{ "type": "URL", "indicator": "https://daneden.github.io/animate.css/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://daneden.github.io/animate.css/", "type": "url", "type_title": "URL", "validation": [ { "source": "whitelist", "message": "Whitelisted domain github.io", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain github.io", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3155078690, "indicator": "https://daneden.github.io/animate.css/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 11, "pulses": [ { "id": "6583e3a2d1432cbf9054d26d", "name": "Qkbot | Reddit", "description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip found in Reddit Honeypot link: https://www.reddit.com/user\nbackdoor second stage developed for distribution as a password stealer. Qbot, seemingly common; is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim always be in botnetwork. Qbot encompasses many other bot networks, trojans, network rats, spyware, malvertizing, fraud services, full control of badly compromised digital profiles which have been discovered.", "modified": "2024-01-20T02:02:19.559000", "created": "2023-12-21T07:05:06.936000", "tags": [ "ssl certificate", "iocs", "ioc search", "new ioc", "teams api", "contact", "search", "threat", "paste", "blacklist https", "qakbot", "site", "cisco umbrella", "alexa top", "million", "ascii text", "pattern match", "file", "windows nt", "appdata", "indicator", "crlf line", "unicode text", "jpeg image", "mitre att", "hybrid", "general", "local", "error", "click", "strings", "microsoft", "threat analyzer", "urls https", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "heur", "malware site", "malicious site", "safe site", "malware", "html", "phishing site", "site top", "riskware", "unsafe", "artemis", "quasar rat", "downldr", "agent", "presenoker", "applicunwnt", "crack", "cve201711882", "win64", "iframe", "quasar", "trojanspy", "exit", "node tcp", "tor known", "tor relayrouter", "traffic", "anonymizer", "brasil", "phishing three", "united", "phishing bank", "virustotal", "tech", "bank", "maltiverse", "hidelink", "samples", "spyware", "injector", "mon jan", "tld count", "wed dec", "download", "first", "team", "simda", "bambernek", "simda simda", "infy", "alexa", "gregory", "cyber threat", "phishing", "engineering", "covid19", "telefonica co", "malicious", "zbot", "zeus", "betabot", "suppobox", "citadel", "pony", "kraken", "redline stealer", "ransomware", "vawtrak", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "plasma", "spyeye", "spitmo", "slingshot", "ramnit", "emotet", "pykspa", "virut", "installcore", "dorkbot", "bondat", "union", "vskimmer", "xtrat", "solar", "grandcrab", "nymaim", "matsnu", "cutwail", "cobalt strike", "hydra", "tinba", "nsis", "memscan", "deepscan", "runescape", "backdoor", "reddit", "tulach" ], "references": [ "https://seedbeej.pk/tin/index.php?QBOT.zip", "https://tulach.cc/ [phishing, exploits, malware spreader]", "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293", "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community", "198.54.115.46 [exploit_source]", "gadyniw.com [command_and_control]", "gahyqah.com [command_and_control]", "galyqaz.com [command_and_control]", "lyvyxor.com [command_and_control]", "puzylyp.com [command_and_control]", "malicious.high.ml [dropper]", "https://www.reddit.com/user" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Gregory", "display_name": "Gregory", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "vSkimmer", "display_name": "vSkimmer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Spitmo", "display_name": "Spitmo", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "DorkBot", "display_name": "DorkBot", "target": null }, { "id": "Slingshot", "display_name": "Slingshot", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Plasma RAT", "display_name": "Plasma RAT", "target": null }, { "id": "Neutrino", "display_name": "Neutrino", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "GrandCrab", "display_name": "GrandCrab", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Alinaos", "display_name": "Alinaos", "target": null }, { "id": "HawkEye", "display_name": "HawkEye", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Infy", "display_name": "Infy", "target": null }, { "id": "Dexter", "display_name": "Dexter", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "ASCII", "display_name": "ASCII", "target": null }, { "id": "Athena", "display_name": "Athena", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "COVID19", "display_name": "COVID19", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "Bondat", "display_name": "Bondat", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Hydra", "display_name": "Hydra", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 98, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8343, "FileHash-MD5": 953, "FileHash-SHA1": 489, "FileHash-SHA256": 3565, "domain": 1494, "hostname": 2218, "CVE": 6 }, "indicator_count": 17068, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6583e3acc7f464d48a3503d1", "name": "Qkbot | Reddit", "description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip found in Reddit Honeypot link: https://www.reddit.com/user\nbackdoor second stage developed