{ "type": "URL", "indicator": "https://gchq.github.io/CyberChef/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://gchq.github.io/CyberChef/", "type": "url", "type_title": "URL", "validation": [ { "source": "whitelist", "message": "Whitelisted domain github.io", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain github.io", "name": "Whitelisted domain" } ], "base_indicator": { "id": 1578909948, "indicator": "https://gchq.github.io/CyberChef/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "67df904daf96180003ff1e14", "name": "hxxps://github[.]com/Cn33liz/p0wnedShell - 07.15.25 (Un-Enriched)", "description": "Yara Rules Triggered:\n\n9b0e9dce190e3dcf83b697ba2a08c9031aa2de00a6d3a3db9c86e2a8b4bc7bc0\np0wnedShell\n\nMatches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL at https://github.com/InQuest/yara-rules-vt by InQuest Labs\nThis signature fires on the presence of Base64 encoded URI prefixes (http:// and https://) across any file. The simple presence of such strings is not inherently an indicator of malicious content, but is worth further investigation. - a moment ago\n View Ruleset\nMatches rule Hacktool_Strings_p0wnedShell from ruleset gen_p0wnshell at https://github.com/Neo23x0/signature-base by Florian Roth\nDetects strings found in Runspace Post Exploitation Toolkit - a moment ago\nMatches rule p0wnedPotato from ruleset gen_p0wnshell at https://github.com/Neo23x0/signature-base by Florian Roth (Nextron Systems)\np0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs - a moment ago", "modified": "2025-08-16T05:00:22.327000", "created": "2025-03-23T04:38:37.512000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "prefetch8 ansi", "date", "threat level", "show process", "sha256", "hash seen", "pcap processing", "command decode", "pcap", "suspicious", "hybrid", "comspec", "close", "click", "hosts", "general", "path", "model", "strings", "contact", "threat intelligence", "feed", "ioc", "change theme", "contact us", "intelligence", "threats api", "analyze api", "overview", "threats explore", "rate limits", "stixtaxii", "bulk export", "please", "javascript", "virus", "ransomware", "static", "indicator of compromise", "extraction", "emulation", "platform", "entity", "report phishing", "suspicious urls", "error", "sorry" ], "references": [ "https://hybrid-analysis.com/sample/c801e05a1ee3423572349377ea9bdc3846b62e949611679e81c3d6cddcde77e5/67dde11e816206bd720dc9a0", "https://pulsedive.com/indicator/?iid=68355616", "https://www.virustotal.com/gui/url/bc0fe9233e19654c54cc439e9f3e06491556867cde40e25c8589dbee265f3f2f/details", "https://www.filescan.io/uploads/67df8925a175d31773454fd7/reports/d000025d-8403-4b03-8f76-a3b74d9b821f/overview", "https://www.virustotal.com/graph/embed/ga577e541c45f4ef3b8c2ee0e464a4264caf5439148f941db8c2615f1b83baebe?theme=dark", "https://www.virustotal.com/gui/collection/f5259d2e7f82856773d9a0867206fe5b571627740209eb72652fd2c04b099a16", "https://www.virustotal.com/gui/collection/f5259d2e7f82856773d9a0867206fe5b571627740209eb72652fd2c04b099a16/iocs", "https://report.netcraft.com/submission/OAoeOZfDFap5UPDTF52Uy5Q754Z5Fctm?tab=urls", "https://app.threat.zone/submission/ef652ac5-bc19-43e4-a603-e2d2ccae55ff/static-scan-report/strings", "https://www.filescan.io/uploads/685b8c3dcf2af157111779ff/reports/69c49cb3-aef0-4a32-b382-6b38ec8187d0/overview", "https://app.any.run/tasks/2f11fff7-a2bc-4744-af91-279753100630", "https://app.threat.zone/submission/2514e91a-4ad4-4c54-bee3-276c86dcc970/overview", "https://polyswarm.network/scan/results/url/bc0fe9233e19654c54cc439e9f3e06491556867cde40e25c8589dbee265f3f2f", "https://tria.ge/250717-f744tavxcy/behavioral1" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Education", "Technology", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 