "URL": 160, "hostname": 115, "domain": 82 }, "indicator_count": 710, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6945800991b5d80bdbcd2168", "name": "ET MALWARE Playtech Downloader Online Gaming Checkin Illegal Operations", "description": "Related to multiple illegal operations.\nAppears to be an illegal gambling operation with many fronts. (In this instance. This compromise is obviously not exclusive to the content I present)\n\nTip: by NPDJoke - Thank you! \nDangerous. Not fully confirmed by me- involvement of Colorado Mafia Families.\nConfirmed: Colorado has a very rich history of mafia crimes including gambling involving doctors to food manufacturers. Multiple fronts. The entire \u2018Family\u2019 associations, etc, is diversified, working in many roles such as medical professionals, lawyers, music , computer engineers, hackers. Colorado is beautiful but very corrupt.\nConfirmed: The wrong suspects jailed, jabbed, and sometimes murderd.", "modified": "2026-01-18T16:03:33.514000", "created": "2025-12-19T16:40:41.842000", "tags": [ "installer.exe", "process32nextw", "regsetvalueexa", "regopenkeyexw", "regdword", "medium", "regbinary", "pupadware", "http header", "regsetvalueexw", "loader", "suspicious", "persistence", "execution", "malware", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "os2 executable", "pe32 compiler", "ltcgc", "techniques y", "none", "scripting inte", "registry", "elevati t1548", "hijack execut", "y none", "info", "abuse elevation", "control mec", "flow l", "plugins", "plugx", "backdoor", "trojan", "autoit", "crossrider", "modify", "bootkit", "abuse", "casino", "bet", "ah", "army", "sabey", "ahmann", "dora true", "persistence", "injection", "graham tech", "danger", "gambling", "intellectual property", "theft", "bonu$", "dago", "colorado" ], "references": [ "installer.exe | FileHash-SHA256 000002f7c809714f3dd89443c0b12d7f397c7dfe6108a448571e378b84c9f229", "Christopher P \u2018Buzz\u2019 Ahman | Brian Sabey | Tulach | Graham Tech", "Yara: Detections: stack_string | ConventionEngine_Keyword_Install |", "Yara: research_pe_signed_outside_timestamp [anomaly] xor_0x20_xord_javascript [Obfuscation]", "IDS Detections: Playtech Installer PUP/Adware | Playtech Downloader Online Gaming Checkin", "IDS Detections: Suspicious User-Agent containing Loader | Observed C: \\\\ filepath observed in HTTP header", "CS Yara: Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "CS IDS: Matches rule ET MALWARE Playtech Downloader Online Gaming Checkin", "CS IDS: Matches rule (http_inspect) HTTP Content-Length message body was truncated", "CS IDS: Matches rule SURICATA STREAM excessive retransmissions Unique rule identifier: This rule belongs to a private collection.", "http://fallback.playtech-installer.com/playtech_compressed_assets/casino_casinocom/index.7ze", "cache.download2.casino.com", "thebeautifulbet.com", "Trojan:Win32/Blihan.A -Yara Detections: KBysPacker028BetaShoooo", "http://geo.web-installer-assets.com/,onSuccessId:8,onFailureId:9", "http://geo.web-installer-assets.com/H", "http://geo.web-installer-assets.com/.hook_reg_dialog_skip_registration", "authrootstl.cab", "ET MALWARE Playtech Downloader Online Gaming Checkin Malware", "Command and Control Activity Detected", "Proofpoint Emerging Threats Open X Context for the matching alerts", "Rule references https://www.virustotal.com/gui/search/00740d7d15862efb3", "Destination IP: 157.185.156.194 Destination port: 80 Hostname: cache.download2.casino.com", "URL: http://cache.download2.casino.com/download/casino/client" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan.Playtech/Crossrider", "display_name": "Trojan.Playtech/Crossrider", "target": null }, { "id": "Trojan.Winterlove-28", "display_name": "Trojan.Winterlove-28", "target": null }, { "id": "TEL:Backdoor:Win32/PlugX", "display_name": "TEL:Backdoor:Win32/PlugX", "target": null }, { "id": "Trojan:Win32/Zbot.SIBG!MTB", "display_name": "Trojan:Win32/Zbot.SIBG!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBG!MTB" }, { "id": "#Lowfi:LUA:AutoItLargeFile", "display_name": "#Lowfi:LUA:AutoItLargeFile", "target": null }, { "id": "TELPER:HSTR:CLEAN:Ninite", "display_name": "TELPER:HSTR:CLEAN:Ninite", "target": null }, { "id": "#VirTool:Win32|Obfuscator.ADB", "display_name": "#VirTool:Win32|Obfuscator.ADB", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1067", "name": "Bootkit", "display_name": "T1067 - Bootkit" }, { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "display_name": "T1037 - Boot or Logon Initialization Scripts" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1463", "name": "Manipulate Device Communication", "display_name": "T1463 - Manipulate Device Communication" }, { "id": "T1401", "name": "Device Administrator Permissions", "display_name": "T1401 - Device Administrator Permissions" }, { "id": "T1413", "name": "Access Sensitive Data in Device Logs", "display_name": "T1413 - Access Sensitive Data in Device Logs" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 7, "FileHash-SHA256": 338, "URL": 159, "hostname": 115, "domain": 82 }, "indicator_count": 709, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "132 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d45dab14a189645153e8a6", "name": "Reverse WHOIS results for vgt.pl ( GANG VGT)", "description": "", "modified": "2024-12-17T14:47:57", "created": "2024-09-01T12:27:23.777000", "tags": [ "ipv4 domain", "ipv4 url", "domain", "sha1", "sha256", "pehash", "vhash", "ssdeep" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1286, "FileHash-SHA1": 1286, "FileHash-SHA256": 2722, "URL": 4729, "domain": 1909, "hostname": 2082, "IPv4": 97, "CVE": 4, "YARA": 1 }, "indicator_count": 14116, "is_author": false, "is_subscribing": null, "subscriber_count": 127, "modified_text": "529 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "667af85fe8fea6365adaa65d", "name": "Norton & Norton Lifelock Products", "description": "Just taking a pak at some Norton-Related Problems\n(03.11.24): https://www.virustotal.com/graph/embed/g8619c830b2c24d849472aef95a362ce113e12cd6d68849e7a83c7eca387a378a?theme=dark", "modified": "2024-09-29T20:01:29.028000", "created": "2024-06-25T17:03:27.155000", "tags": [ "entity", "please", "javascript", "xwwmwh4cg2hpw" ], "references": [ "https://www.virustotal.com/graph/embed/g8619c830b2c24d849472aef95a362ce113e12cd6d68849e7a83c7eca387a378a?theme=dark", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/summary", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/iocs", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/graph", "08.30.24: e1ec7ebd4046143153dd28dd2b5a54cf34edd137c6288f4e56c6449f0753a986 (VT)", "08.30.24: Report ID: \t 6a27e451-df79-4f90-a022-9aa15cb58cea (Filescanio)" ], "public": 1, "adversary": "Norton Norton Lifelock Telus", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 50, "FileHash-SHA1": 54, "FileHash-SHA256": 831, "URL": 1120, "domain": 181, "hostname": 261 }, "indicator_count": 2497, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "608 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e1bcdc0a1e68182c252028", "name": "Activity Kotlin Extensions | Cryptor | Zombie Device | Network CnC", "description": "Remotely modified android device. Hidden users with full command and control. Network CnC Enables, microphone, camera, photos, screen