{ "type": "URL", "indicator": "https://fonts.google.com/license/googlerestricted@font-face", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://fonts.google.com/license/googlerestricted@font-face", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #1", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #3", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain google.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain google.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3770767341, "indicator": "https://fonts.google.com/license/googlerestricted@font-face", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 21, "pulses": [ { "id": "6a1eb8b10286d8a660208d22", "name": "credit scoreblue title [ Oxypumper : Mustang Panda | Suspicious..\"] user note: There are too many similarities by ten+ researchers on here. united.", "description": "", "modified": "2026-06-02T12:38:38.917000", "created": "2026-06-02T11:04:17.633000", "tags": [ "historical ssl", "referrer", "june", "october", "july", "hacker", "pe resource", "mustang panda", "plugx", "cryptbot", "threat roundup", "december", "process32nextw", "regsetvalueexa", "x00x00", "regdword", "memcommit", "high", "regbinary", "okrnserver", "regsetvalueexw", "download", "copy", "as15169 google", "united", "aaaa", "unknown", "gmt path", "passive dns", "search", "cname", "showing", "cookie", "ascii text", "pattern match", "error", "null", "typeerror", "sha1", "mitre att", "et tor", "known tor", "date", "infinity", "onload", "trident", "android", "void", "hybrid", "local", "encrypt", "click", "strings", "generator", "third-party-cookies", "text/html", "trackers", "external-resources", "iframes", "entries", "status", "name servers", "urls", "next", "nxdomain", "susp", "a nxdomain", "domain", "win32", "as62597", "france unknown", "for privacy", "moved", "a domains", "meta", "gmt cache", "trojan", "creation date", "record value", "script urls", "as55293 a2", "as44273 host", "canada unknown", "scan endpoints", "all scoreblue", "pulse pulses", "files", "ip address", "location canada", "443 ma2592000", "code", "trojanspy", "type", "ipv4", "twitter", "trojandropper", "find", "form", "less see", "formbook cnc", "checkin", "a li", "li ul", "cycbot", "emails", "as20940", "as54113", "asnone denmark", "worm", "asnone", "as4230 claro", "refloadapihash", "salicode", "div div", "wi fi", "orion wi", "orion", "a div", "div section", "orion logo", "target", "fast", "contact", "open", "virtool", "content type", "found", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "ubuntu", "accept", "keepalive", "site", "find people", "numbers", "sptox", "utc google", "html info", "title spytox", "emails meta", "tags viewport", "spytox og", "type win32", "exe size", "mb first", "seen", "file name", "avg win32", "fortinet", "double click", "solutions", "domains", "sneaky server", "replacement", "unauthorized", "malware http", "core", "sim unlock", "emotet", "ta569", "critical", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 protector", "confuser", "confuserex", "checker", "samplename", "bonusbitcoin", "xslayer", "samplepath", "names", "details", "header intel", "name md5", "language", "contained", "rticon neutral", "ico rtgroupicon", "neutral", "assembly common", "clr version", "assembly name", "metadata header", "entry point", "rva entry", "strong name", "streams size", "entropy chi2", "ip detections", "country", "executable", "info header", "allmul vbaget4", "adjfprem ord", "data rtversion", "generic", "file type", "win32 exe", "kb file", "graph", "user", "windir", "downloads", "written c", "files deleted", "dropped c", "process", "logistics", "cyber defense", "brazzers", "tsara brashears", "gpt analyzer", "apple private", "data collection", "twitter andor", "snatch", "ransomware", "default", "rticon english", "type name", "data", "getfilesize", "getdc copyimage", "rticon russian", "pe32 executable", "borland delphi", "delphi generic", "dos borland", "hkcuclsid", "registry keys", "hkcrclsid", "file system", "settings c", "files c", "shared c", "sharedink c", "hostname", "as29791", "as8426 claranet", "malware", "network", "apple ios", "apple", "tmobile metro", "apeaksoft ios", "spybanker", "remcos", "adwind", "njrat", "guloader", "banload", "asyncrat", "arkeistealer", "danabot", "nordvpnsetup", "kb graph", "summary", "sharedinkarsa c", "sharedinkbgbg c", "sharedinkcscz c", "sharedinkdadk c", "gmt etag", "x amz", "body", "body html", "bq jul", "et trojan", "v4inhxvlhx0", "medium", "memreserve", "checks amount", "t1082", "module load", "e weowe64e", "edelepexe", "e rev", "weinedoewse net", "ransom", "show", "filehash", "related", "reverse dns", "haut", "servers", "pulse submit", "as3215 orange", "france", "backdoor", "paris", "honeypot", "python", "callback phishing", "teams", "porn related", "harassment" ], "references": [ "https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?", "Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread", "Antivirus Detections: Win.Malware.Oxypumper-6900445-0", "IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile", "IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)", "IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7", "Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1", "Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ", "google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/", "https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622", "Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")", "scanning_hosts: 138.197.217.6, IPv4 142.251.18.103, IPv4 142.251.31.99", "Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9", "Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx", "Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp", "iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com", "iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com", "iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com", "iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com", "iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E", "Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/", "DotNET_Crypto_Obfuscator", "Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 , PWS:Win32/QQpass.B!MTB ,", "Antivirus Detections: Trojan:Win32/Bulta!rfn , TrojanDownloader:Win32/Cutwail , TrojanDropper:Win32/Loring , TrojanSpy:Win32/Nivdort.CB ,", "Antivirus Detections: TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA , TrojanSpy:Win32/Nivdort.DB ... , TrojanSpy:Win32/Nivdort.CB , TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA", "IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,", "IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...", "https://otx.alienvault.com/indicator/ip/216.40.34.41", "Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97", "ns2.tsaratsovo.net", "FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955", "FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79", "FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848", "DotNET_Crypto_Obfuscator", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj]", "IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 , DotNET_DotFuscator", "Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx", "Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger", "https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj] , Win.Ransomware.Gandcrab-9967304-0 , Ransom:Win32/GandCrab.AE", "Yara Detections ReflectiveLoader , Win32_Ransomware_GandCrab , stack_string", "Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc", "Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9", "Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5", "1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com", "mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "https://www.YouTube.com/polebote" ], "public": 1, "adversary": "Mustang Panda", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Oxypumper-6900445-0", "display_name": "Win.Malware.Oxypumper-6900445-0", "target": null }, { "id": "Backdoor:Win32/Plugx", "display_name": "Backdoor:Win32/Plugx", "target": "/malware/Backdoor:Win32/Plugx" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDropper:Win32/Tofsee", "display_name": "TrojanDropper:Win32/Tofsee", "target": "/malware/TrojanDropper:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": "6692440efac39f5213329f13", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 568, "FileHash-SHA1": 537, "FileHash-SHA256": 4887, "URL": 4776, "domain": 2347, "hostname": 1885, "SSLCertFingerprint": 15, "email": 16, "CVE": 1 }, "indicator_count": 15032, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1eb89e870b00e5430358ca", "name": "credit scoreblue title [ Oxypumper : Mustang Panda | Suspicious..\"] user note: There are too many similarities by ten+ researchers on here. united.", "description": "", "modified": "2026-06-02T11:31:42.087000", "created": "2026-06-02T11:03:58.997000", "tags": [ "historical ssl", "referrer", "june", "october", "july", "hacker", "pe resource", "mustang panda", "plugx", "cryptbot", "threat roundup", "december", "process32nextw", "regsetvalueexa", "x00x00", "regdword", "memcommit", "high", "regbinary", "okrnserver", "regsetvalueexw", "download", "copy", "as15169 google", "united", "aaaa", "unknown", "gmt path", "passive dns", "search", "cname", "showing", "cookie", "ascii text", "pattern match", "error", "null", "typeerror", "sha1", "mitre att", "et tor", "known tor", "date", "infinity", "onload", "trident", "android", "void", "hybrid", "local", "encrypt", "click", "strings", "generator", "third-party-cookies", "text/html", "trackers", "external-resources", "iframes", "entries", "status", "name servers", "urls", "next", "nxdomain", "susp", "a nxdomain", "domain", "win32", "as62597", "france unknown", "for privacy", "moved", "a domains", "meta", "gmt cache", "trojan", "creation date", "record value", "script urls", "as55293 a2", "as44273 host", "canada unknown", "scan endpoints", "all scoreblue", "pulse pulses", "files", "ip address", "location canada", "443 ma2592000", "code", "trojanspy", "type", "ipv4", "twitter", "trojandropper", "find", "form", "less see", "formbook cnc", "checkin", "a li", "li ul", "cycbot", "emails", "as20940", "as54113", "asnone denmark", "worm", "asnone", "as4230 claro", "refloadapihash", "salicode", "div div", "wi fi", "orion wi", "orion", "a div", "div section", "orion logo", "target", "fast", "contact", "open", "virtool", "content type", "found", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "ubuntu", "accept", "keepalive", "site", "find people", "numbers", "sptox", "utc google", "html info", "title spytox", "emails meta", "tags viewport", "spytox og", "type win32", "exe size", "mb first", "seen", "file name", "avg win32", "fortinet", "double click", "solutions", "domains", "sneaky server", "replacement", "unauthorized", "malware http", "core", "sim unlock", "emotet", "ta569", "critical", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 protector", "confuser", "confuserex", "checker", "samplename", "bonusbitcoin", "xslayer", "samplepath", "names", "details", "header intel", "name md5", "language", "contained", "rticon neutral", "ico rtgroupicon", "neutral", "assembly common", "clr version", "assembly name", "metadata header", "entry point", "rva entry", "strong name", "streams size", "entropy chi2", "ip detections", "country", "executable", "info header", "allmul vbaget4", "adjfprem ord", "data rtversion", "generic", "file type", "win32 exe", "kb file", "graph", "user", "windir", "downloads", "written c", "files deleted", "dropped c", "process", "logistics", "cyber defense", "brazzers", "tsara brashears", "gpt analyzer", "apple private", "data collection", "twitter andor", "snatch", "ransomware", "default", "rticon english", "type name", "data", "getfilesize", "getdc copyimage", "rticon russian", "pe32 executable", "borland delphi", "delphi generic", "dos borland", "hkcuclsid", "registry keys", "hkcrclsid", "file system", "settings c", "files c", "shared c", "sharedink c", "hostname", "as29791", "as8426 claranet", "malware", "network", "apple ios", "apple", "tmobile metro", "apeaksoft ios", "spybanker", "remcos", "adwind", "njrat", "guloader", "banload", "asyncrat", "arkeistealer", "danabot", "nordvpnsetup", "kb graph", "summary", "sharedinkarsa c", "sharedinkbgbg c", "sharedinkcscz c", "sharedinkdadk c", "gmt etag", "x amz", "body", "body html", "bq jul", "et trojan", "v4inhxvlhx0", "medium", "memreserve", "checks amount", "t1082", "module load", "e weowe64e", "edelepexe", "e rev", "weinedoewse net", "ransom", "show", "filehash", "related", "reverse dns", "haut", "servers", "pulse submit", "as3215 orange", "france", "backdoor", "paris", "honeypot", "python", "callback phishing", "teams", "porn related", "harassment" ], "references": [ "https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?", "Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread", "Antivirus Detections: Win.Malware.Oxypumper-6900445-0", "IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile", "IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)", "IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7", "Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1", "Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ", "google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/", "https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622", "Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")", "scanning_hosts: 138.197.217.6, IPv4 142.251.18.103, IPv4 142.251.31.99", "Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9", "Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx", "Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp", "iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com", "iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com", "iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com", "iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com", "iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E", "Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/", "DotNET_Crypto_Obfuscator", "Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 , PWS:Win32/QQpass.B!MTB ,", "Antivirus Detections: Trojan:Win32/Bulta!rfn , TrojanDownloader:Win32/Cutwail , TrojanDropper:Win32/Loring , TrojanSpy:Win32/Nivdort.CB ,", "Antivirus Detections: TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA , TrojanSpy:Win32/Nivdort.DB ... , TrojanSpy:Win32/Nivdort.CB , TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA", "IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,", "IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...", "https://otx.alienvault.com/indicator/ip/216.40.34.41", "Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97", "ns2.tsaratsovo.net", "FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955", "FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79", "FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848", "DotNET_Crypto_Obfuscator", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj]", "IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 , DotNET_DotFuscator", "Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx", "Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger", "https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj] , Win.Ransomware.Gandcrab-9967304-0 , Ransom:Win32/GandCrab.AE", "Yara Detections ReflectiveLoader , Win32_Ransomware_GandCrab , stack_string", "Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc", "Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9", "Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5", "1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com", "mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "https://www.YouTube.com/polebote" ], "public": 1, "adversary": "Mustang Panda", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Oxypumper-6900445-0", "display_name": "Win.Malware.Oxypumper-6900445-0", "target": null }, { "id": "Backdoor:Win32/Plugx", "display_name": "Backdoor:Win32/Plugx", "target": "/malware/Backdoor:Win32/Plugx" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDropper:Win32/Tofsee", "display_name": "TrojanDropper:Win32/Tofsee", "target": "/malware/TrojanDropper:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": "6692440efac39f5213329f13", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 568, "FileHash-SHA1": 537, "FileHash-SHA256": 4887, "URL": 4775, "domain": 2346, "hostname": 1884, "SSLCertFingerprint": 15, "email": 16, "CVE": 1 }, "indicator_count": 15029, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1eb89f53c0a70219dddefb", "name": "credit scoreblue title [ Oxypumper : Mustang Panda | Suspicious..\"] user note: There are too many similarities by ten+ researchers on here. united.", "description": "", "modified": "2026-06-02T11:31:40.987000", "created": "2026-06-02T11:03:59.936000", "tags": [ "historical ssl", "referrer", "june", "october", "july", "hacker", "pe resource", "mustang panda", "plugx", "cryptbot", "threat roundup", "december", "process32nextw", "regsetvalueexa", "x00x00", "regdword", "memcommit", "high", "regbinary", "okrnserver", "regsetvalueexw", "download", "copy", "as15169 google", "united", "aaaa", "unknown", "gmt path", "passive dns", "search", "cname", "showing", "cookie", "ascii text", "pattern match", "error", "null", "typeerror", "sha1", "mitre att", "et tor", "known tor", "date", "infinity", "onload", "trident", "android", "void", "hybrid", "local", "encrypt", "click", "strings", "generator", "third-party-cookies", "text/html", "trackers", "external-resources", "iframes", "entries", "status", "name servers", "urls", "next", "nxdomain", "susp", "a nxdomain", "domain", "win32", "as62597", "france unknown", "for privacy", "moved", "a domains", "meta", "gmt cache", "trojan", "creation date", "record value", "script urls", "as55293 a2", "as44273 host", "canada unknown", "scan endpoints", "all scoreblue", "pulse pulses", "files", "ip address", "location canada", "443 ma2592000", "code", "trojanspy", "type", "ipv4", "twitter", "trojandropper", "find", "form", "less see", "formbook cnc", "checkin", "a li", "li ul", "cycbot", "emails", "as20940", "as54113", "asnone denmark", "worm", "asnone", "as4230 claro", "refloadapihash", "salicode", "div div", "wi fi", "orion wi", "orion", "a div", "div section", "orion logo", "target", "fast", "contact", "open", "virtool", "content type", "found", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "ubuntu", "accept", "keepalive", "site", "find people", "numbers", "sptox", "utc google", "html info", "title spytox", "emails meta", "tags viewport", "spytox og", "type win32", "exe size", "mb first", "seen", "file name", "avg win32", "fortinet", "double click", "solutions", "domains", "sneaky server", "replacement", "unauthorized", "malware http", "core", "sim unlock", "emotet", "ta569", "critical", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 protector", "confuser", "confuserex", "checker", "samplename", "bonusbitcoin", "xslayer", "samplepath", "names", "details", "header intel", "name md5", "language", "contained", "rticon neutral", "ico rtgroupicon", "neutral", "assembly common", "clr version", "assembly name", "metadata header", "entry point", "rva entry", "strong name", "streams size", "entropy chi2", "ip detections", "country", "executable", "info header", "allmul vbaget4", "adjfprem ord", "data rtversion", "generic", "file type", "win32 exe", "kb file", "graph", "user", "windir", "downloads", "written c", "files deleted", "dropped c", "process", "logistics", "cyber defense", "brazzers", "tsara brashears", "gpt analyzer", "apple private", "data collection", "twitter andor", "snatch", "ransomware", "default", "rticon english", "type name", "data", "getfilesize", "getdc copyimage", "rticon russian", "pe32 executable", "borland delphi", "delphi generic", "dos borland", "hkcuclsid", "registry keys", "hkcrclsid", "file system", "settings c", "files c", "shared c", "sharedink c", "hostname", "as29791", "as8426 claranet", "malware", "network", "apple ios", "apple", "tmobile metro", "apeaksoft ios", "spybanker", "remcos", "adwind", "njrat", "guloader", "banload", "asyncrat", "arkeistealer", "danabot", "nordvpnsetup", "kb graph", "summary", "sharedinkarsa c", "sharedinkbgbg c", "sharedinkcscz c", "sharedinkdadk c", "gmt etag", "x amz", "body", "body html", "bq jul", "et trojan", "v4inhxvlhx0", "medium", "memreserve", "checks amount", "t1082", "module load", "e weowe64e", "edelepexe", "e rev", "weinedoewse net", "ransom", "show", "filehash", "related", "reverse dns", "haut", "servers", "pulse submit", "as3215 orange", "france", "backdoor", "paris", "honeypot", "python", "callback phishing", "teams", "porn related", "harassment" ], "references": [ "https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?", "Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread", "Antivirus Detections: Win.Malware.Oxypumper-6900445-0", "IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile", "IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)", "IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7", "Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1", "Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ", "google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/", "https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622", "Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")", "scanning_hosts: 138.197.217.6, IPv4 142.251.18.103, IPv4 142.251.31.99", "Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9", "Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx", "Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp", "iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com", "iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com", "iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com", "iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com", "iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E", "Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/", "DotNET_Crypto_Obfuscator", "Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 , PWS:Win32/QQpass.B!MTB ,", "Antivirus Detections: Trojan:Win32/Bulta!rfn , TrojanDownloader:Win32/Cutwail , TrojanDropper:Win32/Loring , TrojanSpy:Win32/Nivdort.CB ,", "Antivirus Detections: TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA , TrojanSpy:Win32/Nivdort.DB ... , TrojanSpy:Win32/Nivdort.CB , TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA", "IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,", "IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...", "https://otx.alienvault.com/indicator/ip/216.40.34.41", "Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97", "ns2.tsaratsovo.net", "FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955", "FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79", "FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848", "DotNET_Crypto_Obfuscator", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj]", "IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 , DotNET_DotFuscator", "Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx", "Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger", "https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj] , Win.Ransomware.Gandcrab-9967304-0 , Ransom:Win32/GandCrab.AE", "Yara Detections ReflectiveLoader , Win32_Ransomware_GandCrab , stack_string", "Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc", "Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9", "Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5", "1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com", "mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "https://www.YouTube.com/polebote" ], "public": 1, "adversary": "Mustang Panda", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Oxypumper-6900445-0", "display_name": "Win.Malware.Oxypumper-6900445-0", "target": null }, { "id": "Backdoor:Win32/Plugx", "display_name": "Backdoor:Win32/Plugx", "target": "/malware/Backdoor:Win32/Plugx" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDropper:Win32/Tofsee", "display_name": "TrojanDropper:Win32/Tofsee", "target": "/malware/TrojanDropper:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": "6692440efac39f5213329f13", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 568, "FileHash-SHA1": 537, "FileHash-SHA256": 4887, "URL": 4778, "domain": 2347, "hostname": 1888, "SSLCertFingerprint": 15, "email": 16, "CVE": 1, "IPv4": 1 }, "indicator_count": 15038, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68930449988277cd29c25cb7", "name": "https://firebase.google.com/ - Ransom \u2022 Wiper\u2022 Trojan dropper", "description": "", "modified": "2025-09-05T07:00:00.711000", "created": "2025-08-06T07:29:13.136000", "tags": [ "url https", "iocs", "learn more", "ipv4", "domain", "hostname", "types of", "sweden", "united", "belgium", "indicator role", "title added", "active related", "pulses hostname", "showing", "document file", "v2 document", "search", "medium", "ms windows", "vista event", "port", "msie", "windows nt", "wow64", "dirty", "write", "powershell", "copy", "next", "defender", "dynamicloader", "high", "fwlink", "windows", "cmd c", "alerts", "bios", "related pulses", "pulses", "related tags", "file type", "ascii text", "sha256", "external", "virustotal api", "screenshots", "june", "flag", "usa windows", "input threat", "level analysis", "summary", "gbrflag", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "ssl certificate", "defense evasion", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "mitre att", "date", "path", "format", "august", "hybrid", "local", "form", "click", "strings", "ubar", "truetype", "web open", "font format", "description web", "general", "iframe", "slcc2", "media center", "destination", "tlsv1", "unknown", "execution", "dock", "persistence", "malware", "encrypt", "ck techniques", "read c", "show", "entries", "delete", "data upload", "extraction", "onlv", "find", "type", "no matching", "indicator", "mtb may", "trojandropper", "passive dns", "next associated", "lowfi", "gmt cache", "sameorigin", "ipv4 add", "trojan", "mtb apr", "files show", "date hash", "avast avg", "shellterlod may", "win32qqpass apr", "trojanspy", "ransom", "wiper", "date checked", "url hostname", "server response", "ip address", "google safe", "results aug", "urls show", "hookwowlow may" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": "6893032410060f658d862c60", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4593, "hostname": 1754, "domain": 399, "FileHash-SHA256": 2128, "FileHash-MD5": 426, "FileHash-SHA1": 299, "SSLCertFingerprint": 17 }, "indicator_count": 9616, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "271 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6893032410060f658d862c60", "name": "Hosting App - Partial research | Emotet Worm", "description": "#firebase #google #dark_web_hosting #ransom #tracking #locate #monitored_targets #worm #emotet #malware #remoted_devices #trojan #reputation\n\n\u2022 Targets likely unaware.