for distribution as a password stealer. Qbot, seemingly common; is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim always be in botnetwork. Qbot encompasses many other bot networks, trojans, network rats, spyware, malvertizing, fraud services, full control of badly compromised digital profiles which have been discovered.", "modified": "2024-01-20T02:02:19.559000", "created": "2023-12-21T07:05:16.695000", "tags": [ "ssl certificate", "iocs", "ioc search", "new ioc", "teams api", "contact", "search", "threat", "paste", "blacklist https", "qakbot", "site", "cisco umbrella", "alexa top", "million", "ascii text", "pattern match", "file", "windows nt", "appdata", "indicator", "crlf line", "unicode text", "jpeg image", "mitre att", "hybrid", "general", "local", "error", "click", "strings", "microsoft", "threat analyzer", "urls https", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "heur", "malware site", "malicious site", "safe site", "malware", "html", "phishing site", "site top", "riskware", "unsafe", "artemis", "quasar rat", "downldr", "agent", "presenoker", "applicunwnt", "crack", "cve201711882", "win64", "iframe", "quasar", "trojanspy", "exit", "node tcp", "tor known", "tor relayrouter", "traffic", "anonymizer", "brasil", "phishing three", "united", "phishing bank", "virustotal", "tech", "bank", "maltiverse", "hidelink", "samples", "spyware", "injector", "mon jan", "tld count", "wed dec", "download", "first", "team", "simda", "bambernek", "simda simda", "infy", "alexa", "gregory", "cyber threat", "phishing", "engineering", "covid19", "telefonica co", "malicious", "zbot", "zeus", "betabot", "suppobox", "citadel", "pony", "kraken", "redline stealer", "ransomware", "vawtrak", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "plasma", "spyeye", "spitmo", "slingshot", "ramnit", "emotet", "pykspa", "virut", "installcore", "dorkbot", "bondat", "union", "vskimmer", "xtrat", "solar", "grandcrab", "nymaim", "matsnu", "cutwail", "cobalt strike", "hydra", "tinba", "nsis", "memscan", "deepscan", "runescape", "backdoor", "reddit", "tulach" ], "references": [ "https://seedbeej.pk/tin/index.php?QBOT.zip", "https://tulach.cc/ [phishing, exploits, malware spreader]", "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293", "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community", "198.54.115.46 [exploit_source]", "gadyniw.com [command_and_control]", "gahyqah.com [command_and_control]", "galyqaz.com [command_and_control]", "lyvyxor.com [command_and_control]", "puzylyp.com [command_and_control]", "malicious.high.ml [dropper]", "https://www.reddit.com/user" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Gregory", "display_name": "Gregory", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "vSkimmer", "display_name": "vSkimmer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Spitmo", "display_name": "Spitmo", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "DorkBot", "display_name": "DorkBot", "target": null }, { "id": "Slingshot", "display_name": "Slingshot", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Plasma RAT", "display_name": "Plasma RAT", "target": null }, { "id": "Neutrino", "display_name": "Neutrino", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "GrandCrab", "display_name": "GrandCrab", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Alinaos", "display_name": "Alinaos", "target": null }, { "id": "HawkEye", "display_name": "HawkEye", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Infy", "display_name": "Infy", "target": null }, { "id": "Dexter", "display_name": "Dexter", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "ASCII", "display_name": "ASCII", "target": null }, { "id": "Athena", "display_name": "Athena", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "COVID19", "display_name": "COVID19", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "Bondat", "display_name": "Bondat", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Hydra", "display_name": "Hydra", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 101, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8343, "FileHash-MD5": 953, "FileHash-SHA1": 489, "FileHash-SHA256": 3565, "domain": 1494, "hostname": 2218, "CVE": 6 }, "indicator_count": 17068, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658449d3f6ec1af2f3aace46", "name": "Qakbot | Reddit", "description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip Qbot zip found in Reddit Honeypot link: https://www.reddit.com/user backdoor second stage developed for distribution as a password stealer. Qbot, seemingly common; is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim always be in botnetwork. Qbot encompasses many other bot networks, trojans, network rats, spyware malvertizing, fraud services, leads to full control of badly compromised digital profile.", "modified": "2024-01-20T02:02:19.559000", "created": "2023-12-21T14:21:07.435000", "tags": [ "ssl certificate", "iocs", "ioc search", "new ioc", "teams api", "contact", "search", "threat", "paste", "blacklist https", "qakbot", "site", "cisco umbrella", "alexa top", "million", "ascii text", "pattern match", "file", "windows nt", "appdata", "indicator", "crlf line", "unicode text", "jpeg image", "mitre