recorder, login privileges, blocks and records calls, texts, forces updates, all services modified, Device is a zombie. \nAndroid phone behavior: Linux + Android over Chrome with Safari browser. Operated by a Lenovo K Tablet. Excessive Tracking . Pegasus relationships found. M. Brian Sabey related. Hidden users/user has all privileges of device owner. Threat actor possesses far more knowledge, uses device for malicious purposes, downloads porn in background. USA registrant. US target. DGA domains found. Evades detection.", "modified": "2024-03-31T11:04:36.813000", "created": "2024-03-01T11:32:44.504000", "tags": [ "communicating", "contacted", "android", "execution", "plugx", "threat", "iocs", "analyze", "urls http", "google llc", "server", "registrar abuse", "registrar iana", "us registrant", "date", "passive dns", "all octoseek", "http", "ip address", "related nids", "files location", "nsis", "network icmp", "read c", "entries", "search", "create c", "ddlr ltd", "write c", "sat may", "pe32", "intel", "write", "status", "urls", "creation date", "type", "hostname", "kotlin", "precreate read", "infotip read", "js user", "trojan", "ununtu", "linux", "module load", "t1129", "show", "copy", "win32", "malware", "as15169 google", "united", "unknown", "aaaa", "name servers", "showing", "error", "query", "default", "large dns", "malware dns", "msie", "windows nt", "february", "yara detections", "vbmod", "endpoints all", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "recon_fingerprint", "dead_host", "nolookup_communication", "antidbg_windows", "antivm_generic_bios", "browser_security", "modifies_certificates", "network_cnc_http", "network_http", "allocates_rwx", "antisandbox_sleep", "creates_exe", "exe_appdata", "dropper", "protection_rx", "antivm_network_adapters", "antivm_memory_available", "pe_features", "checks_debugger", "address", "domains ii", "servers", "set cookie", "next", "chrome", "record value", "body", "meta", "taiwan", "as3462", "as17421", "files", "dcbg", "direct search network", "spyware", "brian sabey", "norad tracking", "zombie", "scanning host", "apple", "ios", "lenovo", "cyber crime", "framing", "process32nextw", "regsetvalueexa", "tlsv1", "regopenkeyexw", "regdword", "loader", "suspicious", "persistence" ], "references": [ "xxx.developer.android.com", "Activity Kotlin Extensions (1.1.0) Tracking \u2022 Modification Privileges \u2022 Remote Install \u2022 Enable Camera \u2022 Enable Microphone \u2022 User w/Login Privileges \u2022 Picasa", "Package Manager: Maven Project URL: https://developer.android.com/jetpack/androidx/releases/activity#1.6.0-alpha01", "Win.Malware.Agent-6386296-0 FileHash-MD5: c7f6ed56312c8fbb58ae6ed445c38df4 | Win32:Adware-gen\\ [Adw]", "Win.Malware.Agent-6386296-0 FileHash-MD5: e02dbf5d1576e6c9d7d773a588b9b9ee", "Win.Malware.Agent-6386296-0 FileHash-SHA1: 466bbfcf0444b6406431f672aaa5ecfcca759379", "Win.Malware.Agent-6386296-0 FileHash-SHA1: e2dba94ef052db774478b9f7198c1a2298b334e5", "Win.Malware.Agent-6386296-0 FileHash-SHA256: 0000ada3e6821c011fd53a94e5a5d9a777a02b1c4cd087f1c51de9e0ad9023e3", "Win.Malware.Agent-6386296-0 FileHash-SHA256: fdb8452173a4f116f6e362ab5466c3c16bf6697502fe3d01db0d82f0e339de24 | Win32:Adware-gen\\ [Adw] ,", "https://otx.alienvault.com/indicator/file/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "Large DNS Query possible covert channel\t192.168.56.101", "Yara Detections: MS_Visual_Basic_6_0 , vad_contains_network_strings , EXECryptor2223compressedcodewwwstrongbitcom , EXECryptor2223protectedIAT , EXECryptor224StrongbitSoftCompleteDevelopmenth3 , EXECryptor2xxmaxcompressedresources ,", "Yara Detections Nullsoft_NSIS | Yara Detections: EXECryptorV22Xsoftcompletecom", "114-45-52-152.dynamic-ip.hinet.net\u2192.hinet.net | Domain has its own nameserver", "track.adminresourceupdate.com \u2022 postracking100.online", "2.746.1.iphone.com.unicostudio.braintest.adsenseformobileapps.com", "http://ecm.mobileboost.me/wapnt.php?id=368&publisher=headway&trackingId=1812131619a57bf1c1da8138&canal=offportal&source=001640_155:::cf1a3fda0", "http://mobileboost.me/APIS/WAPNT/wapnt.php?pageId=174&sec=334779&carrier=11&publisher=headway&aff_sub=18040118a49dafc70f463df8&source=000325_339", "mobile.detectivesoliver.com \u2022 callback.mobileboost.me", "IDS Detections: Playtech Installer PUP/Adware Playtech Downloader Online Gaming Checkin Suspicious User-Agent containing Loader Observed C: \\\\ filepath observed in HTTP header", "Yara Detections: stack_string , ConventionEngine_Keyword_Install , research_pe_signed_outside_timestamp , xor_0x20_xord_javascript" ], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Agent-6386296-0", "display_name": "Win.Malware.Agent-6386296-0", "target": null }, { "id": "#Lowfi:Trojan:JS/Auto59", "display_name": "#Lowfi:Trojan:JS/Auto59", "target": null }, { "id": "Win32:VBMod\\ [Trj]", "display_name": "Win32:VBMod\\ [Trj]", "target": null }, { "id": "!EXECryptor_2.x.x", "display_name": "!EXECryptor_2.x.x", "target": null }, { "id": "Win32:VBMod\\ [Trj]", "display_name": "Win32:VBMod\\ [Trj]", "target": null }, { "id": "Win.Trojan.5229994-1", "display_name": "Win.Trojan.5229994-1", "target": null }, { "id": "Taiwan", "display_name": "Taiwan", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1399", "name": "Modify Trusted Execution Environment", "display_name": "T1399 - Modify Trusted Execution Environment" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [ "Civil Society", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 636, "FileHash-SHA1": 402, "FileHash-SHA256": 1126, "URL": 3482, "domain": 1192, "hostname": 1324, "email": 7, "SSLCertFingerprint": 2 }, "indicator_count": 8171, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658cebdb940830a62e78a0db", "name": "Maui Ransomware | Virus Network", "description": "", "modified": "2024-01-27T03:00:49.486000", "created": "2023-12-28T03:30:35.847000", "tags": [ "write c", "read c", "process32nextw", "search", "regsetvalueexa", "show", "regdword", "png image", "showing", "entries", "loader", "write", "suspicious", "ghost rat", "webtoolbar", "nanocore rat", "persistence", "execution", "malware", "copy", "xport", "next", "unknown", "create c", "tlsv1", "united", "pupadware", "malware install", "default", "http header", "http requests", "stack_string", "allocates rwx", "network http", "injection process search", "dumped buffer", "antivm network adapters", "antisandbox", "foregroundwindows", "queries programs", "privilege luid check", "infostealer browser", "creates exe", "network icmp", "reads user agent", "modifies proxy wpad", "modifies certificates", "xor 0x20 xord javascript", "js", "stack string", "locates browser", "loader agent", "yara", "ids", "hallrender", "hijacker", "frigostInjector", "inject", "teams", "cp", "cyber", "monitoring", "cyber stalking", "brian sabey", "mark sabey", "load casino.com", "fallback playback intaller", "modify registry", "abuse", "revenge", "grayware", "installer", "win32 exe", "pe32", "intel", "ms windows", "windows control", "panel item", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "code signing", "assured id", "algorithm", "serial number", "issuer digicert", "name digicert", "thumbprint", "playtech plc", "original name", "internal name", "installer file", "version", "english us", "rticon english", "sections", "data english", "png