\n\n[m.pornsexer.xxx.3.1.adiosfil.roksit.net - reputation tool]", "modified": "2025-09-05T07:00:00.711000", "created": "2025-08-06T07:24:20.645000", "tags": [ "url https", "iocs", "learn more", "ipv4", "domain", "hostname", "types of", "sweden", "united", "belgium", "indicator role", "title added", "active related", "pulses hostname", "showing", "document file", "v2 document", "search", "medium", "ms windows", "vista event", "port", "msie", "windows nt", "wow64", "dirty", "write", "powershell", "copy", "next", "defender", "dynamicloader", "high", "fwlink", "windows", "cmd c", "alerts", "bios", "related pulses", "pulses", "related tags", "file type", "ascii text", "sha256", "external", "virustotal api", "screenshots", "june", "flag", "usa windows", "input threat", "level analysis", "summary", "gbrflag", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "ssl certificate", "defense evasion", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "mitre att", "date", "path", "format", "august", "hybrid", "local", "form", "click", "strings", "ubar", "truetype", "web open", "font format", "description web", "general", "iframe", "slcc2", "media center", "destination", "tlsv1", "unknown", "execution", "dock", "persistence", "malware", "encrypt", "ck techniques", "read c", "show", "entries", "delete", "data upload", "extraction", "onlv", "find", "type", "no matching", "indicator", "mtb may", "trojandropper", "passive dns", "next associated", "lowfi", "gmt cache", "sameorigin", "ipv4 add", "trojan", "mtb apr", "files show", "date hash", "avast avg", "shellterlod may", "win32qqpass apr", "trojanspy", "ransom", "wiper", "date checked", "url hostname", "server response", "ip address", "google safe", "results aug", "urls show", "hookwowlow may" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4593, "hostname": 1754, "domain": 399, "FileHash-SHA256": 2128, "FileHash-MD5": 426, "FileHash-SHA1": 299, "SSLCertFingerprint": 17 }, "indicator_count": 9616, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "271 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652a901fe2dbea9024b3d614", "name": "Black Tech", "description": "Found in a malicious Apple iTunes link. Lists several independent artists. Music \"producer\" is potentially highly dependent on use of AI generated instrumentation and conception. Hacking seems to target a single target and associates.", "modified": "2024-09-24T00:01:38.502000", "created": "2023-10-14T12:57:03.183000", "tags": [ "referrer", "historical ssl", "ssl certificate", "whois record", "whois ssl", "whois", "historical", "siblings parent", "network", "number", "label shanghai", "blue cloud", "ltd regional", "apnic country", "cn continent", "algorithm", "data", "v3 serial", "cus cndigicert", "basic rsa", "cn ca", "g2 odigicert", "inc validity", "oshanghai blue", "road", "beijing country", "beijing", "please", "apnic person", "cn phone", "whois lookup", "bluecloud descr", "shanghai blue", "ltd descr", "cnnic", "whois lookups", "updated date", "apnic netname", "beijing abusec", "abuse cnniccn", "liu registrant", "country", "dns replication", "date", "domain", "first", "blacklist https", "heur", "html", "malware", "alexa top", "site", "filerepmetagen", "suspected", "adware", "cisco umbrella", "malware site", "win64", "opencandy", "cleaner", "artemis", "iframe", "agent", "unsafe", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "genkryptik", "exploit", "presenoker", "filetour", "conduit", "wacatac", "softcnapp", "xtrat", "cve201711882", "memscan", "phishing", "maltiverse", "zbot", "webtoolbar", "trojanspy", "million", "united", "phishing site", "malicious site", "proxy", "firehol", "detection list", "ip address", "blacklist", "safe site", "team", "fusioncore", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "alexa", "adposhel", "installpack", "xrat", "azorult", "service", "runescape", "facebook", "download", "gamehack", "verdict", "falcon sandbox", "pattern match", "show", "file", "indicator", "ascii text", "appdata", "mitre att", "et tor", "known tor", "severity", "hybrid", "general", "misc attack", "beginstring", "script", "relayrouter", "exit", "node traffic", "null", "error", "unknown", "span", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "click", "strings", "meta", "anonymizer", "team proxy", "host", "control server", "meterpreter", "dnspionage", "filerepmalware", "fakealert", "pony", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "patcher", "adload", "webcompanion", "seraph", "downloader", "generic", "dapato", "redline stealer", "beach research", "blacklist http", "generic malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "bundled", "dropped", "contacted", "most malicious", "server", "parent parent" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2449, "FileHash-SHA1": 217, "FileHash-SHA256": 3441, "URL": 2044, "domain": 258, "hostname": 1100, "CIDR": 1, "email": 4, "CVE": 37 }, "indicator_count": 9551, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "617 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6692440efac39f5213329f13", "name": "Mustang Panda: Oxypumper | Ransom Suspicious verifier SpyTox", "description": "Mustang Panda is an alleged;China-based' non-governmental cyber espionage threat actor that was first observed in 2017. Targeting non-governmental civilians. Likely target is in many bot networks. Potential HoneyPot, this tool makes itself visible to target when researching the validity of an email or phone number. Notable for Gand Crane ransomware text embedded in SpyTox page image. Injection process observed. Affects most types of devices including iOS and Android. Critical issues found. IP's registrar's, domains 'not' contacted.\n\nHackers, harassment, cybercrime, cyber espionage.", "modified": "2024-08-12T08:04:00.041000", "created": "2024-07-13T09:08:30.431000", "tags": [ "historical ssl", "referrer", "june", "october", "july", "hacker", "pe resource", "mustang panda", "plugx", "cryptbot", "threat roundup", "december", "process32nextw", "regsetvalueexa", "x00x00", "regdword", "memcommit", "high", "regbinary", "okrnserver", "regsetvalueexw", "download", "copy", "as15169 google", "united", "aaaa", "unknown", "gmt path", "passive dns", "search", "cname", "showing", "cookie", "ascii text", "pattern match", "error", "null", "typeerror", "sha1", "mitre att", "et tor", "known tor", "date", "infinity", "onload", "trident", "android", "void", "hybrid", "local", "encrypt", "click", "strings", "generator", "third-party-cookies", "text/html", "trackers", "external-resources", "iframes", "entries", "status", "name servers", "urls", "next", "nxdomain", "susp", "a nxdomain", "domain", "win32", "as62597", "france unknown", "for privacy", "moved", "a domains", "meta", "gmt cache", "trojan", "creation date", "record value", "script urls", "as55293 a2", "as44273 host", "canada unknown", "scan endpoints", "all scoreblue", "pulse pulses", "files", "ip address", "location canada", "443 ma2592000", "code", "trojanspy", "type", "ipv4", "twitter", "trojandropper", "find", "form", "less see", "formbook cnc", "checkin", "a li", "li ul", "cycbot", "emails", "as20940", "as54113", "asnone denmark", "worm", "asnone", "as4230 claro", "refloadapihash", "salicode", "div div", "wi fi", "orion wi", "orion", "a div", "div section", "orion logo", "target", "fast", "contact", "open", "virtool", "content type", "found", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "ubuntu", "accept", "keepalive", "site", "find people", "numbers", "sptox", "utc google", "html info", "title spytox", "emails meta", "tags viewport", "spytox og", "type win32", "exe size", "mb first", "seen", "file name", "avg win32", "fortinet", "double click", "solutions", "domains", "sneaky server", "replacement", "unauthorized", "malware http", "core", "sim unlock", "emotet", "ta569", "critical", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 protector", "confuser", "confuserex", "checker", "samplename", "bonusbitcoin", "xslayer", "samplepath", "names", "details", "header intel", "name md5", "language", "contained", "rticon neutral", "ico rtgroupicon", "neutral", "assembly common", "clr version", "assembly name", "metadata header", "entry point", "rva entry", "strong name", "streams size", "entropy chi2", "ip detections", "country", "executable", "info header", "allmul vbaget4", "adjfprem ord", "data rtversion", "generic", "file type", "win32 exe", "kb file", "graph", "user", "windir", "downloads", "written c", "files deleted", "dropped c", "process", "logistics", "cyber defense", "brazzers", "tsara brashears", "gpt analyzer", "apple private", "data collection", "twitter andor", "snatch", "ransomware", "default", "rticon english", "type name", "data", "getfilesize", "getdc copyimage", "rticon russian", "pe32 executable", "borland delphi", "delphi generic", "dos borland", "hkcuclsid", "registry keys", "hkcrclsid", "file system", "settings c", "files c", "shared c", "sharedink c", "hostname", "as29791", "as8426 claranet", "malware", "network", "apple ios", "apple", "tmobile metro", "apeaksoft ios", "spybanker", "remcos", "adwind", "njrat", "guloader", "banload", "asyncrat", "arkeistealer", "danabot", "nordvpnsetup", "kb graph", "summary", "sharedinkarsa c", "sharedinkbgbg c", "sharedinkcscz c", "sharedinkdadk c", "gmt etag", "x amz", "body", "body html", "bq jul", "et trojan", "v4inhxvlhx0", "medium", "memreserve", "checks amount", "t1082", "module load", "e weowe64e", "edelepexe", "e rev", "weinedoewse net", "ransom", "show", "filehash", "related", "reverse dns", "haut", "servers", "pulse submit", "as3215 orange", "france", "backdoor", "paris", "honeypot", "python", "callback phishing", "teams", "porn related", "harassment" ], "references": [ "https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?", "Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread", "Antivirus Detections: Win.Malware.Oxypumper-6900445-0", "IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile", "IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)", "IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7", "Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1", "Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ", "google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/", "https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622", "Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")", "scanning_hosts: 138.197.217.6, IPv4 142.251.18.103, IPv4 142.251.31.99", "Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9", "Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx", "Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp", "iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com", "iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com", "iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com", "iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com", "iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E", "Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/", "DotNET_Crypto_Obfuscator", "Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 , PWS:Win32/QQpass.B!MTB ,", "Antivirus Detections: Trojan:Win32/Bulta!rfn , TrojanDownloader:Win32/Cutwail , TrojanDropper:Win32/Loring , TrojanSpy:Win32/Nivdort.CB ,", "Antivirus Detections: TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA , TrojanSpy:Win32/Nivdort.DB ... , TrojanSpy:Win32/Nivdort.CB , TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA", "IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,", "IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...", "https://otx.alienvault.com/indicator/ip/216.40.34.41", "Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97", "ns2.tsaratsovo.net", "FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955", "FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79", "FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848", "DotNET_Crypto_Obfuscator", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj]", "IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 , DotNET_DotFuscator", "Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx", "Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger", "https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj] , Win.Ransomware.Gandcrab-9967304-0 , Ransom:Win32/GandCrab.AE", "Yara Detections ReflectiveLoader , Win32_Ransomware_GandCrab , stack_string", "Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc", "Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9", "Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5", "1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com", "mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "https://www.YouTube.com/polebote" ], "public": 1, "adversary": "Mustang Panda", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Oxypumper-6900445-0", "display_name": "Win.Malware.Oxypumper-6900445-0", "target": null }, { "id": "Backdoor:Win32/Plugx", "display_name": "Backdoor:Win32/Plugx", "target": "/malware/Backdoor:Win32/Plugx" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDropper:Win32/Tofsee", "display_name": "TrojanDropper:Win32/Tofsee", "target": "/malware/TrojanDropper:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 71, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 568, "FileHash-SHA1": 537, "FileHash-SHA256": 4887, "URL": 4773, "domain": 2346, "hostname": 1884, "SSLCertFingerprint": 15, "email": 16, "CVE": 1 }, "indicator_count": 15027, "is_author": false, "is_subscribing": null, "subscriber_count": 238, "modified_text": "660 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a9123acb8410d1158f8a", "name": "DNSpionage", "description": "", "modified": "2023-12-06T17:02:10.861000", "created": "2023-12-06T17:02:10.861000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 27, "FileHash-SHA256": 3307, "hostname": 1083, "FileHash-MD5": 2420, "FileHash-SHA1": 189, "domain": 255, "URL": 1933, "CIDR": 1, "email": 4 }, "indicator_count": 9219, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "910 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a90bc683765a535061dc", "name": "27 CVE Talley | GameHack l Beach Research", "description": "", "modified": "2023-12-06T17:02:03.119000", "created": "2023-12-06T17:02:03.119000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 27, "FileHash-SHA256": 3307, "hostname": 1083, "FileHash-MD5": 2420, "FileHash-SHA1": 189, "domain": 255, "URL": 1933, "CIDR": 1, "email": 4 }, "indicator_count": 9219, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "910 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a903fc0836f148fa45c9", "name": "Oshanghai Blue", "description": "", "modified": "2023-12-06T17:01:55.465000", "created": "2023-12-06T17:01:55.465000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 27, "FileHash-SHA256": 