att", "hybrid", "general", "local", "error", "click", "strings", "microsoft", "threat analyzer", "urls https", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "heur", "malware site", "malicious site", "safe site", "malware", "html", "phishing site", "site top", "riskware", "unsafe", "artemis", "quasar rat", "downldr", "agent", "presenoker", "applicunwnt", "crack", "cve201711882", "win64", "iframe", "quasar", "trojanspy", "exit", "node tcp", "tor known", "tor relayrouter", "traffic", "anonymizer", "brasil", "phishing three", "united", "phishing bank", "virustotal", "tech", "bank", "maltiverse", "hidelink", "samples", "spyware", "injector", "mon jan", "tld count", "wed dec", "download", "first", "team", "simda", "bambernek", "simda simda", "infy", "alexa", "gregory", "cyber threat", "phishing", "engineering", "covid19", "telefonica co", "malicious", "zbot", "zeus", "betabot", "suppobox", "citadel", "pony", "kraken", "redline stealer", "ransomware", "vawtrak", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "plasma", "spyeye", "spitmo", "slingshot", "ramnit", "emotet", "pykspa", "virut", "installcore", "dorkbot", "bondat", "union", "vskimmer", "xtrat", "solar", "grandcrab", "nymaim", "matsnu", "cutwail", "cobalt strike", "hydra", "tinba", "nsis", "memscan", "deepscan", "runescape", "backdoor", "reddit", "tulach", "password stealer", "active threat", "apple", "pinkslipbot", "icloud", "free", "apple" ], "references": [ "https://seedbeej.pk/tin/index.php?QBOT.zip. [Qbot zip]", "https://tulach.cc/ [Botnet phishing]", "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293", "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community", "198.54.115.46 [exploit_source]", "gadyniw.com [command_and_control]", "gahyqah.com [command_and_control]", "galyqaz.com [command_and_control]", "lyvyxor.com [command_and_control]", "puzylyp.com [command_and_control]", "malicious.high.ml [dropper]", "https://www.reddit.com/user [honeypot]", "beacons.bcp.gvt.com [tracking]", "https://www.norad.mil/ [tracking]", "www.norad.mil [tracking]", "www.apple.com [API property call]", "https://www.apple.com/qtactivex/qtplugin.cab [https://www.icloud.com .cab]", "yesporn.fun", "http://114.114.114.114:90/p/cdbdd4a09a64909694281aec503746fd/mobile_index.html?MTE0LjExNC4xMTQuMTE0L2xvZ2luP2hhc19vcmlfdXJp [Tulach | Malicious]", "114.114.114.114 [Tulach | Virus Network IP]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Gregory", "display_name": "Gregory", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "vSkimmer", "display_name": "vSkimmer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Spitmo", "display_name": "Spitmo", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "DorkBot", "display_name": "DorkBot", "target": null }, { "id": "Slingshot", "display_name": "Slingshot", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Plasma RAT", "display_name": "Plasma RAT", "target": null }, { "id": "Neutrino", "display_name": "Neutrino", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "GrandCrab", "display_name": "GrandCrab", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Alinaos", "display_name": "Alinaos", "target": null }, { "id": "HawkEye", "display_name": "HawkEye", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Infy", "display_name": "Infy", "target": null }, { "id": "Dexter", "display_name": "Dexter", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "ASCII", "display_name": "ASCII", "target": null }, { "id": "Athena", "display_name": "Athena", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "COVID19", "display_name": "COVID19", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "Bondat", "display_name": "Bondat", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Hydra", "display_name": "Hydra", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Pinkslipbot", "display_name": "Pinkslipbot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 124, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8736, "FileHash-MD5": 953, "FileHash-SHA1": 489, "FileHash-SHA256": 3566, "domain": 1516, "hostname": 2221, "CVE": 6 }, "indicator_count": 17487, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6d7ac217661e4bc37f4d", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:22.356000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6d89b33758a190399f39", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:37.838000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 84, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6edffd3910161c2ad1a2", "name": "D26A | DNSpionage| Qbot | Tulach Malaware | https://theanimallawfirm.com/ | FakeAlert", "description": "", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:25:19.843000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": "655f6d89b33758a190399f39", "export_count": 86, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657081b63e54107a19bbe58c", "name": "www.scytl.com/en/\", ~ 09.16.2020", "description": "", "modified": "2023-12-06T14:14:14.965000", "created": "2023-12-06T14:14:14.965000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 754, "domain": 66, "hostname": 190, "URL": 574, "CIDR": 4, "FileHash-MD5": 9 }, "indicator_count": 