png", "ico rtgroupicon", "struct", "et", "http method", "get http", "dns resolutions", "traffic", "get https", "get dns", "ip traffic", "hashes", "userprofile", "user", "file system", "files written", "files deleted", "files dropped", "urls", "contacted", "ip detections", "country", "files", "file type", "javascript", "shell", "kb file", "graph", "tsara brashears", "quasar", "relacionada", "emotet", "virus network", "maui ransomware", "agent tesla", "omnipoint", "cyberstalking", "lolkek", "attack", "core", "stealer", "remcos", "critical", "evilnum", "ursnif", "djvu", "asyncrat", "project", "redline stealer", "hacktool", "whois record", "ssl certificate", "pe resource", "collections", "communicating", "malicious", "apple", "family", "scoreblue" ], "references": [ "FILEHASH - MD5 3ce9d145f7e596bfdadd1d809cb78347", "Alerts", "Playtech Installer PUP/Adware", "Playtech Downloader Online Gaming Checkin" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null }, { "id": "ASCII", "display_name": "ASCII", "target": null }, { "id": "Trojan.Playtech/CrossRider", "display_name": "Trojan.Playtech/CrossRider", "target": null }, { "id": "Redline Stealer", "display_name": "Redline Stealer", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Hacktool", "display_name": "Hacktool", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "EVILNUM", "display_name": "EVILNUM", "target": null }, { "id": "Djvu", "display_name": "Djvu", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 136, "FileHash-SHA1": 88, "FileHash-SHA256": 424, "SSLCertFingerprint": 1, "URL": 149, "hostname": 241, "domain": 31, "email": 1, "CVE": 1 }, "indicator_count": 1072, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "627a43a7c8ff93929ea9bfa7", "name": "BootTime.exe x.symcb.com = CVE-2021-22941", "description": "Pattern match: \"http://sf.symcb.com/sf.crl0a\"\nPattern match: \"https://d.symcb.com/cps0%\"\nPattern match: \"https://d.symcb.com/rpa0\"\nPattern match: \"http://sf.symcd.com0&\"\nPattern match: \"http://sf.symcb.com/sf.crt0\"", "modified": "2022-06-09T00:00:13.607000", "created": "2022-05-10T10:51:19.919000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "memoryfile scan", "ansi", "unicode", "runtime data", "pattern match", "ck id", "show stream", "verisign", "service", "raw size", "error", "suspicious", "path", "delphi", "class", "dcom", "write", "hybrid", "close", "click", "form", "stack", "win32", "general", "strings", "malicious", "team", "february" ], "references": [ "https://hybrid-analysis.com/sample/656485427e26f58123770c5796281f4544f9381962b1d89f9d3c6bffe41bb814/5c271c687ca3e1086f44e819", "BootTime.exe", "656485427e26f58123770c5796281f4544f9381962b1d89f9d3c6bffe41bb814" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1002", "name": "Data Compressed", "display_name": "T1002 - Data Compressed" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1076", "name": "Remote Desktop Protocol", "display_name": "T1076 - Remote Desktop Protocol" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1215", "name": "Kernel Modules and Extensions", "display_name": "T1215 - Kernel Modules and Extensions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12, "hostname": 4, "FileHash-SHA256": 57, "CVE": 1, "FileHash-MD5": 11, "FileHash-SHA1": 1, "SSLCertFingerprint": 4 }, "indicator_count": 90, "is_author": false, "is_subscribing": null, "subscriber_count": 393, "modified_text": "1452 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756397&Signature=GrgrzQyGr0qFGDnfG3rlbCv4hrrrTPOM0ZaqFW%2FWxF%2BZW62aUsSeXENHRday%2B2le7YUbRKI20ywbl8yvmeRJ1iO5haWVNYFoq7Gt1zljmR%2F5ZveJp80cYWagPzIcSu2W0NzvR8T49UkZukCRr2yTn4Y77ivK4HZ%2FyE3ZL9Au3TqjZg0PaQSZhsub%2BtP7IMgeCTGCevf0UvRrEE6aka8%2FNMFwhtH5Pi7CX8SD%2F4Q%2Bd34I", "IDS Detections: Suspicious User-Agent containing Loader | Observed C: \\\\ filepath observed in HTTP header", "https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8", "http://fallback.playtech-installer.com/playtech_compressed_assets/casino_casinocom/index.7ze", "thebeautifulbet.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "Destination IP: 157.185.156.194 Destination port: 80 Hostname: cache.download2.casino.com", "CS IDS: Matches rule ET MALWARE Playtech Downloader Online Gaming Checkin", "mobile.detectivesoliver.com \u2022 callback.mobileboost.me", "http://geo.web-installer-assets.com/,onSuccessId:8,onFailureId:9", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756062&Signature=1qwcsdiF0JPfNYSk7RDQXO4pZXvL%2Fj1JyEUevcp%2B6HlCDqJ6UKeuGEjU%2FtfcS8Y2I%2B%2FIkWQ7I%2FrKwePXyPYnyKs%2F5BGxqLLSdyj6hlP6mspza3lBQCmI8D%2B%2F%2BIcbUB4s1UZP6cZ3bieHVI%2BUt7YDDau3vsnsQBE3cIa48fIcZYKmsJp7P%2FETHpk%2FGfCZlLU4fOjXvbexeI%2Fjw%2FLOBcq3zipo%2BwQyGxHTmnK%2F", "CS IDS: Matches rule (http_inspect) HTTP Content-Length message body was truncated", "ET MALWARE Playtech Downloader Online Gaming Checkin Malware", "Yara Detections: MS_Visual_Basic_6_0 , vad_contains_network_strings , EXECryptor2223compressedcodewwwstrongbitcom , EXECryptor2223protectedIAT , EXECryptor224StrongbitSoftCompleteDevelopmenth3 , EXECryptor2xxmaxcompressedresources ,", "http://geo.web-installer-assets.com/H", "Yara Detections Nullsoft_NSIS | Yara Detections: EXECryptorV22Xsoftcompletecom", "Large DNS Query possible covert channel\t192.168.56.101", "cache.download2.casino.com", "08.30.24: e1ec7ebd4046143153dd28dd2b5a54cf34edd137c6288f4e56c6449f0753a986 (VT)", "Trojan:Win32/Blihan.A -Yara Detections: KBysPacker028BetaShoooo", "Yara: research_pe_signed_outside_timestamp [anomaly] xor_0x20_xord_javascript [Obfuscation]", "Yara Detections: stack_string , ConventionEngine_Keyword_Install , research_pe_signed_outside_timestamp , xor_0x20_xord_javascript", "Win.Malware.Agent-6386296-0 FileHash-MD5: c7f6ed56312c8fbb58ae6ed445c38df4 | Win32:Adware-gen\\ [Adw]", "URL: http://cache.download2.casino.com/download/casino/client", "656485427e26f58123770c5796281f4544f9381962b1d89f9d3c6bffe41bb814", "IDS Detections: Playtech Installer PUP/Adware | Playtech Downloader Online Gaming Checkin", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij", "CS Yara: Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L", "authrootstl.cab", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/summary", "2.746.1.iphone.com.unicostudio.braintest.adsenseformobileapps.com", "installer.exe | FileHash-SHA256 000002f7c809714f3dd89443c0b12d7f397c7dfe6108a448571e378b84c9f229", "http://geo.web-installer-assets.com/.hook_reg_dialog_skip_registration", "IDS Detections: Playtech Installer PUP/Adware Playtech Downloader Online Gaming Checkin Suspicious User-Agent containing Loader Observed C: \\\\ filepath observed in HTTP header", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756107&Signature=qcKaJdEe1%2F0Ewg9HU1LOWWYUSa1AX6o24coccdj5tLucnjjA7oPNFtU1%2FnPf1MngS%2B8Re5bUyuY%2FpE%2FwiXxMY9hSNotJ6H1BkH1IoOGDT8ucHEnRnac1I9XLmxmVOBdHXBoIYAF6cQu1wHM6n7kGPEnerHpqMASVuGIVJqeq9p3f7K8RNeiAlAzFQHPWjKuVRpePEo0aeNddEvVPmacL3C3Jjat%2B8lUZN4JAbvRXfPBU", "Alerts", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT", "CS IDS: Matches rule SURICATA STREAM excessive retransmissions Unique rule identifier: This rule belongs to a private collection.", "Win.Malware.Agent-6386296-0 FileHash-SHA1: 466bbfcf0444b6406431f672aaa5ecfcca759379", "Playtech Downloader Online Gaming