3307, "hostname": 1083, "FileHash-MD5": 2420, "FileHash-SHA1": 189, "domain": 255, "URL": 1933, "CIDR": 1, "email": 4 }, "indicator_count": 9219, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "910 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a8fb83452e1699674c37", "name": "Black Tech", "description": "", "modified": "2023-12-06T17:01:47.488000", "created": "2023-12-06T17:01:47.488000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 27, "FileHash-SHA256": 3307, "hostname": 1083, "FileHash-MD5": 2420, "FileHash-SHA1": 189, "domain": 255, "URL": 1933, "CIDR": 1, "email": 4 }, "indicator_count": 9219, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "910 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a8d167202b93ee502ff8", "name": "Apple iTunes| Malicious site | Anonyization | Siphoning | Trojan Downloader", "description": "", "modified": "2023-12-06T17:01:05.291000", "created": "2023-12-06T17:01:05.291000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 12, "URL": 3839, "hostname": 1331, "FileHash-SHA256": 2976, "domain": 757, "FileHash-MD5": 250, "FileHash-SHA1": 80 }, "indicator_count": 9245, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "910 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a8bf416a1c314819ea53", "name": "Remote Access Related | APK attack targets independent artists", "description": "", "modified": "2023-12-06T17:00:47.888000", "created": "2023-12-06T17:00:47.888000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-SHA256": 2385, "hostname": 1054, "domain": 713, "URL": 3595, "FileHash-MD5": 1104, "FileHash-SHA1": 585, "FilePath": 1 }, "indicator_count": 9442, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "910 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f19afc40e663452f60260", "name": "DNSpionage", "description": "", "modified": "2023-11-13T12:00:59.446000", "created": "2023-10-30T02:49:19.586000", "tags": [ "referrer", "historical ssl", "ssl certificate", "whois record", "whois ssl", "whois", "historical", "siblings parent", "network", "number", "label shanghai", "blue cloud", "ltd regional", "apnic country", "cn continent", "algorithm", "data", "v3 serial", "cus cndigicert", "basic rsa", "cn ca", "g2 odigicert", "inc validity", "oshanghai blue", "road", "beijing country", "beijing", "please", "apnic person", "cn phone", "whois lookup", "bluecloud descr", "shanghai blue", "ltd descr", "cnnic", "whois lookups", "updated date", "apnic netname", "beijing abusec", "abuse cnniccn", "liu registrant", "country", "dns replication", "date", "domain", "first", "blacklist https", "heur", "html", "malware", "alexa top", "site", "filerepmetagen", "suspected", "adware", "cisco umbrella", "malware site", "win64", "opencandy", "cleaner", "artemis", "iframe", "agent", "unsafe", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "genkryptik", "exploit", "presenoker", "filetour", "conduit", "wacatac", "softcnapp", "xtrat", "cve201711882", "memscan", "phishing", "maltiverse", "zbot", "webtoolbar", "trojanspy", "million", "united", "phishing site", "malicious site", "proxy", "firehol", "detection list", "ip address", "blacklist", "safe site", "team", "fusioncore", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "alexa", "adposhel", "installpack", "xrat", "azorult", "service", "runescape", "facebook", "download", "gamehack", "verdict", "falcon sandbox", "pattern match", "show", "file", "indicator", "ascii text", "appdata", "mitre att", "et tor", "known tor", "severity", "hybrid", "general", "misc attack", "beginstring", "script", "relayrouter", "exit", "node traffic", "null", "error", "unknown", "span", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "click", "strings", "meta", "anonymizer", "team proxy", "host", "control server", "meterpreter", "dnspionage", "filerepmalware", "fakealert", "pony", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "patcher", "adload", "webcompanion", "seraph", "downloader", "generic", "dapato", "redline stealer", "beach research", "blacklist http", "generic malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "bundled", "dropped", "contacted", "most malicious", "server", "parent parent" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": "652a9637ba159a3febc414c4", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2420, "FileHash-SHA1": 189, "FileHash-SHA256": 3307, "URL": 1933, "domain": 255, "hostname": 1083, "CIDR": 1, "email": 4, "CVE": 27 }, "indicator_count": 9219, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "933 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652a9637ba159a3febc414c4", "name": "DNSpionage", "description": "", "modified": "2023-11-13T12:00:59.446000", "created": "2023-10-14T13:23:03.558000", "tags": [ "referrer", "historical ssl", "ssl certificate", "whois record", "whois ssl", "whois", "historical", "siblings parent", "network", "number", "label shanghai", "blue cloud", "ltd regional", "apnic country", "cn continent", "algorithm", "data", "v3 serial", "cus cndigicert", "basic rsa", "cn ca", "g2 odigicert", "inc validity", "oshanghai blue", "road", "beijing country", "beijing", "please", "apnic person", "cn phone", "whois lookup", "bluecloud descr", "shanghai blue", "ltd descr", "cnnic", "whois lookups", "updated date", "apnic netname", "beijing abusec", "abuse cnniccn", "liu registrant", "country", "dns replication", "date", "domain", "first", "blacklist https", "heur", "html", "malware", "alexa top", "site", "filerepmetagen", "suspected", "adware", "cisco umbrella", "malware site", "win64", "opencandy", "cleaner", "artemis", "iframe", "agent", "unsafe", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "genkryptik", "exploit", "presenoker", "filetour", "conduit", "wacatac", "softcnapp", "xtrat", "cve201711882", "memscan", "phishing", "maltiverse", "zbot", "webtoolbar", "trojanspy", "million", "united", "phishing site", "malicious site", "proxy", "firehol", "detection list", "ip address", "blacklist", "safe site", "team", "fusioncore", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "alexa", "adposhel", "installpack", "xrat", "azorult", "service", "runescape", "facebook", "download", "gamehack", "verdict", "falcon sandbox", "pattern match", "show", "file", "indicator", "ascii text", "appdata", "mitre att", "et tor", "known tor", "severity", "hybrid", "general", "misc attack", "beginstring", "script", "relayrouter", "exit", "node traffic", "null", "error", "unknown", "span", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "click", "strings", "meta", "anonymizer", "team proxy", "host", "control server", "meterpreter", "dnspionage", "filerepmalware", "fakealert", "pony", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "patcher", "adload", "webcompanion", "seraph", "downloader", "generic", "dapato", "redline stealer", "beach research", "blacklist http", "generic malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "bundled", "dropped", "contacted", "most malicious", "server", "parent parent" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": "652a9441becbdf690c095816", "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2420, "FileHash-SHA1": 189, "FileHash-SHA256": 3307, "URL": 1933, "domain": 255, "hostname": 1083, "CIDR": 1, "email": 4, "CVE": 27 }, "indicator_count": 9219, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "933 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652a9441becbdf690c095816", "name": "27 CVE Talley | GameHack l Beach Research", "description": "", "modified": "2023-11-13T12:00:59.446000", "created": "2023-10-14T13:14:41.530000", "tags": [ "referrer", "historical ssl", "ssl certificate", "whois record", "whois ssl", "whois", "historical", "siblings parent", "network", "number", "label shanghai", "blue cloud", "ltd regional", "apnic country", "cn continent", "algorithm", "data", "v3 serial", "cus cndigicert", "basic rsa", "cn ca", "g2 odigicert", "inc validity", "oshanghai blue", "road", "beijing country", "beijing", "please", "apnic person", "cn phone", "whois lookup", "bluecloud descr", "shanghai blue", "ltd descr", "cnnic", "whois lookups", "updated date", "apnic netname", "beijing abusec", "abuse cnniccn", "liu registrant", "country", "dns replication", "date", "domain", "first", "blacklist https", "heur", "html", "malware", "alexa top", "site", "filerepmetagen", "suspected", "adware", "cisco umbrella", "malware site", "win64", "opencandy", "cleaner", "artemis", "iframe", "agent", "unsafe", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "genkryptik", "exploit", "presenoker", "filetour", "conduit", "wacatac", "softcnapp", "xtrat", "cve201711882", "memscan", "phishing", "maltiverse", "zbot", "webtoolbar", "trojanspy", "million", "united", "phishing site", "malicious site", "proxy", "firehol", "detection list", "ip address", "blacklist", "safe site", "team", "fusioncore", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "alexa", "adposhel", "installpack", "xrat", "azorult", "service", "runescape", "facebook", "download", "gamehack", "verdict", "falcon sandbox", "pattern match", "show", "file", "indicator", "ascii text", "appdata", "mitre att", "et tor", "known tor", "severity", "hybrid", "general", "misc attack", "beginstring", "script", "relayrouter", "exit", "node traffic", "null", "error", "unknown", "span", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "click", "strings", "meta", "anonymizer", "team proxy", "host", "control server", "meterpreter", "dnspionage", "filerepmalware", "fakealert", "pony", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "patcher", "adload", "webcompanion", "seraph", "downloader", "generic", "dapato", "redline stealer", "beach research", "blacklist http", "generic malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "bundled", "dropped", "contacted", "most malicious", "server", "parent parent" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": "652a901fe2dbea9024b3d614", "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2420, "FileHash-SHA1": 189, "FileHash-SHA256": 3307, "URL": 1933, "domain": 255, "hostname": 1083, "CIDR": 1, "email": 4, "CVE": 27 }, "indicator_count": 9219, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "933 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652a913f48809612f1bd7deb", "name": "Oshanghai Blue ", "description": "", "modified": "2023-11-13T12:00:59.446000", "created": "2023-10-14T13:01:51.164000", "tags": [ "referrer", "historical ssl", "ssl certificate", "whois record", "whois ssl", "whois", "historical", "siblings parent", "network", "number", "label shanghai", "blue cloud", "ltd regional", "apnic country", "cn continent", "algorithm", "data", "v3 serial", "cus cndigicert", "basic rsa", "cn ca", "g2 odigicert", "inc validity", "oshanghai blue", "road", "beijing country", "beijing", "please", "apnic person", "cn phone", "whois lookup", "bluecloud descr", "shanghai blue", "ltd descr", "cnnic", "whois lookups", "updated date", "apnic netname", "beijing abusec", "abuse cnniccn", "liu registrant", "country", "dns replication", "date", "domain", "first", "blacklist https", "heur", "html", "malware", "alexa top", "site", "filerepmetagen", "suspected", "adware", "cisco umbrella", "malware site", "win64", "opencandy", "cleaner", "artemis", "iframe", "agent", "unsafe", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "genkryptik", "exploit", "presenoker", "filetour", "conduit", "wacatac", "softcnapp", "xtrat", "cve201711882", "memscan", "phishing", "maltiverse", "zbot", "webtoolbar", "trojanspy", "million", "united", "phishing site", "malicious site", "proxy", "firehol", "detection list", "ip address", "blacklist", "safe site", "team", "fusioncore", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "alexa", "adposhel", "installpack", "xrat", "azorult", "service", "runescape", "facebook", "download", "gamehack", "verdict", "falcon sandbox", "pattern match", "show", "file", "indicator", "ascii text", "appdata", "mitre att", "et tor", "known tor", "severity", "hybrid", "general", "misc attack", "beginstring", "script", "relayrouter", "exit", "node traffic", "null", "error", "unknown", "span", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "click", "strings", "meta", "anonymizer", "team proxy", "host", "control server", "meterpreter", "dnspionage", "filerepmalware", "fakealert", "pony", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "patcher", "adload", "webcompanion", "seraph", "downloader", "generic", "dapato", "redline stealer", "beach research", "blacklist http", "generic malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "bundled", "dropped", "contacted", "most malicious", "server", "parent parent" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": "652a901fe2dbea9024b3d614", "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2420, "FileHash-SHA1": 189, "FileHash-SHA256": 3307, "URL": 1933, "domain": 255, "hostname": 1083, "CIDR": 1, "email": 4, "CVE": 27 }, "indicator_count": 9219, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "933 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f19f703614354a606c382", "name": "Apple iTunes| Malicious site | Anonyization | Siphoning | Trojan Downloader", "description": "", "modified": "2023-11-12T17:01:15.222000", "created": "2023-10-30T02:50:31.950000", "tags": [ "ssl certificate", "historical ssl", "referrer", "communicating", "unlocker", "legal entities", "using ip", "amazon aws", "apple ios", "passcode", "attack", "verified", "cyber criminal", "name verdict", "falcon sandbox", "united", "flag", "date", "name server", "markmonitor", "contains", "external", "new relic", "logo", "av detection", "hybrid", "general", "click", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "proxy", "firehol", "malware", "heur", "cisco umbrella", "site", "safe site", "million", "alexa top", "malicious site", "malware site", "adware", "artemis", "iframe", "cleaner", "unsafe", "riskware", "opencandy", "downldr", "nircmd", "swrort", "presenoker", "wacatac", "phishing", "xtrat", "crack", "tiggre", "exploit", "agent", "filetour", "conduit", "acint", "systweak", "behav", "genkryptik", "softcnapp", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "xrat", "gamehack", "webtoolbar", "trojanspy", "maltiverse", "urls", "detection list", "blacklist https", "path", "maxage31536000", "expiressat", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "pragma", "html info", "title kedence", "official apk", "meta tags", "apk download", "android", "google tag", "utc google", "utc na", "phishing site", "anonymizer", "malicious host", "driverpack", "ransomware", "installcore", "suppobox", "patcher", "generic", "dropper", "fakealert", "quasar rat", "applicunwnt", "mimikatz", "team", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Verified", "display_name": "Verified", "target": null }, { "id": "Cyber Criminal", "display_name": "Cyber Criminal", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "65298a6839a49a9aa732bcac", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 250, "FileHash-SHA1": 80, "FileHash-SHA256": 2976, "domain": 757, "hostname": 1331, "URL": 3839, "CVE": 12 }, "indicator_count": 9245, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "934 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65298a6839a49a9aa732bcac", "name": "Apple iTunes| Malicious site | Anonyization | Siphoning | Trojan Downloader", "description": "IC3 attached to links, apple , messaging, Skype.