219, "FileHash-SHA1": 203, "FileHash-SHA256": 530, "SSLCertFingerprint": 10, "email": 3, "hostname": 76, "URL": 164, "domain": 153 }, "indicator_count": 1358, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67b459c6d9f3a4d98e4221f6", "name": "AHS Thor Lite Windows 11 Enterprise - 02.18.25 - not enriched", "description": "AHS Endpoint\nSCANID: S-Phu25Pdtc6Q\nThor Lite Scan (Custom Rules)\nUpdated: 05.12.25", "modified": "2025-06-11T18:01:20.529000", "created": "2025-02-18T09:58:30.041000", "tags": [ "custom", "yara rule", "capa", "function", "hostinteraction", "scanid", "filesystem", "basicblock", "create", "process", "write", "meta", "persistence", "service", "antivm", "info", "encrypt", "june", "timestomp", "mine", "impact", "shell", "copy", "window", "find", "inject", "keylog", "bypass", "thor", "yayih", "download", "chacha", "antiav", "pipes", "rootkit", "doublepulsar", "logger", "teamviewer", "virustotal", "cookie", "notify", "bitcoin", "openssl", "model", "arch", "hosts", "avemaria", "maze", "wabot", "bangat", "enfal", "risepro", "mirage", "naikon", "netwalker", "olyx", "plugx", "rooter", "safenet", "t5000", "warp", "xtremerat", "comspec", "error", "macho", "fusion", "sandbox", "mark", "malware", "dotnet", "njrat", "install", "compiler" ], "references": [ "https://www.virustotal.com/gui/collection/7eaf72c6d83e1a53843e882b3139de2f1adfb0694d941fc25711382f04550194/summary", "https://www.virustotal.com/gui/collection/7eaf72c6d83e1a53843e882b3139de2f1adfb0694d941fc25711382f04550194/iocs", "https://www.virustotal.com/gui/collection/7eaf72c6d83e1a53843e882b3139de2f1adfb0694d941fc25711382f04550194/iocs", "https://www.virustotal.com/graph/embed/g44bd45d852dc47059636e6dd4313a995ae2d247fe58745a6b270b46d0b330b39?theme=dark", "https://viz.greynoise.io/analysis/5ba1fbf1-b14f-4ccb-b055-ed78f6154e51", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665782e1dfbf8ec2d3c", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d9a33510abd7f7cb089 - Readable Strings", "https://www.hybrid-analysis.com/sample/f6263e96056bbb4e0b750fea1d4aa466f39f52c6052ad42084d4371273d5d264", "https://www.hybrid-analysis.com/sample/f6263e96056bbb4e0b750fea1d4aa466f39f52c6052ad42084d4371273d5d264/682236230d2a1dace50cac79", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d9c33510abd7f7cb0cc - EXIF Data", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d8933510abd7f7caf8a - YARA Rules" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [ "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 75, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 143, "CVE": 7, "FileHash-MD5": 667, "FileHash-SHA1": 307, "FileHash-SHA256": 1417, "domain": 78, "email": 6, "hostname": 793, "CIDR": 2, "SSLCertFingerprint": 5 }, "indicator_count": 3425, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "311 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67a219f7c06d372f86335d64", "name": "Thor Linux Lite Scan - Sample Device & SG2 - 02.07.25 - Unenriched", "description": "Took a few tries but here is the complete thor Linux 64 Lite Scan on: Sample Device & a single drive (one of many) of the 77 TB of: things I have but don't know what to do with\n---\nOld Notes on previous scan attempts for this sample.