Checkin", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756213&Signature=nT2GPVh7JliXkCSmMglFnpxTqzjwGedv4d2km9l3nSbMaMVXff1erDdvDEzPK%2BiZmnXCBqjGhLu0pehbVPaA%2FuFCZI%2FNWrrMXl07NM2A8A0aQwuI5lwt6CpefiJaPgbeNJ%2FYSGyoPLGwLQTA1Upga8%2F1GeMvooHMu1noElIuYrvsfuC3bzCdwW7rC2t4C9bKa0%2FBKK%2BQHVrZA2NIAsBNIRplsBOqZybAuDBKBxb8Liqs580KbDsCQU4%", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD", "08.30.24: Report ID: \t 6a27e451-df79-4f90-a022-9aa15cb58cea (Filescanio)", "Command and Control Activity Detected", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/iocs", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2", "https://hybrid-analysis.com/sample/656485427e26f58123770c5796281f4544f9381962b1d89f9d3c6bffe41bb814/5c271c687ca3e1086f44e819", "BootTime.exe", "http://ecm.mobileboost.me/wapnt.php?id=368&publisher=headway&trackingId=1812131619a57bf1c1da8138&canal=offportal&source=001640_155:::cf1a3fda0", "https://www.virustotal.com/graph/embed/g8619c830b2c24d849472aef95a362ce113e12cd6d68849e7a83c7eca387a378a?theme=dark", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/graph", "Win.Malware.Agent-6386296-0 FileHash-MD5: e02dbf5d1576e6c9d7d773a588b9b9ee", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778755991&Signature=xjEd%2BfezTG%2Bhf9CMiLVkvgMjqq3uWY0btw2QhhcAqvYLh%2BdAJB5d1xHA9O3DAxXep3iyDgqVU01VvCAb%2BKefQNSVhuEaACn6Vg0Hh1CHnNc3GMCXSMdTRZFYYSzniYpYsmeZX%2F0ez%2Fvlig7VA40maOBDvb%2B3HADaVl1jboeClkaL2NCfDYCQYRK2vZ5yX7ggUG%2FM2b0scFtssuydGnlFONW5Ebr6b3RuXJRvMFO9SQ%2BJ", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp", "Yara: Detections: stack_string | ConventionEngine_Keyword_Install |", "Playtech Installer PUP/Adware", "FILEHASH - MD5 3ce9d145f7e596bfdadd1d809cb78347", "Package Manager: Maven Project URL: https://developer.android.com/jetpack/androidx/releases/activity#1.6.0-alpha01", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2", "xxx.developer.android.com", "Proofpoint Emerging Threats Open X Context for the matching alerts", "Rule references https://www.virustotal.com/gui/search/00740d7d15862efb3", "Win.Malware.Agent-6386296-0 FileHash-SHA1: e2dba94ef052db774478b9f7198c1a2298b334e5", "114-45-52-152.dynamic-ip.hinet.net\u2192.hinet.net | Domain has its own nameserver", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7", "Activity Kotlin Extensions (1.1.0) Tracking \u2022 Modification Privileges \u2022 Remote Install \u2022 Enable Camera \u2022 Enable Microphone \u2022 User w/Login Privileges \u2022 Picasa", "https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0", "Win.Malware.Agent-6386296-0 FileHash-SHA256: fdb8452173a4f116f6e362ab5466c3c16bf6697502fe3d01db0d82f0e339de24 | Win32:Adware-gen\\ [Adw] ,", "Win.Malware.Agent-6386296-0 FileHash-SHA256: 0000ada3e6821c011fd53a94e5a5d9a777a02b1c4cd087f1c51de9e0ad9023e3", "https://otx.alienvault.com/indicator/file/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "Christopher P \u2018Buzz\u2019 Ahman | Brian Sabey | Tulach | Graham Tech", "track.adminresourceupdate.com \u2022 postracking100.online", "http://mobileboost.me/APIS/WAPNT/wapnt.php?pageId=174&sec=334779&carrier=11&publisher=headway&aff_sub=18040118a49dafc70f463df8&source=000325_339" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Norton Norton Lifelock Telus", "[Unnamed group]", "@GRAMMERSoft" ], "malware_families": [ "Evilnum", "Redline stealer", "Trojan.playtech/crossrider", "Worm:win32/mofksys.rnd!mtb", "Hallrender", "Agent tesla", "#lowfi:lua:autoitlargefile", "#virtool:win32|obfuscator.adb", "Emotet", "Ascii", "Win.trojan.5229994-1", "Djvu", "Sabey", "Remcos", "Lolkek", "Trojan.winterlove-28", "Win32:vbmod\\ [trj]", "Webtoolbar", "Telper:hstr:clean:ninite", "Ghost rat", "Nanocore rat", "Trojan:win32/zbot.sibg!mtb", "Win.malware.agent-6386296-0", "Asyncrat", "#lowfi:trojan:js/auto59", "Maui ransomware", "Quasar rat", "!execryptor_2.x.x", "Tel:backdoor:win32/plugx", "Trojan:win32/blihan.a", "Taiwan", "Hacktool" ], "industries": [ "Telecommunications", "Technology", "Civil society" ], "unique_indicators": 27862 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/symcb.com", "whois": "http://whois.domaintools.com/symcb.com", "domain": "symcb.com", "hostname": "d.symcb.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 11, "pulses": [ { "id": "69d98d5e88461ed06547690c", "name": "CAPE ***** GRAMMERsoft. Love Letter ****", "description": "A Cuckoo has been running on Microsoft's Windows operating system for the past two years. the last time it did so, and the first time in the history of the Windows platform.\n\nUser Notes a Cryptic Message: Killing Eve, Vanishing Triangle. Recent Comment on Belasco Chain is of interest given spellbound.exe...\nUR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N4XT.txt", "modified": "2026-05-30T00:28:12.957000", "created": "2026-04-10T23:53:02.973000", "tags": [ "cname", "p2404", "accept", "default", "host", "strong", "library", "p11776139675", "gmt range", "p11776090280", "shutdown", "generic", "bits", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "next", "settings", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "revengerat", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "windows sandbox", "calls process", "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "@grammersoft", "calls clear", "ip address", "cape sandbox", "bootkit", "t1055", "t1497", "error", "back", "pe file", "network info", "processes extra", "sample", "aslr", "performs dns", "t1055 process", "overview", "mitre attack", "overview zenbox", "none rticon", "pattern", "none image", "file size", "entity", "winmm", "dword", "locale", "screensaver", "alexa", "stars", "crypt32", "ddraw", "winsta", "ip traffic", "lockfile" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2", "https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp", "https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0", "https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2", "https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t" ], "public": 1, "adversary": "@GRAMMERSoft", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 613, "FileHash-SHA1": 373, "FileHash-SHA256": 569, "URL": 469, "hostname": 582, "domain": 62, "email": 3, "CVE": 6, "JA3": 1, "IPv4": 2 }, "indicator_count": 2680, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a05ac967057c13623229fa4", "name": "Eternal Romance. InfinityRedRatLokiMeteorDownDropRemPetDCometRevenBRabbit[Ilu/txt> vbs]CAPE Sandbox", "description": "[A report on the discovery of a malicious script on a server at the University of California, Los Angeles, has been published by GRAMMERSoft Group, a security firm based in the Philippines.] s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader JavaDropper Remcos Petya DarkComet RevengeRAT BadRabbit Iloveyou[txt]vbs.