1597, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708189dea82839ffe4be99", "name": "www.scytl.com:en:%22,.", "description": "", "modified": "2023-12-06T14:13:29.953000", "created": "2023-12-06T14:13:29.953000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 753, "domain": 66, "hostname": 190, "URL": 572, "CIDR": 4, "FileHash-MD5": 9 }, "indicator_count": 1594, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "622f4724c965841ea9d2e83e", "name": "www.scytl.com/en/\", ~ 09.16.2020", "description": "", "modified": "2022-04-13T00:01:48.292000", "created": "2022-03-14T13:46:12.626000", "tags": [], "references": [ "www.scytl.com:en:%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 190, "URL": 575, "domain": 66, "FileHash-SHA256": 754, "CIDR": 4, "FileHash-MD5": 9 }, "indicator_count": 1598, "is_author": false, "is_subscribing": null, "subscriber_count": 407, "modified_text": "1467 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "622cd4c75d6cbdce06473fd1", "name": "www.scytl.com:en:%22,.", "description": "", "modified": "2022-04-11T00:04:29.819000", "created": "2022-03-12T17:13:43.521000", "tags": [], "references": [ "www.scytl.com:en:%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 190, "URL": 573, "domain": 66, "FileHash-SHA256": 753, "CIDR": 4, "FileHash-MD5": 9 }, "indicator_count": 1595, "is_author": false, "is_subscribing": null, "subscriber_count": 408, "modified_text": "1469 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "622ce70ccdcd2c582be8b5ff", "name": "essvote.com 10.20.20", "description": "", "modified": "2022-04-11T00:04:29.819000", "created": "2022-03-12T18:31:40.309000", "tags": [], "references": [ "essvote.com 10.20.20.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 143, "URL": 388, "domain": 46, "FileHash-SHA256": 516, "FileHash-MD5": 64 }, "indicator_count": 1157, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1469 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "gahyqah.com [command_and_control]", "https://tulach.cc/ [phishing, exploits, malware spreader]", "http://114.114.114.114:90/p/cdbdd4a09a64909694281aec503746fd/mobile_index.html?MTE0LjExNC4xMTQuMTE0L2xvZ2luP2hhc19vcmlfdXJp [Tulach | Malicious]", "galyqaz.com [command_and_control]", "lyvyxor.com [command_and_control]", "https://seedbeej.pk/tin/index.php?QBOT.zip", "malicious.high.ml [dropper]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community", "gadyniw.com [command_and_control]", "www.scytl.com:en:%22,.pdf", "*otc.greatcall.com [Botnetwork]", "www.apple.com [API property call]", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "puzylyp.com [command_and_control]", "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293", "https://seedbeej.pk/tin/index.php?QBOT.zip. [Qbot zip]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [Botnet phishing]", "https://www.reddit.com/user [honeypot]", "www.norad.mil [tracking]", "114.114.114.114 [Tulach | Virus Network IP]", "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "essvote.com 10.20.20.pdf", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]", "198.54.115.46 [exploit_source]", "https://www.apple.com/qtactivex/qtplugin.cab [https://www.icloud.com .cab]", "https://tulach.cc/ [phishing]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "yesporn.fun", "https://www.norad.mil/ [tracking]", "https://www.reddit.com/user", "beacons.bcp.gvt.com [tracking]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Qbot" ], "malware_families": [ "Artemis", "Gregory", "Nsis", "Hawkeye", "Neutrino", "Redline stealer", "Andromeda", "Cutwail", "Ascii", "Vawtrak", "Tulach", "Covid19", "Quasar", "Grandcrab", "Bondat", "Zeus", "Dexter", "Virut", "Hydra", "Pony", "Matsnu", "Qakbot", "Trojanspy", "Dorkbot", "Roblox", "Athena", "Plasma rat", "Vskimmer", "Alinaos", "Zbot", "Installcore", "Bambernek", "Maltiverse", "Spyeye", "Slingshot", "Kraken", "Xrat", "Betabot", "Citadel", "Emotet", "Nymaim", "Tulach malware", "Solar", "Suppobox", "Ramnit", "Pinkslipbot", "Spitmo", "Infy", "Pykspa", "Hidelink", "Simda" ], "industries": [ "Government" ], "unique_indicators": 36195 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/github.io", "whois": "http://whois.domaintools.com/github.io", "domain": "github.io", "hostname": "daneden.github.io" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 11, "pulses": [ { "id": "6583e3a2d1432cbf9054d26d", "name": "Qkbot | Reddit", "description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip found in Reddit Honeypot link: https://www.reddit.com/user\nbackdoor second stage developed for distribution as a password stealer. Qbot, seemingly common; is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim always be in botnetwork. Qbot encompasses many other bot networks, trojans, network rats, spyware, malvertizing, fraud services, full control of badly compromised digital profiles which have been discovered.", "modified": "2024-01-20T02:02:19.559000", "created": "2023-12-21T07:05:06.936000", "tags": [ "ssl certificate", "iocs", "ioc search", "new ioc", "teams api", "contact", "search", "threat", "paste", "blacklist https", "qakbot", "site", "cisco umbrella", "alexa top", "million", "ascii text", "pattern match", "file", "windows nt", "appdata", "indicator", "crlf line", "unicode text", "jpeg image", "mitre att", "hybrid", "general", "local", "error", "click", "strings", "microsoft", "threat