\nSee Comments on VT\nMD5\nde880994c51d4055c960e2d32db89774\n \nSHA-1\n539e7c2eefd7a6aa17db436d83738c117f26798c\n \nSHA-256\na6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45\n \nSSDEEP\n98304:hpUsCWtdIdOKfb44V0ipGuEwWPKhmMWMCURFfxzRq6R5qJJfrPOOD86U6BDfIokW:BKftFfuDfqAfPPfa4f3\n \nTLSH\nT10D571AC3C70811188D2373EBE1B4BA59BD06381EDECA9D59F08D642C97946467A2EDCF", "modified": "2025-03-09T16:04:43.604000", "created": "2025-02-04T13:45:27.169000", "tags": [ "stuff", "data", "no problems", "upload", "problems1", "progressb", "progressi", "onedrive", "files", "bitdefender", "scanid", "lite version", "ioc jan", "thor lite", "ip address", "writing", "cron", "envcheck", "filescan", "firewall", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "virustotal", "arch", "hosts" ], "references": [ "pop-os_files_md5s.csv", "https://www.virustotal.com/graph/embed/g532ea94109c54d96ba1bde62201fb4439ef00ab8d0af4a2f99ee42846ad158df?theme=dark", "SCANID: S-yIBIO4Ib0l4", "SCANID: S-9uT7vEdHwHk", "SCANID: S-4FSYbAVw6TA", "SCANID: S-4jjwyMrjTU0", "SCANID: S-jZUP9vdJp8E", "https://www.virustotal.com/gui/collection/d8bbd97abe2ea808a02db46380171df0803a43a379ed3795a316cb1f947939de/iocs", "SCANID: S-CadvV0Kd35c", "SCANID: S-0LxiGnOve0Q", "SCANID: S-YV38dG9guZE", "https://www.virustotal.com/gui/collection/f890b10e639770c7e6ef3eeb804ee9e7391360557aedca7b1daaee02da0f7682/iocs", "https://www.virustotal.com/gui/collection/f890b10e639770c7e6ef3eeb804ee9e7391360557aedca7b1daaee02da0f7682/summary" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Education", "Healthcare", "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 701, "FileHash-SHA1": 871, "FileHash-SHA256": 897, "URL": 2920, "domain": 388, "email": 17, "CVE": 830, "hostname": 295 }, "indicator_count": 6919, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "406 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "666cc4389a708826aeeeb973", "name": "Thor Lite 64 and Orico Dive - 06.14.24", "description": "Description\nSCANID: S-MYo9X22NxW8\n\nTags:\ncrowdsourced\nbase64-embedded\ncontains-zip", "modified": "2024-07-14T21:03:03.342000", "created": "2024-06-14T22:29:12.766000", "tags": [ "please", "javascript", "fri may", "size1", "company1", "scanid", "mz created1", "desc1", "originalname1", "exists1", "internalname1", "imphash1", "service", "score", "cobaltstrike", "procdump", "powershell", "mimikatz", "powersploit", "info", "pipes", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "virustotal", "path", "model", "arch", "hosts" ], "references": [ "https://www.virustotal.com/gui/collection/5fee5bba85817a03920025d394d7998c8a9fc9ee02bbe3bd2a72de292aaeaf62/summary", "https://www.virustotal.com/gui/collection/5fee5bba85817a03920025d394d7998c8a9fc9ee02bbe3bd2a72de292aaeaf62/iocs", "https://www.virustotal.com/gui/collection/5fee5bba85817a03920025d394d7998c8a9fc9ee02bbe3bd2a72de292aaeaf62/graph" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" } ], "industries": [ "Education", "Government", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 74, "FileHash-MD5": 932, "FileHash-SHA1": 483, "FileHash-SHA256": 510, "domain": 4, "hostname": 47, "email": 1 }, "indicator_count": 2051, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "643 