\nMalware like this is almost never unintentional.", "modified": "2026-05-15T10:49:24.586000", "created": "2026-05-14T11:05:58.600000", "tags": [ "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "extra info", "next", "vbs script", "program", "attack network", "info processes", "zenbox verdict", "guest system", "ultimate file", "info file", "defense evasion", "windows sandbox", "calls clear", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "initial access", "settings", "default", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "accept", "revengerat", "shutdown", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader Java" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778755991&Signature=xjEd%2BfezTG%2Bhf9CMiLVkvgMjqq3uWY0btw2QhhcAqvYLh%2BdAJB5d1xHA9O3DAxXep3iyDgqVU01VvCAb%2BKefQNSVhuEaACn6Vg0Hh1CHnNc3GMCXSMdTRZFYYSzniYpYsmeZX%2F0ez%2Fvlig7VA40maOBDvb%2B3HADaVl1jboeClkaL2NCfDYCQYRK2vZ5yX7ggUG%2FM2b0scFtssuydGnlFONW5Ebr6b3RuXJRvMFO9SQ%2BJ", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756062&Signature=1qwcsdiF0JPfNYSk7RDQXO4pZXvL%2Fj1JyEUevcp%2B6HlCDqJ6UKeuGEjU%2FtfcS8Y2I%2B%2FIkWQ7I%2FrKwePXyPYnyKs%2F5BGxqLLSdyj6hlP6mspza3lBQCmI8D%2B%2F%2BIcbUB4s1UZP6cZ3bieHVI%2BUt7YDDau3vsnsQBE3cIa48fIcZYKmsJp7P%2FETHpk%2FGfCZlLU4fOjXvbexeI%2Fjw%2FLOBcq3zipo%2BwQyGxHTmnK%2F", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756107&Signature=qcKaJdEe1%2F0Ewg9HU1LOWWYUSa1AX6o24coccdj5tLucnjjA7oPNFtU1%2FnPf1MngS%2B8Re5bUyuY%2FpE%2FwiXxMY9hSNotJ6H1BkH1IoOGDT8ucHEnRnac1I9XLmxmVOBdHXBoIYAF6cQu1wHM6n7kGPEnerHpqMASVuGIVJqeq9p3f7K8RNeiAlAzFQHPWjKuVRpePEo0aeNddEvVPmacL3C3Jjat%2B8lUZN4JAbvRXfPBU", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756213&Signature=nT2GPVh7JliXkCSmMglFnpxTqzjwGedv4d2km9l3nSbMaMVXff1erDdvDEzPK%2BiZmnXCBqjGhLu0pehbVPaA%2FuFCZI%2FNWrrMXl07NM2A8A0aQwuI5lwt6CpefiJaPgbeNJ%2FYSGyoPLGwLQTA1Upga8%2F1GeMvooHMu1noElIuYrvsfuC3bzCdwW7rC2t4C9bKa0%2FBKK%2BQHVrZA2NIAsBNIRplsBOqZybAuDBKBxb8Liqs580KbDsCQU4%", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756397&Signature=GrgrzQyGr0qFGDnfG3rlbCv4hrrrTPOM0ZaqFW%2FWxF%2BZW62aUsSeXENHRday%2B2le7YUbRKI20ywbl8yvmeRJ1iO5haWVNYFoq7Gt1zljmR%2F5ZveJp80cYWagPzIcSu2W0NzvR8T49UkZukCRr2yTn4Y77ivK4HZ%2FyE3ZL9Au3TqjZg0PaQSZhsub%2BtP7IMgeCTGCevf0UvRrEE6aka8%2FNMFwhtH5Pi7CX8SD%2F4Q%2Bd34I" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "FileHash-MD5": 245, "FileHash-SHA1": 109, "FileHash-SHA256": 224, "URL": 269, "domain": 51, "email": 3, "hostname": 189, "Mutex": 4 }, "indicator_count": 1130, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a05ac72028bf99f635f0ded", "name": "Eternal Romance. InfinityRedRatLokiMeteorDownDropRemPetDCometRevenBRabbit[Ilu/txt> vbs]CAPE Sandbox", "description": "[A report on the discovery of a malicious script on a server at the University of California, Los Angeles, has been published by GRAMMERSoft Group, a security firm based in the Philippines.] s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader JavaDropper Remcos Petya DarkComet RevengeRAT BadRabbit Iloveyou[txt]vbs.\nMalware like this is almost never unintentional.", "modified": "2026-05-14T11:05:22.932000", "created": "2026-05-14T11:05:22.932000", "tags": [ "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "extra info", "next", "vbs script", "program", "attack network", "info processes", "zenbox verdict", "guest system", "ultimate file", "info file", "defense evasion", "windows sandbox", "calls clear", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "initial access", "settings", "default", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "accept", "revengerat", "shutdown", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader Java" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778755991&Signature=xjEd%2BfezTG%2Bhf9CMiLVkvgMjqq3uWY0btw2QhhcAqvYLh%2BdAJB5d1xHA9O3DAxXep3iyDgqVU01VvCAb%2BKefQNSVhuEaACn6Vg0Hh1CHnNc3GMCXSMdTRZFYYSzniYpYsmeZX%2F0ez%2Fvlig7VA40maOBDvb%2B3HADaVl1jboeClkaL2NCfDYCQYRK2vZ5yX7ggUG%2FM2b0scFtssuydGnlFONW5Ebr6b3RuXJRvMFO9SQ%2BJ", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756062&Signature=1qwcsdiF0JPfNYSk7RDQXO4pZXvL%2Fj1JyEUevcp%2B6HlCDqJ6UKeuGEjU%2FtfcS8Y2I%2B%2FIkWQ7I%2FrKwePXyPYnyKs%2F5BGxqLLSdyj6hlP6mspza3lBQCmI8D%2B%2F%2BIcbUB4s1UZP6cZ3bieHVI%2BUt7YDDau3vsnsQBE3cIa48fIcZYKmsJp7P%2FETHpk%2FGfCZlLU4fOjXvbexeI%2Fjw%2FLOBcq3zipo%2BwQyGxHTmnK%2F", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756107&Signature=qcKaJdEe1%2F0Ewg9HU1LOWWYUSa1AX6o24coccdj5tLucnjjA7oPNFtU1%2FnPf1MngS%2B8Re5bUyuY%2FpE%2FwiXxMY9hSNotJ6H1BkH1IoOGDT8ucHEnRnac1I9XLmxmVOBdHXBoIYAF6cQu1wHM6n7kGPEnerHpqMASVuGIVJqeq9p3f7K8RNeiAlAzFQHPWjKuVRpePEo0aeNddEvVPmacL3C3Jjat%2B8lUZN4JAbvRXfPBU", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756213&Signature=nT2GPVh7JliXkCSmMglFnpxTqzjwGedv4d2km9l3nSbMaMVXff1erDdvDEzPK%2BiZmnXCBqjGhLu0pehbVPaA%2FuFCZI%2FNWrrMXl07NM2A8A0aQwuI5lwt6CpefiJaPgbeNJ%2FYSGyoPLGwLQTA1Upga8%2F1GeMvooHMu1noElIuYrvsfuC3bzCdwW7rC2t4C9bKa0%2FBKK%2BQHVrZA2NIAsBNIRplsBOqZybAuDBKBxb8Liqs580KbDsCQU4%", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756397&Signature=GrgrzQyGr0qFGDnfG3rlbCv4hrrrTPOM0ZaqFW%2FWxF%2BZW62aUsSeXENHRday%2B2le7YUbRKI20ywbl8yvmeRJ1iO5haWVNYFoq7Gt1zljmR%2F5ZveJp80cYWagPzIcSu2W0NzvR8T49UkZukCRr2yTn4Y77ivK4HZ%2FyE3ZL9Au3TqjZg0PaQSZhsub%2BtP7IMgeCTGCevf0UvRrEE6aka8%2FNMFwhtH5Pi7CX8SD%2F4Q%2Bd34I" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "FileHash-MD5": 244, "FileHash-SHA1": 108, "FileHash-SHA256": 223, "URL": 269, "domain": 51, "email": 3, "hostname": 189 }, "indicator_count": 1123, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a05ac2c27730f972e8d9474", "name": "Eternal Romance. InfinityRedRatLokiMeteorDownDropRemPetDCometRevenBRabbit[Ilu/txt> vbs]CAPE Sandbox", "description": "[A report on the discovery of a malicious script on a server at the University of California, Los Angeles, has been published by GRAMMERSoft Group, a security firm based in the Philippines.] s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader JavaDropper Remcos Petya DarkComet RevengeRAT BadRabbit Iloveyou[txt]vbs.\nMalware like this is almost never unintentional.", "modified": "2026-05-14T11:04:12.425000", "created": "2026-05-14T11:04:12.425000", "tags": [ "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "extra info", "next", "vbs script", "program", "attack network", "info processes", "zenbox verdict", "guest system", "ultimate file", "info file", "defense evasion", "windows sandbox", "calls clear", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "initial access", "settings", "default", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "accept", "revengerat", "shutdown", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader Java" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778755991&Signature=xjEd%2BfezTG%2Bhf9CMiLVkvgMjqq3uWY0btw2QhhcAqvYLh%2BdAJB5d1xHA9O3DAxXep3iyDgqVU01VvCAb%2BKefQNSVhuEaACn6Vg0Hh1CHnNc3GMCXSMdTRZFYYSzniYpYsmeZX%2F0ez%2Fvlig7VA40maOBDvb%2B3HADaVl1jboeClkaL2NCfDYCQYRK2vZ5yX7ggUG%2FM2b0scFtssuydGnlFONW5Ebr6b3RuXJRvMFO9SQ%2BJ", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756062&Signature=1qwcsdiF0JPfNYSk7RDQXO4pZXvL%2Fj1JyEUevcp%2B6HlCDqJ6UKeuGEjU%2FtfcS8Y2I%2B%2FIkWQ7I%2FrKwePXyPYnyKs%2F5BGxqLLSdyj6hlP6mspza3lBQCmI8D%2B%2F%2BIcbUB4s1UZP6cZ3bieHVI%2BUt7YDDau3vsnsQBE3cIa48fIcZYKmsJp7P%2FETHpk%2FGfCZlLU4fOjXvbexeI%2Fjw%2FLOBcq3zipo%2BwQyGxHTmnK%2F", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756107&Signature=qcKaJdEe1%2F0Ewg9HU1LOWWYUSa1AX6o24coccdj5tLucnjjA7oPNFtU1%2FnPf1MngS%2B8Re5bUyuY%2FpE%2FwiXxMY9hSNotJ6H1BkH1IoOGDT8ucHEnRnac1I9XLmxmVOBdHXBoIYAF6cQu1wHM6n7kGPEnerHpqMASVuGIVJqeq9p3f7K8RNeiAlAzFQHPWjKuVRpePEo0aeNddEvVPmacL3C3Jjat%2B8lUZN4JAbvRXfPBU", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756213&Signature=nT2GPVh7JliXkCSmMglFnpxTqzjwGedv4d2km9l3nSbMaMVXff1erDdvDEzPK%2BiZmnXCBqjGhLu0pehbVPaA%2FuFCZI%2FNWrrMXl07NM2A8A0aQwuI5lwt6CpefiJaPgbeNJ%2FYSGyoPLGwLQTA1Upga8%2F1GeMvooHMu1noElIuYrvsfuC3bzCdwW7rC2t4C9bKa0%2FBKK%2BQHVrZA2NIAsBNIRplsBOqZybAuDBKBxb8Liqs580KbDsCQU4%", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756397&Signature=GrgrzQyGr0qFGDnfG3rlbCv4hrrrTPOM0ZaqFW%2FWxF%2BZW62aUsSeXENHRday%2B2le7YUbRKI20ywbl8yvmeRJ1iO5haWVNYFoq7Gt1zljmR%2F5ZveJp80cYWagPzIcSu2W0NzvR8T49UkZukCRr2yTn4Y77ivK4HZ%2FyE3ZL9Au3TqjZg0PaQSZhsub%2BtP7IMgeCTGCevf0UvRrEE6aka8%2FNMFwhtH5Pi7CX8SD%2F4Q%2Bd34I" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "FileHash-MD5": 