\nIC3 CN?\nChina? Unclear. Possibly intercepting IC3 complaints or linking to FBI to frame targets. Links show attack is Attorney orchestrated. \nSame group of Apple iTune links affected by Java.Trojan.GenericGB, Apple NetWorm Trojan.Buzus, Dropper.Mudrop, GenPack:Trojan.Generic, Worm.Mytob ,Phishing site, Anonymizer , netsky ,worm and other vulnerabilities over time. \u200eSign of the Times \u2013 Album par Dembiak Music \u2013 Apple Music Autonomous Systems: AS714 Apple Inc AS14061 Digital Ocean Inc AS8560 1 1 Internet SE Anonymizer: Proxy - FireHol malicious url, evasive, pua, worm, network, attack, bad actor, targeting", "modified": "2023-11-12T17:01:15.222000", "created": "2023-10-13T18:20:24.042000", "tags": [ "ssl certificate", "historical ssl", "referrer", "communicating", "unlocker", "legal entities", "using ip", "amazon aws", "apple ios", "passcode", "attack", "verified", "cyber criminal", "name verdict", "falcon sandbox", "united", "flag", "date", "name server", "markmonitor", "contains", "external", "new relic", "logo", "av detection", "hybrid", "general", "click", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "proxy", "firehol", "malware", "heur", "cisco umbrella", "site", "safe site", "million", "alexa top", "malicious site", "malware site", "adware", "artemis", "iframe", "cleaner", "unsafe", "riskware", "opencandy", "downldr", "nircmd", "swrort", "presenoker", "wacatac", "phishing", "xtrat", "crack", "tiggre", "exploit", "agent", "filetour", "conduit", "acint", "systweak", "behav", "genkryptik", "softcnapp", "fusioncore", "azorult", "service", "runescape", "facebook", "bank", "download", "xrat", "gamehack", "webtoolbar", "trojanspy", "maltiverse", "urls", "detection list", "blacklist https", "path", "maxage31536000", "expiressat", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "pragma", "html info", "title kedence", "official apk", "meta tags", "apk download", "android", "google tag", "utc google", "utc na", "phishing site", "anonymizer", "malicious host", "driverpack", "ransomware", "installcore", "suppobox", "patcher", "generic", "dropper", "fakealert", "quasar rat", "applicunwnt", "mimikatz", "team", "blacklist" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Verified", "display_name": "Verified", "target": null }, { "id": "Cyber Criminal", "display_name": "Cyber Criminal", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Maltiverse", "display_name": "Maltiverse", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 250, "FileHash-SHA1": 80, "FileHash-SHA256": 2976, "domain": 757, "hostname": 1331, "URL": 3839, "CVE": 12 }, "indicator_count": 9245, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "934 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6528fa2179cc1554d7f434c6", "name": "Remote Access Related | APK attack targets independent artists", "description": "Suppression, malware,\nPassword,Exploit/Shellcode *Defacement *Unsafe.AI_Score_ * FileRepMetagen [PUP]\nrevenge-rat,stealer,, Steganos Software GmbH Privacy Suite, Ransom_WannaCrypt.R002C0DJO20,\nWacatac.B, Trojan.HideLink, SuppoBox,Trojan.Downloader.Generic, TrojWare.JS.Obfuscated, Phish.HHH, Phishing_Netflix.EVT, Phishing.Microsoft,Trojan.AvsHepter, HTML:PhishingBank, Phishing.fz, Probably, Heur.HTMLUnescapeF, BehavesLike.HTML.SMSSendPhishing.S23, Gen:Variant.Zbot, BehavesLike.HTML.Faceliker", "modified": "2023-11-12T07:01:14.580000", "created": "2023-10-13T08:04:49.722000", "tags": [ "alexa top", "blacklist", "phishing", "million", "site", "cisco umbrella", "path", "maxage31536000", "expiressat", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "pragma", "html info", "title kedence", "official apk", "meta tags", "apk download", "android", "google tag", "utc google", "utc na", "whois record", "contacted", "ssl certificate", "communicating", "referrer", "historical ssl", "bundled", "resolutions", "contacted urls", "hackers install", "malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "united", "phishing site", "malware site", "malicious site", "heur", "anonymizer", "malicious host", "crack", "maltiverse", "driverpack", "ransomware", "opencandy", "artemis", "riskware", "installcore", "suppobox", "bank", "agent", "patcher", "generic", "t", "safe site", "iframe", "downldr", "presenoker", "exploit", "genkryptik", "dropper", "fakealert", "quasar rat", "xtrat", "softcnapp", "cleaner", "xrat", "applicunwnt", "mimikatz", "team", "azorult", "service", "runescape", "facebook", "download", "logo analysis", "size81b type", "mime", "scan10132023", "results", "multi scan", "analysis", "update", "view details", "na visit", "sansx22", "3px 3px", "indicator", "file", "general", "email address", "pattern match", "ck id", "t1114", "show technique", "mitre att", "ck matrix", "script", "antivirus", "svg scalable", "vector graphics", "span", "twitter", "hybrid", "ascii text", "appdata", "windows nt", "png image", "jpeg image", "jfif", "date", "flag", "markmonitor", "name server", "server", "enom", "whois privacy", "cloudflare", "domain address", "show", "osint", "f8f9fa", "eeeeee", "click", "unknown", "open", "error", "body", "hosts", "strings", "class", "critical", "meta", "scroll", "atom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "T", "display_name": "T", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 713, "FileHash-MD5": 1104, "FileHash-SHA1": 585, "FileHash-SHA256": 2385, "hostname": 1054, "URL": 3596, "CVE": 5, "FilePath": 1 }, "indicator_count": 9443, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "934 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f1d23d050527b7aa07cfd", "name": "Remote Access Related | APK attack targets independent artists", "description": "", "modified": "2023-11-12T07:01:14.580000", "created": "2023-10-30T03:04:03.323000", "tags": [ "alexa top", "blacklist", "phishing", "million", "site", "cisco umbrella", "path", "maxage31536000", "expiressat", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "pragma", "html info", "title kedence", "official apk", "meta tags", "apk download", "android", "google tag", "utc google", "utc na", "whois record", "contacted", "ssl certificate", "communicating", "referrer", "historical ssl", "bundled", "resolutions", "contacted urls", "hackers install", "malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "united", "phishing site", "malware site", "malicious site", "heur", "anonymizer", "malicious host", "crack", "maltiverse", "driverpack", "ransomware", "opencandy", "artemis", "riskware", "installcore", "suppobox", "bank", "agent", "patcher", "generic", "t", "safe site", "iframe", "downldr", "presenoker", "exploit", "genkryptik", "dropper", "fakealert", "quasar rat", "xtrat", "softcnapp", "cleaner", "xrat", "applicunwnt", "mimikatz", "team", "azorult", "service", "runescape", "facebook", "download", "logo analysis", "size81b type", "mime", "scan10132023", "results", "multi scan", "analysis", "update", "view details", "na visit", "sansx22", "3px 3px", "indicator", "file", "general", "email address", "pattern match", "ck id", "t1114", "show technique", "mitre att", "ck matrix", "script", "antivirus", "svg scalable", "vector graphics", "span", "twitter", "hybrid", "ascii text", "appdata", "windows nt", "png image", "jpeg image", "jfif", "date", "flag", "markmonitor", "name server", "server", "enom", "whois privacy", "cloudflare", "domain address", "show", "osint", "f8f9fa", "eeeeee", "click", "unknown", "open", "error", "body", "hosts", "strings", "class", "critical", "meta", "scroll", "atom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "T", "display_name": "T", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": "6528fa2179cc1554d7f434c6", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 713, "FileHash-MD5": 1104, "FileHash-SHA1": 585, "FileHash-SHA256": 2385, "hostname": 1054, "URL": 3596, "CVE": 5, "FilePath": 1 }, "indicator_count": 9443, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "934 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7", "iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com", "iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com", "Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a", "IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...", "IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile", "Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger", "Yara Detections ReflectiveLoader , Win32_Ransomware_GandCrab , stack_string", "FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848", "Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1", "Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp", "FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79", "ns2.tsaratsovo.net", "Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9", "Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9", "IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)", "FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955", "Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5", "Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread", "Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc", "https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622", "Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 , PWS:Win32/QQpass.B!MTB ,", "https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29", "mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,", "iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj] , Win.Ransomware.Gandcrab-9967304-0 , Ransom:Win32/GandCrab.AE", "1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com", "scanning_hosts: 138.197.217.6, IPv4 142.251.18.103, IPv4 142.251.31.99", "google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/", "Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8", "https://otx.alienvault.com/indicator/ip/216.40.34.41", "Antivirus Detections: TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA , TrojanSpy:Win32/Nivdort.DB ... , TrojanSpy:Win32/Nivdort.CB , TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA", "Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")", "Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/", "Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx", "Antivirus Detections: Trojan:Win32/Bulta!rfn , TrojanDownloader:Win32/Cutwail , TrojanDropper:Win32/Loring , TrojanSpy:Win32/Nivdort.CB ,", "https://www.YouTube.com/polebote", "iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com", "IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx", "IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 , DotNET_DotFuscator", "iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E", "IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,", "DotNET_Crypto_Obfuscator", "https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?", "Antivirus Detections: Win.Malware.Oxypumper-6900445-0", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj]" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Mustang Panda" ], "malware_families": [ "Win.malware.oxypumper-6900445-0", "Generic", "T", "Cycbot", "Trojandropper:win32/tofsee", "Gamehack", "Backdoor:win32/tofsee.t", "Verified", "Zbot", "Trojanspy", "Maltiverse", "Cyber criminal", "Backdoor:win32/plugx", "Webtoolbar", "Ransom:win32/gandcrab.ae", "Beach research", "Behav" ], "industries": [], "unique_indicators": 45221 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/google.com", "whois": "http://whois.domaintools.com/google.com", "domain": "google.com", "hostname": "fonts.google.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 21, "pulses": [ { "id": "6a1eb8b10286d8a660208d22", "name": "credit scoreblue title [ Oxypumper : Mustang Panda | Suspicious..