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.filescan.io/uploads/67df8925a175d31773454fd7/reports/d000025d-8403-4b03-8f76-a3b74d9b821f/overview", "https://pulsedive.com/indicator/?iid=68355616", "SCANID: S-9uT7vEdHwHk", "https://www.hybrid-analysis.com/sample/f6263e96056bbb4e0b750fea1d4aa466f39f52c6052ad42084d4371273d5d264/682236230d2a1dace50cac79", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d9c33510abd7f7cb0cc - EXIF Data", "pop-os_files_md5s.csv", "SCANID: S-yIBIO4Ib0l4", "https://www.virustotal.com/gui/collection/f5259d2e7f82856773d9a0867206fe5b571627740209eb72652fd2c04b099a16", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d9a33510abd7f7cb089 - Readable Strings", "SCANID: S-0LxiGnOve0Q", "https://app.threat.zone/submission/2514e91a-4ad4-4c54-bee3-276c86dcc970/overview", "https://polyswarm.network/scan/results/url/bc0fe9233e19654c54cc439e9f3e06491556867cde40e25c8589dbee265f3f2f", "SCANID: S-CadvV0Kd35c", "https://app.any.run/tasks/2f11fff7-a2bc-4744-af91-279753100630", "https://www.virustotal.com/gui/url/bc0fe9233e19654c54cc439e9f3e06491556867cde40e25c8589dbee265f3f2f/details", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d8933510abd7f7caf8a - YARA Rules", "https://hybrid-analysis.com/sample/c801e05a1ee3423572349377ea9bdc3846b62e949611679e81c3d6cddcde77e5/67dde11e816206bd720dc9a0", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665782e1dfbf8ec2d3c", "SCANID: S-YV38dG9guZE", "https://www.virustotal.com/gui/collection/7eaf72c6d83e1a53843e882b3139de2f1adfb0694d941fc25711382f04550194/summary", "https://www.virustotal.com/gui/collection/f5259d2e7f82856773d9a0867206fe5b571627740209eb72652fd2c04b099a16/iocs", "https://www.virustotal.com/gui/collection/f890b10e639770c7e6ef3eeb804ee9e7391360557aedca7b1daaee02da0f7682/summary", "https://www.virustotal.com/gui/collection/d8bbd97abe2ea808a02db46380171df0803a43a379ed3795a316cb1f947939de/iocs", "https://www.virustotal.com/gui/collection/7eaf72c6d83e1a53843e882b3139de2f1adfb0694d941fc25711382f04550194/iocs", "https://www.virustotal.com/graph/embed/g44bd45d852dc47059636e6dd4313a995ae2d247fe58745a6b270b46d0b330b39?theme=dark", "https://viz.greynoise.io/analysis/5ba1fbf1-b14f-4ccb-b055-ed78f6154e51", "https://www.filescan.io/uploads/685b8c3dcf2af157111779ff/reports/69c49cb3-aef0-4a32-b382-6b38ec8187d0/overview", "https://www.virustotal.com/gui/collection/5fee5bba85817a03920025d394d7998c8a9fc9ee02bbe3bd2a72de292aaeaf62/iocs", "https://www.virustotal.com/gui/collection/5fee5bba85817a03920025d394d7998c8a9fc9ee02bbe3bd2a72de292aaeaf62/graph", "https://app.threat.zone/submission/ef652ac5-bc19-43e4-a603-e2d2ccae55ff/static-scan-report/strings", "SCANID: S-jZUP9vdJp8E", "SCANID: S-4jjwyMrjTU0", "https://www.virustotal.com/gui/collection/f890b10e639770c7e6ef3eeb804ee9e7391360557aedca7b1daaee02da0f7682/iocs", "SCANID: S-4FSYbAVw6TA", "https://report.netcraft.com/submission/OAoeOZfDFap5UPDTF52Uy5Q754Z5Fctm?tab=urls", "https://www.virustotal.com/gui/collection/5fee5bba85817a03920025d394d7998c8a9fc9ee02bbe3bd2a72de292aaeaf62/summary", "https://www.virustotal.com/graph/embed/g532ea94109c54d96ba1bde62201fb4439ef00ab8d0af4a2f99ee42846ad158df?theme=dark", "https://www.virustotal.com/graph/embed/ga577e541c45f4ef3b8c2ee0e464a4264caf5439148f941db8c2615f1b83baebe?theme=dark", "https://www.hybrid-analysis.com/sample/f6263e96056bbb4e0b750fea1d4aa466f39f52c6052ad42084d4371273d5d264", "https://tria.ge/250717-f744tavxcy/behavioral1" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [ "Healthcare", "Government", "Technology", "Telecommunications", "Education" ], "unique_indicators": 7720 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/github.io", "whois": "http://whois.domaintools.com/github.io", "domain": "github.io", "hostname": "gchq.github.io" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "67df904daf96180003ff1e14", "name": "hxxps://github[.]com/Cn33liz/p0wnedShell - 07.15.25 (Un-Enriched)", "description": "Yara Rules Triggered:\n\n9b0e9dce190e3dcf83b697ba2a08c9031aa2de00a6d3a3db9c86e2a8b4bc7bc0\np0wnedShell\n\nMatches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL at https://github.com/InQuest/yara-rules-vt by InQuest Labs\nThis signature fires on the presence of Base64 encoded URI prefixes (http:// and https://) across any file. The simple presence of such strings is not inherently an indicator of malicious content, but is worth further investigation. - a moment ago\n View Ruleset\nMatches rule Hacktool_Strings_p0wnedShell from ruleset gen_p0wnshell at https://github.com/Neo23x0/signature-base by Florian Roth\nDetects strings found in Runspace Post Exploitation Toolkit - a moment ago\nMatches rule p0wnedPotato from ruleset gen_p0wnshell at https://github.com/Neo23x0/signature-base by Florian Roth (Nextron Systems)\np0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs - a moment ago", "modified": "2025-08-16T05:00:22.327000", "created": "2025-03-23T04:38:37.512000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "prefetch8 ansi", "date", "threat level", "show process", "sha256", "hash seen", "pcap processing", "command decode", "pcap", "suspicious", "hybrid", "comspec", "close", "click", "hosts", "general", "path", "model", "strings", "contact", "threat intelligence", "feed", "ioc", "change theme", "contact us", "intelligence", "threats api", "analyze api", "overview", "threats explore", "rate limits", "stixtaxii", "bulk export", "please", "javascript", "virus", "ransomware", "static", "indicator of compromise", "extraction", "emulation", "platform", "entity", "report phishing", "suspicious urls", "error", "sorry" ], "references": [ "https://hybrid-analysis.com/sample/c801e05a1ee3423572349377ea9bdc3846b62e949611679e81c3d6cddcde77e5/67dde11e816206bd720dc9a0", "https://pulsedive.com/indicator/?iid=68355616", "https://www.virustotal.com/gui/url/bc0fe9233e19654c54cc439e9f3e06491556867cde40e25c8589dbee265f3f2f/details", "https://www.filescan.io/uploads/67df8925a175d31773454fd7/reports/d000025d-8403-4b03-8f76-a3b74d9b821f/overview", "https://www.virustotal.com/graph/embed/ga577e541c45f4ef3b8c2ee0e464a4264caf5439148f941db8c2615f1b83baebe?theme=dark", "https://www.virustotal.com/gui/collection/f5259d2e7f82856773d9a0867206fe5b571627740209eb72652fd2c04b099a16", "https://www.virustotal.com/gui/collection/f5259d2e7f82856773d9a0867206fe5b571627740209eb72652fd2c04b099a16/iocs", "https://report.netcraft.com/submission/OAoeOZfDFap5UPDTF52Uy5Q754Z5Fctm?tab=urls", "https://app.threat.zone/submission/ef652ac5-bc19-43e4-a603-e2d2ccae55ff/static-scan-report/strings", "https://www.filescan.io/uploads/685b8c3dcf2af157111779ff/reports/69c49cb3-aef0-4a32-b382-6b38ec8187d0/overview", "https://app.any.run/tasks/2f11fff7-a2bc-4744-af91-279753100630", "https://app.threat.zone/submission/2514e91a-4ad4-4c54-bee3-276c86dcc970/overview", "https://polyswarm.network/scan/results/url/bc0fe9233e19654c54cc439e9f3e06491556867cde40e25c8589dbee265f3f2f", "https://tria.ge/250717-f744tavxcy/behavioral1" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Education", "Technology", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 