244, "FileHash-SHA1": 108, "FileHash-SHA256": 223, "URL": 269, "domain": 51, "email": 3, "hostname": 189 }, "indicator_count": 1123, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fea69182246b3dfd8cf790", "name": "CREDIT Q.VASHTI [clone: ET Malware Playtech Downloader for Online Gaming]", "description": "", "modified": "2026-05-09T05:16:24.802000", "created": "2026-05-09T03:14:25.220000", "tags": [ "installer.exe", "process32nextw", "regsetvalueexa", "regopenkeyexw", "regdword", "medium", "regbinary", "pupadware", "http header", "regsetvalueexw", "loader", "suspicious", "persistence", "execution", "malware", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "os2 executable", "pe32 compiler", "ltcgc", "techniques y", "none", "scripting inte", "registry", "elevati t1548", "hijack execut", "y none", "info", "abuse elevation", "control mec", "flow l", "plugins", "plugx", "backdoor", "trojan", "autoit", "crossrider", "modify", "bootkit", "abuse", "casino", "bet", "ah", "army", "sabey", "ahmann", "dora true", "persistence", "injection", "graham tech", "danger", "gambling", "intellectual property", "theft", "bonu$", "dago", "colorado" ], "references": [ "installer.exe | FileHash-SHA256 000002f7c809714f3dd89443c0b12d7f397c7dfe6108a448571e378b84c9f229", "Christopher P \u2018Buzz\u2019 Ahman | Brian Sabey | Tulach | Graham Tech", "Yara: Detections: stack_string | ConventionEngine_Keyword_Install |", "Yara: research_pe_signed_outside_timestamp [anomaly] xor_0x20_xord_javascript [Obfuscation]", "IDS Detections: Playtech Installer PUP/Adware | Playtech Downloader Online Gaming Checkin", "IDS Detections: Suspicious User-Agent containing Loader | Observed C: \\\\ filepath observed in HTTP header", "CS Yara: Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "CS IDS: Matches rule ET MALWARE Playtech Downloader Online Gaming Checkin", "CS IDS: Matches rule (http_inspect) HTTP Content-Length message body was truncated", "CS IDS: Matches rule SURICATA STREAM excessive retransmissions Unique rule identifier: This rule belongs to a private collection.", "http://fallback.playtech-installer.com/playtech_compressed_assets/casino_casinocom/index.7ze", "cache.download2.casino.com", "thebeautifulbet.com", "Trojan:Win32/Blihan.A -Yara Detections: KBysPacker028BetaShoooo", "http://geo.web-installer-assets.com/,onSuccessId:8,onFailureId:9", "http://geo.web-installer-assets.com/H", "http://geo.web-installer-assets.com/.hook_reg_dialog_skip_registration", "authrootstl.cab", "ET MALWARE Playtech Downloader Online Gaming Checkin Malware", "Command and Control Activity Detected", "Proofpoint Emerging Threats Open X Context for the matching alerts", "Rule references https://www.virustotal.com/gui/search/00740d7d15862efb3", "Destination IP: 157.185.156.194 Destination port: 80 Hostname: cache.download2.casino.com", "URL: http://cache.download2.casino.com/download/casino/client" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan.Playtech/Crossrider", "display_name": "Trojan.Playtech/Crossrider", "target": null }, { "id": "Trojan.Winterlove-28", "display_name": "Trojan.Winterlove-28", "target": null }, { "id": "TEL:Backdoor:Win32/PlugX", "display_name": "TEL:Backdoor:Win32/PlugX", "target": null }, { "id": "Trojan:Win32/Zbot.SIBG!MTB", "display_name": "Trojan:Win32/Zbot.SIBG!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBG!MTB" }, { "id": "#Lowfi:LUA:AutoItLargeFile", "display_name": "#Lowfi:LUA:AutoItLargeFile", "target": null }, { "id": "TELPER:HSTR:CLEAN:Ninite", "display_name": "TELPER:HSTR:CLEAN:Ninite", "target": null }, { "id": "#VirTool:Win32|Obfuscator.ADB", "display_name": "#VirTool:Win32|Obfuscator.ADB", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1067", "name": "Bootkit", "display_name": "T1067 - Bootkit" }, { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "display_name": "T1037 - Boot or Logon Initialization Scripts" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1463", "name": "Manipulate Device Communication", "display_name": "T1463 - Manipulate Device Communication" }, { "id": "T1401", "name": "Device Administrator Permissions", "display_name": "T1401 - Device Administrator Permissions" }, { "id": "T1413", "name": "Access Sensitive Data in Device Logs", "display_name": "T1413 - Access Sensitive Data in Device Logs" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": "6945800991b5d80bdbcd2168", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 7, "FileHash-SHA256": 338, "URL": 160, "hostname": 115, "domain": 82 }, "indicator_count": 710, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6945800991b5d80bdbcd2168", "name": "ET MALWARE Playtech Downloader Online Gaming Checkin Illegal Operations", "description": "Related to multiple illegal operations.\nAppears to be an illegal gambling operation with many fronts. (In this instance. This compromise is obviously not exclusive to the content I present)\n\nTip: by NPDJoke - Thank you! \nDangerous. Not fully confirmed by me- involvement of Colorado Mafia Families.\nConfirmed: Colorado has a very rich history of mafia crimes including gambling involving doctors to food manufacturers. Multiple fronts. The entire \u2018Family\u2019 associations, etc, is diversified, working in many roles such as medical professionals, lawyers, music , computer engineers, hackers. Colorado is beautiful but very corrupt.\nConfirmed: The wrong suspects jailed, jabbed, and sometimes murderd.", "modified": "2026-01-18T16:03:33.514000", "created": "2025-12-19T16:40:41.842000", "tags": [ "installer.exe", "process32nextw", "regsetvalueexa", "regopenkeyexw", "regdword", "medium", "regbinary", "pupadware", "http header", "regsetvalueexw", "loader", "suspicious", "persistence", "execution", "malware", "win32 exe", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "os2 executable", "pe32 compiler", "ltcgc", "techniques y", "none", "scripting inte", "registry", "elevati t1548", "hijack execut", "y none", "info", "abuse elevation", "control mec", "flow l", "plugins", "plugx", "backdoor", "trojan", "autoit", "crossrider", "modify", "bootkit", "abuse", "casino", "bet", "ah", "army", "sabey", "ahmann", "dora true", "persistence", "injection", "graham tech", "danger", "gambling", "intellectual property", "theft", "bonu$", "dago", "colorado" ], "references": [ "installer.exe | FileHash-SHA256 000002f7c809714f3dd89443c0b12d7f397c7dfe6108a448571e378b84c9f229", "Christopher P \u2018Buzz\u2019 Ahman | Brian Sabey | Tulach | Graham Tech", "Yara: Detections: stack_string | ConventionEngine_Keyword_Install |", "Yara: research_pe_signed_outside_timestamp [anomaly] xor_0x20_xord_javascript [Obfuscation]", "IDS Detections: Playtech Installer PUP/Adware | Playtech Downloader Online Gaming Checkin", "IDS Detections: Suspicious User-Agent containing Loader | Observed C: \\\\ filepath observed in HTTP header", "CS