analyzer", "urls https", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "heur", "malware site", "malicious site", "safe site", "malware", "html", "phishing site", "site top", "riskware", "unsafe", "artemis", "quasar rat", "downldr", "agent", "presenoker", "applicunwnt", "crack", "cve201711882", "win64", "iframe", "quasar", "trojanspy", "exit", "node tcp", "tor known", "tor relayrouter", "traffic", "anonymizer", "brasil", "phishing three", "united", "phishing bank", "virustotal", "tech", "bank", "maltiverse", "hidelink", "samples", "spyware", "injector", "mon jan", "tld count", "wed dec", "download", "first", "team", "simda", "bambernek", "simda simda", "infy", "alexa", "gregory", "cyber threat", "phishing", "engineering", "covid19", "telefonica co", "malicious", "zbot", "zeus", "betabot", "suppobox", "citadel", "pony", "kraken", "redline stealer", "ransomware", "vawtrak", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "plasma", "spyeye", "spitmo", "slingshot", "ramnit", "emotet", "pykspa", "virut", "installcore", "dorkbot", "bondat", "union", "vskimmer", "xtrat", "solar", "grandcrab", "nymaim", "matsnu", "cutwail", "cobalt strike", "hydra", "tinba", "nsis", "memscan", "deepscan", "runescape", "backdoor", "reddit", "tulach" ], "references": [ "https://seedbeej.pk/tin/index.php?QBOT.zip", "https://tulach.cc/ [phishing, exploits, malware spreader]", "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293", "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community", "198.54.115.46 [exploit_source]", "gadyniw.com [command_and_control]", "gahyqah.com [command_and_control]", "galyqaz.com [command_and_control]", "lyvyxor.com [command_and_control]", "puzylyp.com [command_and_control]", "malicious.high.ml [dropper]", "https://www.reddit.com/user" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Gregory", "display_name": "Gregory", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "vSkimmer", "display_name": "vSkimmer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Spitmo", "display_name": "Spitmo", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "DorkBot", "display_name": "DorkBot", "target": null }, { "id": "Slingshot", "display_name": "Slingshot", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Plasma RAT", "display_name": "Plasma RAT", "target": null }, { "id": "Neutrino", "display_name": "Neutrino", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "GrandCrab", "display_name": "GrandCrab", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Alinaos", "display_name": "Alinaos", "target": null }, { "id": "HawkEye", "display_name": "HawkEye", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Infy", "display_name": "Infy", "target": null }, { "id": "Dexter", "display_name": "Dexter", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "ASCII", "display_name": "ASCII", "target": null }, { "id": "Athena", "display_name": "Athena", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "COVID19", "display_name": "COVID19", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "Bondat", "display_name": "Bondat", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Hydra", "display_name": "Hydra", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 98, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8343, "FileHash-MD5": 953, "FileHash-SHA1": 489, "FileHash-SHA256": 3565, "domain": 1494, "hostname": 2218, "CVE": 6 }, "indicator_count": 17068, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6583e3acc7f464d48a3503d1", "name": "Qkbot | Reddit", "description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip found in Reddit Honeypot link: https://www.reddit.com/user\nbackdoor second stage developed for distribution as a password stealer. Qbot, seemingly common; is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim always be in botnetwork. Qbot encompasses many other bot networks, trojans, network rats, spyware, malvertizing, fraud services, full control of badly compromised digital profiles which have been discovered.", "modified": "2024-01-20T02:02:19.559000", "created": "2023-12-21T07:05:16.695000", "tags": [ "ssl certificate", "iocs", "ioc search", "new ioc", "teams api", "contact", "search", "threat", "paste", "blacklist https", "qakbot", "site", "cisco umbrella", "alexa top", "million", "ascii text", "pattern match", "file", "windows nt", "appdata", "indicator", "crlf line", "unicode text", "jpeg image", "mitre att", "hybrid", "general", "local", "error", "click", "strings", "microsoft", "threat analyzer", "urls https", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "heur", "malware site", "malicious site", "safe site", "malware", "html", "phishing site", "site top", "riskware", "unsafe", "artemis", "quasar rat", "downldr", "agent", "presenoker", "applicunwnt", "crack", "cve201711882", "win64", "iframe", "quasar", "trojanspy", "exit", "node tcp", "tor known", "tor relayrouter", "traffic", "anonymizer", "brasil", "phishing three", "united", "phishing bank", "virustotal", "tech", "bank", "maltiverse", "hidelink", "samples", "spyware", "injector", "mon jan", "tld count", "wed dec", "download", "first", "team", "simda", "bambernek", "simda simda", "infy", "alexa", "gregory", "cyber threat", "phishing", "engineering", "covid19", "telefonica