\"] user note: There are too many similarities by ten+ researchers on here. united.", "description": "", "modified": "2026-06-02T12:38:38.917000", "created": "2026-06-02T11:04:17.633000", "tags": [ "historical ssl", "referrer", "june", "october", "july", "hacker", "pe resource", "mustang panda", "plugx", "cryptbot", "threat roundup", "december", "process32nextw", "regsetvalueexa", "x00x00", "regdword", "memcommit", "high", "regbinary", "okrnserver", "regsetvalueexw", "download", "copy", "as15169 google", "united", "aaaa", "unknown", "gmt path", "passive dns", "search", "cname", "showing", "cookie", "ascii text", "pattern match", "error", "null", "typeerror", "sha1", "mitre att", "et tor", "known tor", "date", "infinity", "onload", "trident", "android", "void", "hybrid", "local", "encrypt", "click", "strings", "generator", "third-party-cookies", "text/html", "trackers", "external-resources", "iframes", "entries", "status", "name servers", "urls", "next", "nxdomain", "susp", "a nxdomain", "domain", "win32", "as62597", "france unknown", "for privacy", "moved", "a domains", "meta", "gmt cache", "trojan", "creation date", "record value", "script urls", "as55293 a2", "as44273 host", "canada unknown", "scan endpoints", "all scoreblue", "pulse pulses", "files", "ip address", "location canada", "443 ma2592000", "code", "trojanspy", "type", "ipv4", "twitter", "trojandropper", "find", "form", "less see", "formbook cnc", "checkin", "a li", "li ul", "cycbot", "emails", "as20940", "as54113", "asnone denmark", "worm", "asnone", "as4230 claro", "refloadapihash", "salicode", "div div", "wi fi", "orion wi", "orion", "a div", "div section", "orion logo", "target", "fast", "contact", "open", "virtool", "content type", "found", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "ubuntu", "accept", "keepalive", "site", "find people", "numbers", "sptox", "utc google", "html info", "title spytox", "emails meta", "tags viewport", "spytox og", "type win32", "exe size", "mb first", "seen", "file name", "avg win32", "fortinet", "double click", "solutions", "domains", "sneaky server", "replacement", "unauthorized", "malware http", "core", "sim unlock", "emotet", "ta569", "critical", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 protector", "confuser", "confuserex", "checker", "samplename", "bonusbitcoin", "xslayer", "samplepath", "names", "details", "header intel", "name md5", "language", "contained", "rticon neutral", "ico rtgroupicon", "neutral", "assembly common", "clr version", "assembly name", "metadata header", "entry point", "rva entry", "strong name", "streams size", "entropy chi2", "ip detections", "country", "executable", "info header", "allmul vbaget4", "adjfprem ord", "data rtversion", "generic", "file type", "win32 exe", "kb file", "graph", "user", "windir", "downloads", "written c", "files deleted", "dropped c", "process", "logistics", "cyber defense", "brazzers", "tsara brashears", "gpt analyzer", "apple private", "data collection", "twitter andor", "snatch", "ransomware", "default", "rticon english", "type name", "data", "getfilesize", "getdc copyimage", "rticon russian", "pe32 executable", "borland delphi", "delphi generic", "dos borland", "hkcuclsid", "registry keys", "hkcrclsid", "file system", "settings c", "files c", "shared c", "sharedink c", "hostname", "as29791", "as8426 claranet", "malware", "network", "apple ios", "apple", "tmobile metro", "apeaksoft ios", "spybanker", "remcos", "adwind", "njrat", "guloader", "banload", "asyncrat", "arkeistealer", "danabot", "nordvpnsetup", "kb graph", "summary", "sharedinkarsa c", "sharedinkbgbg c", "sharedinkcscz c", "sharedinkdadk c", "gmt etag", "x amz", "body", "body html", "bq jul", "et trojan", "v4inhxvlhx0", "medium", "memreserve", "checks amount", "t1082", "module load", "e weowe64e", "edelepexe", "e rev", "weinedoewse net", "ransom", "show", "filehash", "related", "reverse dns", "haut", "servers", "pulse submit", "as3215 orange", "france", "backdoor", "paris", "honeypot", "python", "callback phishing", "teams", "porn related", "harassment" ], "references": [ "https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?", "Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread", "Antivirus Detections: Win.Malware.Oxypumper-6900445-0", "IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile", "IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)", "IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7", "Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1", "Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ", "google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/", "https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622", "Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")", "scanning_hosts: 138.197.217.6, IPv4 142.251.18.103, IPv4 142.251.31.99", "Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9", "Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx", "Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp", "iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com", "iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com", "iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com", "iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com", "iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E", "Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/", "DotNET_Crypto_Obfuscator", "Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 , PWS:Win32/QQpass.B!MTB ,", "Antivirus Detections: Trojan:Win32/Bulta!rfn , TrojanDownloader:Win32/Cutwail , TrojanDropper:Win32/Loring , TrojanSpy:Win32/Nivdort.CB ,", "Antivirus Detections: TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA , TrojanSpy:Win32/Nivdort.DB ... , TrojanSpy:Win32/Nivdort.CB , TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA", "IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,", "IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...", "https://otx.alienvault.com/indicator/ip/216.40.34.41", "Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97", "ns2.tsaratsovo.net", "FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955", "FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79", "FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848", "DotNET_Crypto_Obfuscator", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj]", "IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 , DotNET_DotFuscator", "Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx", "Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger", "https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj] , Win.Ransomware.Gandcrab-9967304-0 , Ransom:Win32/GandCrab.AE", "Yara Detections ReflectiveLoader , Win32_Ransomware_GandCrab , stack_string", "Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc", "Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9", "Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5", "1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com", "mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "https://www.YouTube.com/polebote" ], "public": 1, "adversary": "Mustang Panda", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Oxypumper-6900445-0", "display_name": "Win.Malware.Oxypumper-6900445-0", "target": null }, { "id": "Backdoor:Win32/Plugx", "display_name": "Backdoor:Win32/Plugx", "target": "/malware/Backdoor:Win32/Plugx" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDropper:Win32/Tofsee", "display_name": "TrojanDropper:Win32/Tofsee", "target": "/malware/TrojanDropper:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": "6692440efac39f5213329f13", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 568, "FileHash-SHA1": 537, "FileHash-SHA256": 4887, "URL": 4776, "domain": 2347, "hostname": 1885, "SSLCertFingerprint": 15, "email": 16, "CVE": 1 }, "indicator_count": 15032, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1eb89e870b00e5430358ca", "name": "credit scoreblue title [ Oxypumper : Mustang Panda | Suspicious..\"] user note: There are too many similarities by ten+ researchers on here. united.", "description": "", "modified": "2026-06-02T11:31:42.087000", "created": "2026-06-02T11:03:58.997000", "tags": [ "historical ssl", "referrer", "june", "october", "july", "hacker", "pe resource", "mustang panda", "plugx", "cryptbot", "threat roundup", "december", "process32nextw", "regsetvalueexa", "x00x00", "regdword", "memcommit", "high", "regbinary", "okrnserver", "regsetvalueexw", "download", "copy", "as15169 google", "united", "aaaa", "unknown", "gmt path", "passive dns", "search", "cname", "showing", "cookie", "ascii text", "pattern match", "error", "null", "typeerror", "sha1", "mitre att", "et tor", "known tor", "date", "infinity", "onload", "trident", "android", "void", "hybrid", "local", "encrypt", "click", "strings", "generator", "third-party-cookies", "text/html", "trackers", "external-resources", "iframes", "entries", "status", "name servers", "urls", "next", "nxdomain", "susp", "a nxdomain", "domain", "win32", "as62597", "france unknown", "for privacy", "moved", "a domains", "meta", "gmt cache", "trojan", "creation date", "record value", "script urls", "as55293 a2", "as44273 host", "canada unknown", "scan endpoints", "all scoreblue", "pulse pulses", "files", "ip address", "location canada", "443 ma2592000", "code", "trojanspy", "type", "ipv4", "twitter", "trojandropper", "find", "form", "less see", "formbook cnc", "checkin", "a li", "li ul", "cycbot", "emails", "as20940", "as54113", "asnone denmark", "worm", "asnone", "as4230 claro", "refloadapihash", "salicode", "div div", "wi fi", "orion wi", "orion", "a div", "div section", "orion logo", "target", "fast", "contact", "open", "virtool", "content type", "found", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "ubuntu", "accept", "keepalive", "site", "find people", "numbers", "sptox", "utc google", "html info", "title spytox", "emails meta", "tags viewport", "spytox og", "type win32", "exe size", "mb first", "seen", "file name", "avg win32", "fortinet", "double click", "solutions", "domains", "sneaky server", "replacement", "unauthorized", "malware http", "core", "sim unlock", "emotet", "ta569", "critical", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 protector", "confuser", "confuserex", "checker", "samplename", "bonusbitcoin", "xslayer", "samplepath", "names", "details", "header intel", "name md5", "language", "contained", "rticon neutral", "ico rtgroupicon", "neutral", "assembly common", "clr version", "assembly name", "metadata header", "entry point", "rva entry", "strong name", "streams size", "entropy chi2", "ip detections", "country", "executable", "info header", "allmul vbaget4", "adjfprem ord", "data rtversion", "generic", "file type", "win32 exe", "kb file", "graph", "user", "windir", "downloads", "written c", "files deleted", "dropped c", "process", "logistics", "cyber defense", "brazzers", "tsara brashears", "gpt analyzer", "apple private", "data collection", "twitter andor", "snatch", "ransomware", "default", "rticon english", "type name", "data", "getfilesize", "getdc copyimage", "rticon russian", "pe32 executable", "borland delphi", "delphi generic", "dos borland", "hkcuclsid", "registry keys", "hkcrclsid", "file system", "settings c", "files c", "shared c", "sharedink c", "hostname", "as29791", "as8426 claranet", "malware", "network", "apple ios", "apple", "tmobile metro", "apeaksoft ios", "spybanker", "remcos", "adwind", "njrat", "guloader", "banload", "asyncrat", "arkeistealer", "danabot", "nordvpnsetup", "kb graph", "summary", "sharedinkarsa c", "sharedinkbgbg c", "sharedinkcscz c", "sharedinkdadk c", "gmt etag", "x amz", "body", "body html", "bq jul", "et trojan", "v4inhxvlhx0", "medium", "memreserve", "checks amount", "t1082", "module load", "e weowe64e", "edelepexe", "e rev", "weinedoewse net", "ransom", "show", "filehash", "related", "reverse dns", "haut", "servers", "pulse submit", "as3215 orange", "france", "backdoor", "paris", "honeypot", "python", "callback phishing", "teams", "porn related", "harassment" ], "references": [ "https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?", "Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread", "Antivirus Detections: Win.Malware.Oxypumper-6900445-0", "IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile", "IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)", "IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7", "Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1", "Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ", "google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/", "https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622", "Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")", "scanning_hosts: 138.197.217.6, IPv4 142.251.18.103, IPv4 142.251.31.99", "Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9", "Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx", "Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp", "iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com", "iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com", "iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com", "iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com", "iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E", "Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/", "DotNET_Crypto_Obfuscator", "Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 , PWS:Win32/QQpass.B!MTB ,", "Antivirus Detections: Trojan:Win32/Bulta!rfn , TrojanDownloader:Win32/Cutwail , TrojanDropper:Win32/Loring , TrojanSpy:Win32/Nivdort.CB ,", "Antivirus Detections: TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA , TrojanSpy:Win32/Nivdort.DB ... , TrojanSpy:Win32/Nivdort.CB , TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA", "IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,", "IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...", "https://otx.alienvault.com/indicator/ip/216.40.34.41", "Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97", "ns2.tsaratsovo.net", "FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955", "FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79", "FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848", "DotNET_Crypto_Obfuscator", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj]", "IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 , DotNET_DotFuscator", "Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx", "Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger", "https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj] , Win.Ransomware.Gandcrab-9967304-0 , Ransom:Win32/GandCrab.AE", "Yara Detections ReflectiveLoader , Win32_Ransomware_GandCrab , stack_string", "Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc", "Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9", "Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5", "1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com", "mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "https://www.YouTube.com/polebote" ], "public": 1, "adversary": "Mustang Panda", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Oxypumper-6900445-0", "display_name": "Win.Malware.Oxypumper-6900445-0", "target": null }, { "id": "Backdoor:Win32/Plugx", "display_name": "Backdoor:Win32/Plugx", "target": "/malware/Backdoor:Win32/Plugx" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDropper:Win32/Tofsee", "display_name": "TrojanDropper:Win32/Tofsee", "target": "/malware/TrojanDropper:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": "6692440efac39f5213329f13", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 568, "FileHash-SHA1": 537, "FileHash-SHA256": 4887, "URL": 4775, "domain": 2346, "hostname": 1884, "SSLCertFingerprint": 15, "email": 16, "CVE": 1 }, "indicator_count": 15029, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1eb89f53c0a70219dddefb", "name": "credit scoreblue title [ Oxypumper : Mustang Panda | Suspicious..