Yara: Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "CS IDS: Matches rule ET MALWARE Playtech Downloader Online Gaming Checkin", "CS IDS: Matches rule (http_inspect) HTTP Content-Length message body was truncated", "CS IDS: Matches rule SURICATA STREAM excessive retransmissions Unique rule identifier: This rule belongs to a private collection.", "http://fallback.playtech-installer.com/playtech_compressed_assets/casino_casinocom/index.7ze", "cache.download2.casino.com", "thebeautifulbet.com", "Trojan:Win32/Blihan.A -Yara Detections: KBysPacker028BetaShoooo", "http://geo.web-installer-assets.com/,onSuccessId:8,onFailureId:9", "http://geo.web-installer-assets.com/H", "http://geo.web-installer-assets.com/.hook_reg_dialog_skip_registration", "authrootstl.cab", "ET MALWARE Playtech Downloader Online Gaming Checkin Malware", "Command and Control Activity Detected", "Proofpoint Emerging Threats Open X Context for the matching alerts", "Rule references https://www.virustotal.com/gui/search/00740d7d15862efb3", "Destination IP: 157.185.156.194 Destination port: 80 Hostname: cache.download2.casino.com", "URL: http://cache.download2.casino.com/download/casino/client" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan.Playtech/Crossrider", "display_name": "Trojan.Playtech/Crossrider", "target": null }, { "id": "Trojan.Winterlove-28", "display_name": "Trojan.Winterlove-28", "target": null }, { "id": "TEL:Backdoor:Win32/PlugX", "display_name": "TEL:Backdoor:Win32/PlugX", "target": null }, { "id": "Trojan:Win32/Zbot.SIBG!MTB", "display_name": "Trojan:Win32/Zbot.SIBG!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBG!MTB" }, { "id": "#Lowfi:LUA:AutoItLargeFile", "display_name": "#Lowfi:LUA:AutoItLargeFile", "target": null }, { "id": "TELPER:HSTR:CLEAN:Ninite", "display_name": "TELPER:HSTR:CLEAN:Ninite", "target": null }, { "id": "#VirTool:Win32|Obfuscator.ADB", "display_name": "#VirTool:Win32|Obfuscator.ADB", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1067", "name": "Bootkit", "display_name": "T1067 - Bootkit" }, { "id": "T1037", "name": "Boot or Logon Initialization Scripts", "display_name": "T1037 - Boot or Logon Initialization Scripts" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1463", "name": "Manipulate Device Communication", "display_name": "T1463 - Manipulate Device Communication" }, { "id": "T1401", "name": "Device Administrator Permissions", "display_name": "T1401 - Device Administrator Permissions" }, { "id": "T1413", "name": "Access Sensitive Data in Device Logs", "display_name": "T1413 - Access Sensitive Data in Device Logs" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 7, "FileHash-SHA256": 338, "URL": 159, "hostname": 115, "domain": 82 }, "indicator_count": 709, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "132 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d45dab14a189645153e8a6", "name": "Reverse WHOIS results for vgt.pl ( GANG VGT)", "description": "", "modified": "2024-12-17T14:47:57", "created": "2024-09-01T12:27:23.777000", "tags": [ "ipv4 domain", "ipv4 url", "domain", "sha1", "sha256", "pehash", "vhash", "ssdeep" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1286, "FileHash-SHA1": 1286, "FileHash-SHA256": 2722, "URL": 4729, "domain": 1909, "hostname": 2082, "IPv4": 97, "CVE": 4, "YARA": 1 }, "indicator_count": 14116, "is_author": false, "is_subscribing": null, "subscriber_count": 127, "modified_text": "529 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "667af85fe8fea6365adaa65d", "name": "Norton & Norton Lifelock Products", "description": "Just taking a pak at some Norton-Related Problems\n(03.11.24): https://www.virustotal.com/graph/embed/g8619c830b2c24d849472aef95a362ce113e12cd6d68849e7a83c7eca387a378a?theme=dark", "modified": "2024-09-29T20:01:29.028000", "created": "2024-06-25T17:03:27.155000", "tags": [ "entity", "please", "javascript", "xwwmwh4cg2hpw" ], "references": [ "https://www.virustotal.com/graph/embed/g8619c830b2c24d849472aef95a362ce113e12cd6d68849e7a83c7eca387a378a?theme=dark", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/summary", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/iocs", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188/graph", "08.30.24: e1ec7ebd4046143153dd28dd2b5a54cf34edd137c6288f4e56c6449f0753a986 (VT)", "08.30.24: Report ID: \t 6a27e451-df79-4f90-a022-9aa15cb58cea (Filescanio)" ], "public": 1, "adversary": "Norton Norton Lifelock Telus", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 50, "FileHash-SHA1": 54, "FileHash-SHA256": 831, "URL": 1120, "domain": 181, "hostname": 261 }, "indicator_count": 2497, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "608 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65e1bcdc0a1e68182c252028", "name": "Activity Kotlin Extensions | Cryptor | Zombie Device | Network CnC", "description": "Remotely modified android device. Hidden users with full command and control. Network CnC Enables, microphone, camera, photos, screen recorder, login privileges, blocks and records calls, texts, forces updates, all services modified, Device is a zombie. \nAndroid phone behavior: Linux + Android over Chrome with Safari browser. Operated by a Lenovo K Tablet. Excessive Tracking . Pegasus relationships found. M. Brian Sabey related. Hidden users/user has all privileges of device owner. Threat actor possesses far more knowledge, uses device for malicious purposes, downloads porn in background. USA registrant. US target. DGA domains found. Evades detection.", "modified": "2024-03-31T11:04:36.813000", "created": "2024-03-01T11:32:44.504000", "tags": [ "communicating", "contacted", "android", "execution", "plugx", "threat", "iocs", "analyze", "urls http", "google llc", "server", "registrar abuse", "registrar iana", "us registrant", "date", "passive dns", "all octoseek", "http", "ip address", "related nids", "files location", "nsis", "network icmp", "read c", "entries", "search", "create c", "ddlr ltd", "write c", "sat may", "pe32", "intel", "write", "status", "urls", "creation date", "type", "hostname", "kotlin", "precreate read", "infotip read", "js user", "trojan", "ununtu", "linux", "module load", "t1129", "show", "copy", "win32", "malware", "as15169 google", "united", "unknown", "aaaa", "name servers", "showing", "error", "query", "default", "large dns", "malware dns", "msie", "windows nt", "february", "yara detections", "vbmod", "endpoints all", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "recon_fingerprint", "dead_host", "nolookup_communication", "antidbg_windows", "antivm_generic_bios", "browser_security", "modifies_certificates", "network_cnc_http", "network_http", "allocates_rwx", "antisandbox_sleep", "creates_exe", "exe_appdata", "dropper", "protection_rx", "antivm_network_adapters", "antivm_memory_available", "pe_features", "checks_debugger", "address", "domains ii", "servers", "set cookie", "next", "chrome", "record value", "body", "meta", "taiwan", "as3462", "as17421", "files", "dcbg", "direct search network", "spyware", "brian sabey", "norad tracking", "zombie", "scanning host", "apple", "ios", "lenovo", "cyber crime", "framing", "process32nextw", "regsetvalueexa", "tlsv1", "regopenkeyexw", "regdword", "loader", "suspicious", "persistence" ], "references": [ "xxx.developer.android.com", "Activity Kotlin Extensions (1.1.0) Tracking \u2022 Modification