co", "malicious", "zbot", "zeus", "betabot", "suppobox", "citadel", "pony", "kraken", "redline stealer", "ransomware", "vawtrak", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "plasma", "spyeye", "spitmo", "slingshot", "ramnit", "emotet", "pykspa", "virut", "installcore", "dorkbot", "bondat", "union", "vskimmer", "xtrat", "solar", "grandcrab", "nymaim", "matsnu", "cutwail", "cobalt strike", "hydra", "tinba", "nsis", "memscan", "deepscan", "runescape", "backdoor", "reddit", "tulach" ], "references": [ "https://seedbeej.pk/tin/index.php?QBOT.zip", "https://tulach.cc/ [phishing, exploits, malware spreader]", "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293", "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community", "198.54.115.46 [exploit_source]", "gadyniw.com [command_and_control]", "gahyqah.com [command_and_control]", "galyqaz.com [command_and_control]", "lyvyxor.com [command_and_control]", "puzylyp.com [command_and_control]", "malicious.high.ml [dropper]", "https://www.reddit.com/user" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Gregory", "display_name": "Gregory", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "vSkimmer", "display_name": "vSkimmer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Spitmo", "display_name": "Spitmo", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "DorkBot", "display_name": "DorkBot", "target": null }, { "id": "Slingshot", "display_name": "Slingshot", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Plasma RAT", "display_name": "Plasma RAT", "target": null }, { "id": "Neutrino", "display_name": "Neutrino", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "GrandCrab", "display_name": "GrandCrab", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Alinaos", "display_name": "Alinaos", "target": null }, { "id": "HawkEye", "display_name": "HawkEye", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Infy", "display_name": "Infy", "target": null }, { "id": "Dexter", "display_name": "Dexter", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "ASCII", "display_name": "ASCII", "target": null }, { "id": "Athena", "display_name": "Athena", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "COVID19", "display_name": "COVID19", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "Bondat", "display_name": "Bondat", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Hydra", "display_name": "Hydra", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 101, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8343, "FileHash-MD5": 953, "FileHash-SHA1": 489, "FileHash-SHA256": 3565, "domain": 1494, "hostname": 2218, "CVE": 6 }, "indicator_count": 17068, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658449d3f6ec1af2f3aace46", "name": "Qakbot | Reddit", "description": "Qbot URL: https://seedbeej.pk/tin/index.php?QBOT.zip Qbot zip found in Reddit Honeypot link: https://www.reddit.com/user backdoor second stage developed for distribution as a password stealer. Qbot, seemingly common; is a large botnetwork with many capabilities, attack methods and demands. An unsuspecting victim always be in botnetwork. Qbot encompasses many other bot networks, trojans, network rats, spyware malvertizing, fraud services, leads to full control of badly compromised digital profile.", "modified": "2024-01-20T02:02:19.559000", "created": "2023-12-21T14:21:07.435000", "tags": [ "ssl certificate", "iocs", "ioc search", "new ioc", "teams api", "contact", "search", "threat", "paste", "blacklist https", "qakbot", "site", "cisco umbrella", "alexa top", "million", "ascii text", "pattern match", "file", "windows nt", "appdata", "indicator", "crlf line", "unicode text", "jpeg image", "mitre att", "hybrid", "general", "local", "error", "click", "strings", "microsoft", "threat analyzer", "urls https", "no data", "tag count", "threat report", "ip summary", "url summary", "summary", "heur", "malware site", "malicious site", "safe site", "malware", "html", "phishing site", "site top", "riskware", "unsafe", "artemis", "quasar rat", "downldr", "agent", "presenoker", "applicunwnt", "crack", "cve201711882", "win64", "iframe", "quasar", "trojanspy", "exit", "node tcp", "tor known", "tor relayrouter", "traffic", "anonymizer", "brasil", "phishing three", "united", "phishing bank", "virustotal", "tech", "bank", "maltiverse", "hidelink", "samples", "spyware", "injector", "mon jan", "tld count", "wed dec", "download", "first", "team", "simda", "bambernek", "simda simda", "infy", "alexa", "gregory", "cyber threat", "phishing", "engineering", "covid19", "telefonica co", "malicious", "zbot", "zeus", "betabot", "suppobox", "citadel", "pony", "kraken", "redline stealer", "ransomware", "vawtrak", "athena", "neutrino", "alina", "andromeda", "dexter", "unknown", "keylogger", "hawkeye", "phase", "jackpos", "plasma", "spyeye", "spitmo", "slingshot", "ramnit", "emotet", "pykspa", "virut", "installcore", "dorkbot", "bondat", "union", "vskimmer", "xtrat", "solar", "grandcrab", "nymaim", "matsnu", "cutwail", "cobalt strike", "hydra", "tinba", "nsis", "memscan", "deepscan", "runescape", "backdoor", "reddit", "tulach", "password stealer", "active threat", "apple", "pinkslipbot", "icloud", "free", "apple" ], "references": [ "https://seedbeej.pk/tin/index.php?QBOT.zip. [Qbot zip]", "https://tulach.cc/ [Botnet phishing]", "https://www.hybrid-analysis.com/sample/a8decf589e5ec26f1e994a3923fc245db98f681f951d2bb8e1fcce1d8fef5293", "https://www.virustotal.com/gui/url/000c01d40db51f156933c624f23e776cb2c1fd60b8f1840b13b9622886a8e918/community", "198.54.115.46 [exploit_source]", "gadyniw.com [command_and_control]", "gahyqah.com [command_and_control]", "galyqaz.com [command_and_control]", "lyvyxor.com [command_and_control]", "puzylyp.com [command_and_control]", "malicious.high.ml [dropper]", "https://www.reddit.com/user [honeypot]", "beacons.bcp.gvt.com [tracking]", "https://www.norad.mil/ [tracking]", "www.norad.mil [tracking]", "www.apple.com [API property call]", "https://www.apple.com/qtactivex/qtplugin.cab [https://www.icloud.com .cab]", "yesporn.fun", "http://114.114.114.114:90/p/cdbdd4a09a64909694281aec503746fd/mobile_index.html?MTE0LjExNC4xMTQuMTE0L2xvZ2luP2hhc19vcmlfdXJp [Tulach | Malicious]", "114.114.114.114 [Tulach | Virus Network IP]" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Qakbot", "display_name": "Qakbot", "target": null }, { "id": "Quasar", "display_name": "Quasar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Gregory", "display_name": "Gregory", "target": null }, { "id": "Cutwail", "display_name": "Cutwail", "target": null }, { "id": "Matsnu", "display_name": "Matsnu", "target": null }, { "id": "Vawtrak", "display_name": "Vawtrak", "target": null }, { "id": "XRat", "display_name": "XRat", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "Virut", "display_name": "Virut", "target": null }, { "id": "ZeuS", "display_name": "ZeuS", "target": null }, { "id": "vSkimmer", "display_name": "vSkimmer", "target": null }, { "id": "SuppoBox", "display_name": "SuppoBox", "target": null }, { "id": "Simda", "display_name": "Simda", "target": null }, { "id": "Pykspa", "display_name": "Pykspa", "target": null }, { "id": "SpyEye", "display_name": "SpyEye", "target": null }, { "id": "Spitmo", "display_name": "Spitmo", "target": null }, { "id": "Solar", "display_name": "Solar", "target": null }, { "id": "Nymaim", "display_name": "Nymaim", "target": null }, { "id": "DorkBot", "display_name": "DorkBot", "target": null }, { "id": "Slingshot", "display_name": "Slingshot", "target": null }, { "id": "Pony", "display_name": "Pony", "target": null }, { "id": "Plasma RAT", "display_name": "Plasma RAT", "target": null }, { "id": "Neutrino", "display_name": "Neutrino", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "NSIS", "display_name": "NSIS", "target": null }, { "id": "RedLine Stealer", "display_name": "RedLine Stealer", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null }, { "id": "GrandCrab", "display_name": "GrandCrab", "target": null }, { "id": "Andromeda", "display_name": "Andromeda", "target": null }, { "id": "Alinaos", "display_name": "Alinaos", "target": null }, { "id": "HawkEye", "display_name": "HawkEye", "target": null }, { "id": "Kraken", "display_name": "Kraken", "target": null }, { "id": "Infy", "display_name": "Infy", "target": null }, { "id": "Dexter", "display_name": "Dexter", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Artemis", "display_name": "Artemis", "target": null }, { "id": "ASCII", "display_name": "ASCII", "target": null }, { "id": "Athena", "display_name": "Athena", "target": null }, { "id": "Bambernek", "display_name": "Bambernek", "target": null }, { "id": "BetaBot", "display_name": "BetaBot", "target": null }, { "id": "COVID19", "display_name": "COVID19", "target": null }, { "id": "Citadel", "display_name": "Citadel", "target": null }, { "id": "Bondat", "display_name": "Bondat", "target": null }, { "id": "HideLink", "display_name": "HideLink", "target": null }, { "id": "Hydra", "display_name": "Hydra", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null }, { "id": "Pinkslipbot", "display_name": "Pinkslipbot", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 124, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8736, "FileHash-MD5": 953, "FileHash-SHA1": 489, "FileHash-SHA256": 3566, "domain": 1516, "hostname": 2221, "CVE": 6 }, "indicator_count": 17487, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "820 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6d7ac217661e4bc37f4d", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:22.356000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 82, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6d89b33758a190399f39", "name": "Qbot | Miscellaneous Attacks", "description": "The following is a full list of links between malware and cyber-attackers, following a series of alerts from Phishtank, the UK-based cyber security firm, and the US government.", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:19:37.838000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 84, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655f6edffd3910161c2ad1a2", "name": "D26A | DNSpionage| Qbot | Tulach Malaware | https://theanimallawfirm.com/ | FakeAlert", "description": "", "modified": "2023-12-23T07:03:55.171000", "created": "2023-11-23T15:25:19.843000", "tags": [ "pattern match", "ascii text", "file", "jpeg image", "exif standard", "tiff image", "png