219, "FileHash-SHA1": 203, "FileHash-SHA256": 530, "SSLCertFingerprint": 10, "email": 3, "hostname": 76, "URL": 164, "domain": 153 }, "indicator_count": 1358, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67b459c6d9f3a4d98e4221f6", "name": "AHS Thor Lite Windows 11 Enterprise - 02.18.25 - not enriched", "description": "AHS Endpoint\nSCANID: S-Phu25Pdtc6Q\nThor Lite Scan (Custom Rules)\nUpdated: 05.12.25", "modified": "2025-06-11T18:01:20.529000", "created": "2025-02-18T09:58:30.041000", "tags": [ "custom", "yara rule", "capa", "function", "hostinteraction", "scanid", "filesystem", "basicblock", "create", "process", "write", "meta", "persistence", "service", "antivm", "info", "encrypt", "june", "timestomp", "mine", "impact", "shell", "copy", "window", "find", "inject", "keylog", "bypass", "thor", "yayih", "download", "chacha", "antiav", "pipes", "rootkit", "doublepulsar", "logger", "teamviewer", "virustotal", "cookie", "notify", "bitcoin", "openssl", "model", "arch", "hosts", "avemaria", "maze", "wabot", "bangat", "enfal", "risepro", "mirage", "naikon", "netwalker", "olyx", "plugx", "rooter", "safenet", "t5000", "warp", "xtremerat", "comspec", "error", "macho", "fusion", "sandbox", "mark", "malware", "dotnet", "njrat", "install", "compiler" ], "references": [ "https://www.virustotal.com/gui/collection/7eaf72c6d83e1a53843e882b3139de2f1adfb0694d941fc25711382f04550194/summary", "https://www.virustotal.com/gui/collection/7eaf72c6d83e1a53843e882b3139de2f1adfb0694d941fc25711382f04550194/iocs", "https://www.virustotal.com/gui/collection/7eaf72c6d83e1a53843e882b3139de2f1adfb0694d941fc25711382f04550194/iocs", "https://www.virustotal.com/graph/embed/g44bd45d852dc47059636e6dd4313a995ae2d247fe58745a6b270b46d0b330b39?theme=dark", "https://viz.greynoise.io/analysis/5ba1fbf1-b14f-4ccb-b055-ed78f6154e51", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/67ab2665782e1dfbf8ec2d3c", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d9a33510abd7f7cb089 - Readable Strings", "https://www.hybrid-analysis.com/sample/f6263e96056bbb4e0b750fea1d4aa466f39f52c6052ad42084d4371273d5d264", "https://www.hybrid-analysis.com/sample/f6263e96056bbb4e0b750fea1d4aa466f39f52c6052ad42084d4371273d5d264/682236230d2a1dace50cac79", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d9c33510abd7f7cb0cc - EXIF Data", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/681f8d8933510abd7f7caf8a - YARA Rules" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [ "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 75, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 143, "CVE": 7, "FileHash-MD5": 667, "FileHash-SHA1": 307, "FileHash-SHA256": 1417, "domain": 78, "email": 6, "hostname": 793, "CIDR": 2, "SSLCertFingerprint": 5 }, "indicator_count": 3425, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "311 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67a219f7c06d372f86335d64", "name": "Thor Linux Lite Scan - Sample Device & SG2 - 02.07.25 - Unenriched", "description": "Took a few tries but here is the complete thor Linux 64 Lite Scan on: Sample Device & a single drive (one of many) of the 77 TB of: things I have but don't know what to do with\n---\nOld Notes on previous scan attempts for this sample.