Privileges \u2022 Remote Install \u2022 Enable Camera \u2022 Enable Microphone \u2022 User w/Login Privileges \u2022 Picasa", "Package Manager: Maven Project URL: https://developer.android.com/jetpack/androidx/releases/activity#1.6.0-alpha01", "Win.Malware.Agent-6386296-0 FileHash-MD5: c7f6ed56312c8fbb58ae6ed445c38df4 | Win32:Adware-gen\\ [Adw]", "Win.Malware.Agent-6386296-0 FileHash-MD5: e02dbf5d1576e6c9d7d773a588b9b9ee", "Win.Malware.Agent-6386296-0 FileHash-SHA1: 466bbfcf0444b6406431f672aaa5ecfcca759379", "Win.Malware.Agent-6386296-0 FileHash-SHA1: e2dba94ef052db774478b9f7198c1a2298b334e5", "Win.Malware.Agent-6386296-0 FileHash-SHA256: 0000ada3e6821c011fd53a94e5a5d9a777a02b1c4cd087f1c51de9e0ad9023e3", "Win.Malware.Agent-6386296-0 FileHash-SHA256: fdb8452173a4f116f6e362ab5466c3c16bf6697502fe3d01db0d82f0e339de24 | Win32:Adware-gen\\ [Adw] ,", "https://otx.alienvault.com/indicator/file/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/73d0f23d79d145dbf612290930ce092a01fe0acf73255628967abff7b5a8c9b5", "Large DNS Query possible covert channel\t192.168.56.101", "Yara Detections: MS_Visual_Basic_6_0 , vad_contains_network_strings , EXECryptor2223compressedcodewwwstrongbitcom , EXECryptor2223protectedIAT , EXECryptor224StrongbitSoftCompleteDevelopmenth3 , EXECryptor2xxmaxcompressedresources ,", "Yara Detections Nullsoft_NSIS | Yara Detections: EXECryptorV22Xsoftcompletecom", "114-45-52-152.dynamic-ip.hinet.net\u2192.hinet.net | Domain has its own nameserver", "track.adminresourceupdate.com \u2022 postracking100.online", "2.746.1.iphone.com.unicostudio.braintest.adsenseformobileapps.com", "http://ecm.mobileboost.me/wapnt.php?id=368&publisher=headway&trackingId=1812131619a57bf1c1da8138&canal=offportal&source=001640_155:::cf1a3fda0", "http://mobileboost.me/APIS/WAPNT/wapnt.php?pageId=174&sec=334779&carrier=11&publisher=headway&aff_sub=18040118a49dafc70f463df8&source=000325_339", "mobile.detectivesoliver.com \u2022 callback.mobileboost.me", "IDS Detections: Playtech Installer PUP/Adware Playtech Downloader Online Gaming Checkin Suspicious User-Agent containing Loader Observed C: \\\\ filepath observed in HTTP header", "Yara Detections: stack_string , ConventionEngine_Keyword_Install , research_pe_signed_outside_timestamp , xor_0x20_xord_javascript" ], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Agent-6386296-0", "display_name": "Win.Malware.Agent-6386296-0", "target": null }, { "id": "#Lowfi:Trojan:JS/Auto59", "display_name": "#Lowfi:Trojan:JS/Auto59", "target": null }, { "id": "Win32:VBMod\\ [Trj]", "display_name": "Win32:VBMod\\ [Trj]", "target": null }, { "id": "!EXECryptor_2.x.x", "display_name": "!EXECryptor_2.x.x", "target": null }, { "id": "Win32:VBMod\\ [Trj]", "display_name": "Win32:VBMod\\ [Trj]", "target": null }, { "id": "Win.Trojan.5229994-1", "display_name": "Win.Trojan.5229994-1", "target": null }, { "id": "Taiwan", "display_name": "Taiwan", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1399", "name": "Modify Trusted Execution Environment", "display_name": "T1399 - Modify Trusted Execution Environment" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [ "Civil Society", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 636, "FileHash-SHA1": 402, "FileHash-SHA256": 1126, "URL": 3482, "domain": 1192, "hostname": 1324, "email": 7, "SSLCertFingerprint": 2 }, "indicator_count": 8171, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "791 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658cebdb940830a62e78a0db", "name": "Maui Ransomware | Virus Network", "description": "", "modified": "2024-01-27T03:00:49.486000", "created": "2023-12-28T03:30:35.847000", "tags": [ "write c", "read c", "process32nextw", "search", "regsetvalueexa", "show", "regdword", "png image", "showing", "entries", "loader", "write", "suspicious", "ghost rat", "webtoolbar", "nanocore rat", "persistence", "execution", "malware", "copy", "xport", "next", "unknown", "create c", "tlsv1", "united", "pupadware", "malware install", "default", "http header", "http requests", "stack_string", "allocates rwx", "network http", "injection process search", "dumped buffer", "antivm network adapters", "antisandbox", "foregroundwindows", "queries programs", "privilege luid check", "infostealer browser", "creates exe", "network icmp", "reads user agent", "modifies proxy wpad", "modifies certificates", "xor 0x20 xord javascript", "js", "stack string", "locates browser", "loader agent", "yara", "ids", "hallrender", "hijacker", "frigostInjector", "inject", "teams", "cp", "cyber", "monitoring", "cyber stalking", "brian sabey", "mark sabey", "load casino.com", "fallback playback intaller", "modify registry", "abuse", "revenge", "grayware", "installer", "win32 exe", "pe32", "intel", "ms windows", "windows control", "panel item", "win32 dynamic", "link library", "win16 ne", "pe32 compiler", "code signing", "assured id", "algorithm", "serial number", "issuer digicert", "name digicert", "thumbprint", "playtech plc", "original name", "internal name", "installer file", "version", "english us", "rticon english", "sections", "data english", "png png", "ico rtgroupicon", "struct", "et", "http method", "get http", "dns resolutions", "traffic", "get https", "get dns", "ip traffic", "hashes", "userprofile", "user", "file system", "files written", "files deleted", "files dropped", "urls", "contacted", "ip detections", "country", "files", "file type", "javascript", "shell", "kb file", "graph", "tsara brashears", "quasar", "relacionada", "emotet", "virus network", "maui ransomware", "agent tesla", "omnipoint", "cyberstalking", "lolkek", "attack", "core", "stealer", "remcos", "critical", "evilnum", "ursnif", "djvu", "asyncrat", "project", "redline stealer", "hacktool", "whois record", "ssl certificate", "pe resource", "collections", "communicating", "malicious", "apple", "family", "scoreblue" ], "references": [ "FILEHASH - MD5 3ce9d145f7e596bfdadd1d809cb78347", "Alerts", "Playtech Installer PUP/Adware", "Playtech Downloader Online Gaming Checkin" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nanocore RAT", "display_name": "Nanocore RAT", "target": null }, { "id": "WebToolBar", "display_name": "WebToolBar", "target": null }, { "id": "ASCII", "display_name": "ASCII", "target": null }, { "id": "Trojan.Playtech/CrossRider", "display_name": "Trojan.Playtech/CrossRider", "target": null }, { "id": "Redline Stealer", "display_name": "Redline Stealer", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Maui Ransomware", "display_name": "Maui Ransomware", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Hacktool", "display_name": "Hacktool", "target": null }, { "id": "Ghost RAT", "display_name": "Ghost RAT", "target": null }, { "id": "EVILNUM", "display_name": "EVILNUM", "target": null }, { "id": "Djvu", "display_name": "Djvu", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Remcos", "display_name": "Remcos", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 136, "FileHash-SHA1": 88, "FileHash-SHA256": 424, "SSLCertFingerprint": 1, "URL": 149, "hostname": 241, "domain": 31, "email": 1, "CVE": 1 }, "indicator_count": 1072, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://d.symcb.com/rpa06", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://d.symcb.com/rpa06", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780238027.6984699 }