image", "united", "baseline", "rgba", "date", "class", "unknown", "hybrid", "accept", "local", "click", "strings", "generator", "critical", "error", "firehol", "detection list", "ip address", "blacklist", "botnet command", "control server", "noname057", "facebook", "phishtank", "blacklist http", "organization", "ssl certificate", "whois record", "contacted", "historical ssl", "n64xtx0vpihxzc", "whois whois", "qpyrn6pd http", "referrer", "execution", "communicating", "core", "discord", "hiddentear", "metro", "probe", "ransomexx", "quasar", "asyncrat", "bleachgap", "formbook", "nanocore", "roblox", "heur", "cyber threat", "engineering", "malware", "phishing", "malicious site", "phishing site", "covid19", "team", "bank", "cobalt strike", "artemis", "download", "zbot", "suppobox", "service", "downloader", "virut", "malicious", "emotet", "stealer", "exploit", "generic", "dropper", "unruy", "agent", "unsafe", "ramnit", "redline stealer", "smsspy", "bradesco", "fakealert", "qakbot", "outbreak", "qbot", "bankerx", "riskware", "nimda", "swrort", "adwind", "trojanx", "crack", "win64", "squirrelwaffle", "pony", "binder", "virustotal", "azorult", "zeus", "nymaim", "matsnu", "simda", "runescape", "cutwail", "dnspionage", "redirector", "fusioncore", "iframe", "killav", "raccoon", "daum", "installcore", "ransomware", "cisco umbrella", "site", "safe site", "alexa top", "million", "presenoker", "downldr", "alexa", "applicunwnt", "opencandy", "cleaner", "wacatac", "xrat", "xtrat", "dbatloader", "infy", "psexec", "occamy", "brontok", "zpevdo", "startpage", "keygen", "fareit", "secrisk", "phish", "deepscan", "trojanspy", "maltiverse", "qpyrn6pd", "spyware", "injector", "jul jan", "tag count", "tue jan", "threat report", "ip summary", "url summary", "summary", "sample" ], "references": [ "https://www.hybrid-analysis.com/sample/d4e0619008da0bf555fd1d9af2797eaed02c89512239cbdaf64c08e795bb9658", "http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16132c66b562a3---dewubomojagorekijufuruni [ Malicious Plugins]", "*otc.greatcall.com [Botnetwork]", "https://www.norad.mil/ [ Modified by others| Parking Crew - is a Tracker]", "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [ Malware Server | iTunes path hacktool]", "tulach.cc. [Malevolent | Modified description]", "https://tulach.cc/ [phishing]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ [ ELF - Descriptions modified by others]", "https://www.pornhub.com/video/search?search=tsara+brashears [NORAD.mil phone tracking. Description modified]", "s3.amazonaws.com [Virut Tsara Brashears Botnetwork | Modified description]" ], "public": 1, "adversary": "Qbot", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Roblox", "display_name": "Roblox", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null } ], "attack_ids": [ { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1100", "name": "Web Shell", "display_name": "T1100 - Web Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": "655f6d89b33758a190399f39", "export_count": 86, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 897, "FileHash-SHA1": 479, "URL": 9847, "domain": 2344, "hostname": 2398, "CVE": 22, "FileHash-SHA256": 4712 }, "indicator_count": 20699, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "848 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657081b63e54107a19bbe58c", "name": "www.scytl.com/en/\", ~ 09.16.2020", "description": "", "modified": "2023-12-06T14:14:14.965000", "created": "2023-12-06T14:14:14.965000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 754, "domain": 66, "hostname": 190, "URL": 574, "CIDR": 4, "FileHash-MD5": 9 }, "indicator_count": 1597, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708189dea82839ffe4be99", "name": "www.scytl.com:en:%22,.", "description": "", "modified": "2023-12-06T14:13:29.953000", "created": "2023-12-06T14:13:29.953000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 753, "domain": 66, "hostname": 190, "URL": 572, "CIDR": 4, "FileHash-MD5": 9 }, "indicator_count": 1594, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "622f4724c965841ea9d2e83e", "name": "www.scytl.com/en/\", ~ 09.16.2020", "description": "", "modified": "2022-04-13T00:01:48.292000", "created": "2022-03-14T13:46:12.626000", "tags": [], "references": [ "www.scytl.com:en:%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 190, "URL": 575, "domain": 66, "FileHash-SHA256": 754, "CIDR": 4, "FileHash-MD5": 9 }, "indicator_count": 1598, "is_author": false, "is_subscribing": null, "subscriber_count": 407, "modified_text": "1467 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "622cd4c75d6cbdce06473fd1", "name": "www.scytl.com:en:%22,.", "description": "", "modified": "2022-04-11T00:04:29.819000", "created": "2022-03-12T17:13:43.521000", "tags": [], "references": [ "www.scytl.com:en:%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 190, "URL": 573, "domain": 66, "FileHash-SHA256": 753, "CIDR": 4, "FileHash-MD5": 9 }, "indicator_count": 1595, "is_author": false, "is_subscribing": null, "subscriber_count": 408, "modified_text": "1469 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://daneden.github.io/animate.css/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://daneden.github.io/animate.css/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776631691.2625833 }