\"] user note: There are too many similarities by ten+ researchers on here. united.", "description": "", "modified": "2026-06-02T11:31:40.987000", "created": "2026-06-02T11:03:59.936000", "tags": [ "historical ssl", "referrer", "june", "october", "july", "hacker", "pe resource", "mustang panda", "plugx", "cryptbot", "threat roundup", "december", "process32nextw", "regsetvalueexa", "x00x00", "regdword", "memcommit", "high", "regbinary", "okrnserver", "regsetvalueexw", "download", "copy", "as15169 google", "united", "aaaa", "unknown", "gmt path", "passive dns", "search", "cname", "showing", "cookie", "ascii text", "pattern match", "error", "null", "typeerror", "sha1", "mitre att", "et tor", "known tor", "date", "infinity", "onload", "trident", "android", "void", "hybrid", "local", "encrypt", "click", "strings", "generator", "third-party-cookies", "text/html", "trackers", "external-resources", "iframes", "entries", "status", "name servers", "urls", "next", "nxdomain", "susp", "a nxdomain", "domain", "win32", "as62597", "france unknown", "for privacy", "moved", "a domains", "meta", "gmt cache", "trojan", "creation date", "record value", "script urls", "as55293 a2", "as44273 host", "canada unknown", "scan endpoints", "all scoreblue", "pulse pulses", "files", "ip address", "location canada", "443 ma2592000", "code", "trojanspy", "type", "ipv4", "twitter", "trojandropper", "find", "form", "less see", "formbook cnc", "checkin", "a li", "li ul", "cycbot", "emails", "as20940", "as54113", "asnone denmark", "worm", "asnone", "as4230 claro", "refloadapihash", "salicode", "div div", "wi fi", "orion wi", "orion", "a div", "div section", "orion logo", "target", "fast", "contact", "open", "virtool", "content type", "found", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "ubuntu", "accept", "keepalive", "site", "find people", "numbers", "sptox", "utc google", "html info", "title spytox", "emails meta", "tags viewport", "spytox og", "type win32", "exe size", "mb first", "seen", "file name", "avg win32", "fortinet", "double click", "solutions", "domains", "sneaky server", "replacement", "unauthorized", "malware http", "core", "sim unlock", "emotet", "ta569", "critical", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 protector", "confuser", "confuserex", "checker", "samplename", "bonusbitcoin", "xslayer", "samplepath", "names", "details", "header intel", "name md5", "language", "contained", "rticon neutral", "ico rtgroupicon", "neutral", "assembly common", "clr version", "assembly name", "metadata header", "entry point", "rva entry", "strong name", "streams size", "entropy chi2", "ip detections", "country", "executable", "info header", "allmul vbaget4", "adjfprem ord", "data rtversion", "generic", "file type", "win32 exe", "kb file", "graph", "user", "windir", "downloads", "written c", "files deleted", "dropped c", "process", "logistics", "cyber defense", "brazzers", "tsara brashears", "gpt analyzer", "apple private", "data collection", "twitter andor", "snatch", "ransomware", "default", "rticon english", "type name", "data", "getfilesize", "getdc copyimage", "rticon russian", "pe32 executable", "borland delphi", "delphi generic", "dos borland", "hkcuclsid", "registry keys", "hkcrclsid", "file system", "settings c", "files c", "shared c", "sharedink c", "hostname", "as29791", "as8426 claranet", "malware", "network", "apple ios", "apple", "tmobile metro", "apeaksoft ios", "spybanker", "remcos", "adwind", "njrat", "guloader", "banload", "asyncrat", "arkeistealer", "danabot", "nordvpnsetup", "kb graph", "summary", "sharedinkarsa c", "sharedinkbgbg c", "sharedinkcscz c", "sharedinkdadk c", "gmt etag", "x amz", "body", "body html", "bq jul", "et trojan", "v4inhxvlhx0", "medium", "memreserve", "checks amount", "t1082", "module load", "e weowe64e", "edelepexe", "e rev", "weinedoewse net", "ransom", "show", "filehash", "related", "reverse dns", "haut", "servers", "pulse submit", "as3215 orange", "france", "backdoor", "paris", "honeypot", "python", "callback phishing", "teams", "porn related", "harassment" ], "references": [ "https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?", "Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread", "Antivirus Detections: Win.Malware.Oxypumper-6900445-0", "IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile", "IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)", "IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7", "Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1", "Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ", "google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/", "https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622", "Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")", "scanning_hosts: 138.197.217.6, IPv4 142.251.18.103, IPv4 142.251.31.99", "Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9", "Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx", "Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp", "iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com", "iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com", "iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com", "iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com", "iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E", "Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/", "DotNET_Crypto_Obfuscator", "Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 , PWS:Win32/QQpass.B!MTB ,", "Antivirus Detections: Trojan:Win32/Bulta!rfn , TrojanDownloader:Win32/Cutwail , TrojanDropper:Win32/Loring , TrojanSpy:Win32/Nivdort.CB ,", "Antivirus Detections: TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA , TrojanSpy:Win32/Nivdort.DB ... , TrojanSpy:Win32/Nivdort.CB , TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA", "IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,", "IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...", "https://otx.alienvault.com/indicator/ip/216.40.34.41", "Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97", "ns2.tsaratsovo.net", "FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955", "FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79", "FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848", "DotNET_Crypto_Obfuscator", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj]", "IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 , DotNET_DotFuscator", "Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx", "Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger", "https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj] , Win.Ransomware.Gandcrab-9967304-0 , Ransom:Win32/GandCrab.AE", "Yara Detections ReflectiveLoader , Win32_Ransomware_GandCrab , stack_string", "Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc", "Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9", "Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5", "1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com", "mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "https://www.YouTube.com/polebote" ], "public": 1, "adversary": "Mustang Panda", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Oxypumper-6900445-0", "display_name": "Win.Malware.Oxypumper-6900445-0", "target": null }, { "id": "Backdoor:Win32/Plugx", "display_name": "Backdoor:Win32/Plugx", "target": "/malware/Backdoor:Win32/Plugx" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDropper:Win32/Tofsee", "display_name": "TrojanDropper:Win32/Tofsee", "target": "/malware/TrojanDropper:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": "6692440efac39f5213329f13", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 568, "FileHash-SHA1": 537, "FileHash-SHA256": 4887, "URL": 4778, "domain": 2347, "hostname": 1888, "SSLCertFingerprint": 15, "email": 16, "CVE": 1, "IPv4": 1 }, "indicator_count": 15038, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68930449988277cd29c25cb7", "name": "https://firebase.google.com/ - Ransom \u2022 Wiper\u2022 Trojan dropper", "description": "", "modified": "2025-09-05T07:00:00.711000", "created": "2025-08-06T07:29:13.136000", "tags": [ "url https", "iocs", "learn more", "ipv4", "domain", "hostname", "types of", "sweden", "united", "belgium", "indicator role", "title added", "active related", "pulses hostname", "showing", "document file", "v2 document", "search", "medium", "ms windows", "vista event", "port", "msie", "windows nt", "wow64", "dirty", "write", "powershell", "copy", "next", "defender", "dynamicloader", "high", "fwlink", "windows", "cmd c", "alerts", "bios", "related pulses", "pulses", "related tags", "file type", "ascii text", "sha256", "external", "virustotal api", "screenshots", "june", "flag", "usa windows", "input threat", "level analysis", "summary", "gbrflag", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "ssl certificate", "defense evasion", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "mitre att", "date", "path", "format", "august", "hybrid", "local", "form", "click", "strings", "ubar", "truetype", "web open", "font format", "description web", "general", "iframe", "slcc2", "media center", "destination", "tlsv1", "unknown", "execution", "dock", "persistence", "malware", "encrypt", "ck techniques", "read c", "show", "entries", "delete", "data upload", "extraction", "onlv", "find", "type", "no matching", "indicator", "mtb may", "trojandropper", "passive dns", "next associated", "lowfi", "gmt cache", "sameorigin", "ipv4 add", "trojan", "mtb apr", "files show", "date hash", "avast avg", "shellterlod may", "win32qqpass apr", "trojanspy", "ransom", "wiper", "date checked", "url hostname", "server response", "ip address", "google safe", "results aug", "urls show", "hookwowlow may" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": "6893032410060f658d862c60", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4593, "hostname": 1754, "domain": 399, "FileHash-SHA256": 2128, "FileHash-MD5": 426, "FileHash-SHA1": 299, "SSLCertFingerprint": 17 }, "indicator_count": 9616, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "271 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6893032410060f658d862c60", "name": "Hosting App - Partial research | Emotet Worm", "description": "#firebase #google #dark_web_hosting #ransom #tracking #locate #monitored_targets #worm #emotet #malware #remoted_devices #trojan #reputation\n\n\u2022 Targets likely unaware.\n\n[m.pornsexer.xxx.3.1.adiosfil.roksit.net - reputation tool]", "modified": "2025-09-05T07:00:00.711000", "created": "2025-08-06T07:24:20.645000", "tags": [ "url https", "iocs", "learn more", "ipv4", "domain", "hostname", "types of", "sweden", "united", "belgium", "indicator role", "title added", "active related", "pulses hostname", "showing", "document file", "v2 document", "search", "medium", "ms windows", "vista event", "port", "msie", "windows nt", "wow64", "dirty", "write", "powershell", "copy", "next", "defender", "dynamicloader", "high", "fwlink", "windows", "cmd c", "alerts", "bios", "related pulses", "pulses", "related tags", "file type", "ascii text", "sha256", "external", "virustotal api", "screenshots", "june", "flag", "usa windows", "input threat", "level analysis", "summary", "gbrflag", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "ssl certificate", "defense evasion", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "mitre att", "date", "path", "format", "august", "hybrid", "local", "form", "click", "strings", "ubar", "truetype", "web open", "font format", "description web", "general", "iframe", "slcc2", "media center", "destination", "tlsv1", "unknown", "execution", "dock", "persistence", "malware", "encrypt", "ck techniques", "read c", "show", "entries", "delete", "data upload", "extraction", "onlv", "find", "type", "no matching", "indicator", "mtb may", "trojandropper", "passive dns", "next associated", "lowfi", "gmt cache", "sameorigin", "ipv4 add", "trojan", "mtb apr", "files show", "date hash", "avast avg", "shellterlod may", "win32qqpass apr", "trojanspy", "ransom", "wiper", "date checked", "url hostname", "server response", "ip address", "google safe", "results aug", "urls show", "hookwowlow may" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4593, "hostname": 1754, "domain": 399, "FileHash-SHA256": 2128, "FileHash-MD5": 426, "FileHash-SHA1": 299, "SSLCertFingerprint": 17 }, "indicator_count": 9616, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "271 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "652a901fe2dbea9024b3d614", "name": "Black Tech", "description": "Found in a malicious Apple iTunes link. Lists several independent artists. Music \"producer\" is potentially highly dependent on use of AI generated instrumentation and conception. Hacking seems to target a single target and associates.", "modified": "2024-09-24T00:01:38.502000", "created": "2023-10-14T12:57:03.183000", "tags": [ "referrer", "historical ssl", "ssl certificate", "whois record", "whois ssl", "whois", "historical", "siblings parent", "network", "number", "label shanghai", "blue cloud", "ltd regional", "apnic country", "cn continent", "algorithm", "data", "v3 serial", "cus cndigicert", "basic rsa", "cn ca", "g2 odigicert", "inc validity", "oshanghai blue", "road", "beijing country", "beijing", "please", "apnic person", "cn phone", "whois lookup", "bluecloud descr", "shanghai blue", "ltd descr", "cnnic", "whois lookups", "updated date", "apnic netname", "beijing abusec", "abuse cnniccn", "liu registrant", "country", "dns replication", "date", "domain", "first", "blacklist https", "heur", "html", "malware", "alexa top", "site", "filerepmetagen", "suspected", "adware", "cisco umbrella", "malware site", "win64", "opencandy", "cleaner", "artemis", "iframe", "agent", "unsafe", "riskware", "acint", "nircmd", "swrort", "downldr", "systweak", "behav", "crack", "tiggre", "genkryptik", "exploit", "presenoker", "filetour", "conduit", "wacatac", "softcnapp", "xtrat", "cve201711882", "memscan", "phishing", "maltiverse", "zbot", "webtoolbar", "trojanspy", "million", "united", "phishing site", "malicious site", "proxy", "firehol", "detection list", "ip address", "blacklist", "safe site", "team", "fusioncore", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "installcore", "webshell", "alexa", "adposhel", "installpack", "xrat", "azorult", "service", "runescape", "facebook", "download", "gamehack", "verdict", "falcon sandbox", "pattern match", "show", "file", "indicator", "ascii text", "appdata", "mitre att", "et tor", "known tor", "severity", "hybrid", "general", "misc attack", "beginstring", "script", "relayrouter", "exit", "node traffic", "null", "error", "unknown", "span", "body", "refresh", "class", "critical", "tools", "look", "verify", "restart", "click", "strings", "meta", "anonymizer", "team proxy", "host", "control server", "meterpreter", "dnspionage", "filerepmalware", "fakealert", "pony", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "patcher", "adload", "webcompanion", "seraph", "downloader", "generic", "dapato", "redline stealer", "beach research", "blacklist http", "generic malware", "fakedout threat", "ip summary", "url summary", "summary", "sample", "samples", "bundled", "dropped", "contacted", "most malicious", "server", "parent parent" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Maltiverse", "display_name": "Maltiverse", "target": null }, { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "Behav", "display_name": "Behav", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "GameHack", "display_name": "GameHack", "target": null }, { "id": "Beach Research", "display_name": "Beach Research", "target": null }, { "id": "Generic", "display_name": "Generic", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2449, "FileHash-SHA1": 217, "FileHash-SHA256": 3441, "URL": 2044, "domain": 258, "hostname": 1100, "CIDR": 1, "email": 4, "CVE": 37 }, "indicator_count": 9551, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "617 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6692440efac39f5213329f13", "name": "Mustang Panda: Oxypumper | Ransom Suspicious verifier SpyTox", "description": "Mustang Panda is an alleged;China-based' non-governmental cyber espionage threat actor that was first observed in 2017. Targeting non-governmental civilians. Likely target is in many bot networks. Potential HoneyPot, this tool makes itself visible to target when researching the validity of an email or phone number. Notable for Gand Crane ransomware text embedded in SpyTox page image. Injection process observed. Affects most types of devices including iOS and Android. Critical issues found. IP's registrar's, domains 'not' contacted.\n\nHackers, harassment, cybercrime, cyber espionage.", "modified": "2024-08-12T08:04:00.041000", "created": "2024-07-13T09:08:30.431000", "tags": [ "historical ssl", "referrer", "june", "october", "july", "hacker", "pe resource", "mustang panda", "plugx", "cryptbot", "threat roundup", "december", "process32nextw", "regsetvalueexa", "x00x00", "regdword", "memcommit", "high", "regbinary", "okrnserver", "regsetvalueexw", "download", "copy", "as15169 google", "united", "aaaa", "unknown", "gmt path", "passive dns", "search", "cname", "showing", "cookie", "ascii text", "pattern match", "error", "null", "typeerror", "sha1", "mitre att", "et tor", "known tor", "date", "infinity", "onload", "trident", "android", "void", "hybrid", "local", "encrypt", "click", "strings", "generator", "third-party-cookies", "text/html", "trackers", "external-resources", "iframes", "entries", "status", "name servers", "urls", "next", "nxdomain", "susp", "a nxdomain", "domain", "win32", "as62597", "france unknown", "for privacy", "moved", "a domains", "meta", "gmt cache", "trojan", "creation date", "record value", "script urls", "as55293 a2", "as44273 host", "canada unknown", "scan endpoints", "all scoreblue", "pulse pulses", "files", "ip address", "location canada", "443 ma2592000", "code", "trojanspy", "type", "ipv4", "twitter", "trojandropper", "find", "form", "less see", "formbook cnc", "checkin", "a li", "li ul", "cycbot", "emails", "as20940", "as54113", "asnone denmark", "worm", "asnone", "as4230 claro", "refloadapihash", "salicode", "div div", "wi fi", "orion wi", "orion", "a div", "div section", "orion logo", "target", "fast", "contact", "open", "virtool", "content type", "found", "http response", "final url", "status code", "body length", "kb body", "sha256", "headers", "ubuntu", "accept", "keepalive", "site", "find people", "numbers", "sptox", "utc google", "html info", "title spytox", "emails meta", "tags viewport", "spytox og", "type win32", "exe size", "mb first", "seen", "file name", "avg win32", "fortinet", "double click", "solutions", "domains", "sneaky server", "replacement", "unauthorized", "malware http", "core", "sim unlock", "emotet", "ta569", "critical", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 protector", "confuser", "confuserex", "checker", "samplename", "bonusbitcoin", "xslayer", "samplepath", "names", "details", "header intel", "name md5", "language", "contained", "rticon neutral", "ico rtgroupicon", "neutral", "assembly common", "clr version", "assembly name", "metadata header", "entry point", "rva entry", "strong name", "streams size", "entropy chi2", "ip detections", "country", "executable", "info header", "allmul vbaget4", "adjfprem ord", "data rtversion", "generic", "file type", "win32 exe", "kb file", "graph", "user", "windir", "downloads", "written c", "files deleted", "dropped c", "process", "logistics", "cyber defense", "brazzers", "tsara brashears", "gpt analyzer", "apple private", "data collection", "twitter andor", "snatch", "ransomware", "default", "rticon english", "type name", "data", "getfilesize", "getdc copyimage", "rticon russian", "pe32 executable", "borland delphi", "delphi generic", "dos borland", "hkcuclsid", "registry keys", "hkcrclsid", "file system", "settings c", "files c", "shared c", "sharedink c", "hostname", "as29791", "as8426 claranet", "malware", "network", "apple ios", "apple", "tmobile metro", "apeaksoft ios", "spybanker", "remcos", "adwind", "njrat", "guloader", "banload", "asyncrat", "arkeistealer", "danabot", "nordvpnsetup", "kb graph", "summary", "sharedinkarsa c", "sharedinkbgbg c", "sharedinkcscz c", "sharedinkdadk c", "gmt etag", "x amz", "body", "body html", "bq jul", "et trojan", "v4inhxvlhx0", "medium", "memreserve", "checks amount", "t1082", "module load", "e weowe64e", "edelepexe", "e rev", "weinedoewse net", "ransom", "show", "filehash", "related", "reverse dns", "haut", "servers", "pulse submit", "as3215 orange", "france", "backdoor", "paris", "honeypot", "python", "callback phishing", "teams", "porn related", "harassment" ], "references": [ "https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?", "Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread", "Antivirus Detections: Win.Malware.Oxypumper-6900445-0", "IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile", "IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)", "IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA1 05e520126ee1100c98263bfbd5a6ff0ce6ace4f7", "Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8", "Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1", "Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ", "google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/", "https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622", "Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")", "scanning_hosts: 138.197.217.6, IPv4 142.251.18.103, IPv4 142.251.31.99", "Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9", "Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a", "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx", "Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp", "iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com", "iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com", "iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com", "iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com", "iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E", "Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/", "DotNET_Crypto_Obfuscator", "Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit , ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 , PWS:Win32/QQpass.B!MTB ,", "Antivirus Detections: Trojan:Win32/Bulta!rfn , TrojanDownloader:Win32/Cutwail , TrojanDropper:Win32/Loring , TrojanSpy:Win32/Nivdort.CB ,", "Antivirus Detections: TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA , TrojanSpy:Win32/Nivdort.DB ... , TrojanSpy:Win32/Nivdort.CB , TrojanSpy:Win32/Nivdort.CW , TrojanSpy:Win32/Nivdort.DA", "IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,", "IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...", "https://otx.alienvault.com/indicator/ip/216.40.34.41", "Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97", "ns2.tsaratsovo.net", "FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955", "FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79", "FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848", "DotNET_Crypto_Obfuscator", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj]", "IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 , DotNET_DotFuscator", "Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx", "Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger", "https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29", "Antivirus Detections: Win32:MalwareX-gen\\ [Trj] , Win.Ransomware.Gandcrab-9967304-0 , Ransom:Win32/GandCrab.AE", "Yara Detections ReflectiveLoader , Win32_Ransomware_GandCrab , stack_string", "Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc", "Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9", "Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5", "1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com", "mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "https://www.YouTube.com/polebote" ], "public": 1, "adversary": "Mustang Panda", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Oxypumper-6900445-0", "display_name": "Win.Malware.Oxypumper-6900445-0", "target": null }, { "id": "Backdoor:Win32/Plugx", "display_name": "Backdoor:Win32/Plugx", "target": "/malware/Backdoor:Win32/Plugx" }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cycbot", "display_name": "Cycbot", "target": null }, { "id": "Ransom:Win32/GandCrab.AE", "display_name": "Ransom:Win32/GandCrab.AE", "target": "/malware/Ransom:Win32/GandCrab.AE" }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDropper:Win32/Tofsee", "display_name": "TrojanDropper:Win32/Tofsee", "target": "/malware/TrojanDropper:Win32/Tofsee" } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 71, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 568, "FileHash-SHA1": 537, "FileHash-SHA256": 4887, "URL": 4773, "domain": 2346, "hostname": 1884, "SSLCertFingerprint": 15, "email": 16, "CVE": 1 }, "indicator_count": 15027, "is_author": false, "is_subscribing": null, "subscriber_count": 238, "modified_text": "660 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a9123acb8410d1158f8a", "name": "DNSpionage", "description": "", "modified": "2023-12-06T17:02:10.861000", "created": "2023-12-06T17:02:10.861000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 27, "FileHash-SHA256": 3307, "hostname": 1083, "FileHash-MD5": 2420, "FileHash-SHA1": 189, "domain": 255, "URL": 1933, "CIDR": 1, "email": 4 }, "indicator_count": 9219, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "910 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a90bc683765a535061dc", "name": "27 CVE Talley | GameHack l Beach Research", "description": "", "modified": "2023-12-06T17:02:03.119000", "created": "2023-12-06T17:02:03.119000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 27, "FileHash-SHA256": 3307, "hostname": 1083, "FileHash-MD5": 2420, "FileHash-SHA1": 189, "domain": 255, "URL": 1933, "CIDR": 1, "email": 4 }, "indicator_count": 9219, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "910 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a903fc0836f148fa45c9", "name": "Oshanghai Blue", "description": "", "modified": "2023-12-06T17:01:55.465000", "created": "2023-12-06T17:01:55.465000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 27, "FileHash-SHA256": 3307, "hostname": 1083, "FileHash-MD5": 2420, "FileHash-SHA1": 189, "domain": 255, "URL": 1933, "CIDR": 1, "email": 4 }, "indicator_count": 9219, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "910 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://fonts.google.com/license/googlerestricted@font-face", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://fonts.google.com/license/googlerestricted@font-face", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780507208.9310894 }