\nSee Comments on VT\nMD5\nde880994c51d4055c960e2d32db89774\n \nSHA-1\n539e7c2eefd7a6aa17db436d83738c117f26798c\n \nSHA-256\na6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45\n \nSSDEEP\n98304:hpUsCWtdIdOKfb44V0ipGuEwWPKhmMWMCURFfxzRq6R5qJJfrPOOD86U6BDfIokW:BKftFfuDfqAfPPfa4f3\n \nTLSH\nT10D571AC3C70811188D2373EBE1B4BA59BD06381EDECA9D59F08D642C97946467A2EDCF", "modified": "2025-03-09T16:04:43.604000", "created": "2025-02-04T13:45:27.169000", "tags": [ "stuff", "data", "no problems", "upload", "problems1", "progressb", "progressi", "onedrive", "files", "bitdefender", "scanid", "lite version", "ioc jan", "thor lite", "ip address", "writing", "cron", "envcheck", "filescan", "firewall", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "virustotal", "arch", "hosts" ], "references": [ "pop-os_files_md5s.csv", "https://www.virustotal.com/graph/embed/g532ea94109c54d96ba1bde62201fb4439ef00ab8d0af4a2f99ee42846ad158df?theme=dark", "SCANID: S-yIBIO4Ib0l4", "SCANID: S-9uT7vEdHwHk", "SCANID: S-4FSYbAVw6TA", "SCANID: S-4jjwyMrjTU0", "SCANID: S-jZUP9vdJp8E", "https://www.virustotal.com/gui/collection/d8bbd97abe2ea808a02db46380171df0803a43a379ed3795a316cb1f947939de/iocs", "SCANID: S-CadvV0Kd35c", "SCANID: S-0LxiGnOve0Q", "SCANID: S-YV38dG9guZE", "https://www.virustotal.com/gui/collection/f890b10e639770c7e6ef3eeb804ee9e7391360557aedca7b1daaee02da0f7682/iocs", "https://www.virustotal.com/gui/collection/f890b10e639770c7e6ef3eeb804ee9e7391360557aedca7b1daaee02da0f7682/summary" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Education", "Healthcare", "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 701, "FileHash-SHA1": 871, "FileHash-SHA256": 897, "URL": 2920, "domain": 388, "email": 17, "CVE": 830, "hostname": 295 }, "indicator_count": 6919, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "406 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "666cc4389a708826aeeeb973", "name": "Thor Lite 64 and Orico Dive - 06.14.24", "description": "Description\nSCANID: S-MYo9X22NxW8\n\nTags:\ncrowdsourced\nbase64-embedded\ncontains-zip", "modified": "2024-07-14T21:03:03.342000", "created": "2024-06-14T22:29:12.766000", "tags": [ "please", "javascript", "fri may", "size1", "company1", "scanid", "mz created1", "desc1", "originalname1", "exists1", "internalname1", "imphash1", "service", "score", "cobaltstrike", "procdump", "powershell", "mimikatz", "powersploit", "info", "pipes", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "virustotal", "path", "model", "arch", "hosts" ], "references": [ "https://www.virustotal.com/gui/collection/5fee5bba85817a03920025d394d7998c8a9fc9ee02bbe3bd2a72de292aaeaf62/summary", "https://www.virustotal.com/gui/collection/5fee5bba85817a03920025d394d7998c8a9fc9ee02bbe3bd2a72de292aaeaf62/iocs", "https://www.virustotal.com/gui/collection/5fee5bba85817a03920025d394d7998c8a9fc9ee02bbe3bd2a72de292aaeaf62/graph" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" } ], "industries": [ "Education", "Government", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 74, "FileHash-MD5": 932, "FileHash-SHA1": 483, "FileHash-SHA256": 510, "domain": 4, "hostname": 47, "email": 1 }, "indicator_count": 2051, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "643 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://gchq.github.io/CyberChef/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://gchq.github.io/CyberChef/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776618340.3590112 }