{ "type": "URL", "indicator": "https://github.com/0x00-0x00/ShellPop", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://github.com/0x00-0x00/ShellPop", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #87", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #560", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain github.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain github.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3904012524, "indicator": "https://github.com/0x00-0x00/ShellPop", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "6946cb8e3eff732bd3d47bff", "name": "Thor Lite - 07.27.25 - APT Detections [by Disable_Duck]", "description": "", "modified": "2025-12-20T16:15:10.914000", "created": "2025-12-20T16:15:10.914000", "tags": [ "data", "upload", "sg2backup drive", "no problems", "problems1", "supportavast", "progressb", "files", "onedrivenoprobs", "sg2suss", "trash", "fall", "Covenant Health", "AHS", "Alberta Health Services", "Rogers", "UAlberta", "APT", "Edmonton", "Telus" ], "references": [ "Bitch-On-Wheels_files_md5s.csv", "832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431", "f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106", "", "https://hybrid-analysis.com/sample/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://tria.ge/250729-s1vysaywgy", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3", "https://polyswarm.network/scan/results/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/a3528542-a121-4351-91fe-de5aab327fe2/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/3c22777d-9fa3-4d67-a00a-8aa505154874/overview", "https://metadefender.com/results/file/bzI1MDcyOV9QRkdmNWZwSkhvMG11YWczRVZMRw_mdaas", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/5fdda54a-0164-4d4e-a248-d07ec3780d8a/overview", "https://app.threat.zone/submission/ef60d9bd-bd97-4859-8e58-4f670d1f1783/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/21f7ed2c-7815-49f0-8697-998b341df34a/overview", "https://tip.neiki.dev/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://hybrid-analysis.com/sample/f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "https://hybrid-analysis.com/sample/902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106/6888ec5bd7a73585560d2ddd", "https://hybrid-analysis.com/sample/832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431/6888ec5cfd974c2a5b0f1cfa", "https://hybrid-analysis.com/sample/12f05b32365a6fc40b30d108ea0dc730f662c6ee48c0feccf7cb43263a0a8166/6888ec5d423dabf7de0872d7" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": "6887d46c19a44d6affd7bd2d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4790, "FileHash-SHA1": 3172, "FileHash-SHA256": 2764, "domain": 453, "URL": 2688, "CVE": 59, "email": 31, "hostname": 638 }, "indicator_count": 14595, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "119 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6887d46c19a44d6affd7bd2d", "name": "Thor Lite - 07.27.25 - APT Detections [un-enriched]", "description": "Thor Lite Scan on Windows PC (a psuedo mirror of sorts) of a University of Alberta, Alberta Health Services, Covenant Health, Government of Alberta Portable Workstation. Files uploaded to VT.\nUpdated Note: Included IOCs from Filescanio\nRan files through: Neiki, FileScanio, Polyswarm, Triage, Metadefender, Hybrid Analysis, Threatzone, Virustotal\nTPs = This Pulse - IOCs from references", "modified": "2025-08-28T16:04:17.368000", "created": "2025-07-28T19:50:04.469000", "tags": [ "data", "upload", "sg2backup drive", "no problems", "problems1", "supportavast", "progressb", "files", "onedrivenoprobs", "sg2suss", "trash", "fall", "Covenant Health", "AHS", "Alberta Health Services", "Rogers", "UAlberta", "APT", "Edmonton", "Telus" ], "references": [ "Bitch-On-Wheels_files_md5s.csv", "832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431", "f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106", "", "https://hybrid-analysis.com/sample/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://tria.ge/250729-s1vysaywgy", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3", "https://polyswarm.network/scan/results/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/a3528542-a121-4351-91fe-de5aab327fe2/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/3c22777d-9fa3-4d67-a00a-8aa505154874/overview", "https://metadefender.com/results/file/bzI1MDcyOV9QRkdmNWZwSkhvMG11YWczRVZMRw_mdaas", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/5fdda54a-0164-4d4e-a248-d07ec3780d8a/overview", "https://app.threat.zone/submission/ef60d9bd-bd97-4859-8e58-4f670d1f1783/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/21f7ed2c-7815-49f0-8697-998b341df34a/overview", "https://tip.neiki.dev/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://hybrid-analysis.com/sample/f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "https://hybrid-analysis.com/sample/902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106/6888ec5bd7a73585560d2ddd", "https://hybrid-analysis.com/sample/832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431/6888ec5cfd974c2a5b0f1cfa", "https://hybrid-analysis.com/sample/12f05b32365a6fc40b30d108ea0dc730f662c6ee48c0feccf7cb43263a0a8166/6888ec5d423dabf7de0872d7" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4790, "FileHash-SHA1": 3172, "FileHash-SHA256": 2764, "domain": 453, "URL": 2688, "CVE": 59, "email": 31, "hostname": 638 }, "indicator_count": 14595, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "233 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67eb87f8beff23dfe3508000", "name": "Thor Lite Linux 64 - 03.31.25 - Sample PopOS Device", "description": "Thor Lite Linux 64 - 03.31.25 - Sample PopOS Device (She's had it)\nResults for matches uploaded to VT\nJust tossed results into this pulse so - sloppy.", "modified": "2025-04-01T07:52:30.117000", "created": "2025-04-01T06:30:16.309000", "tags": [ "fri mar", "filename ioc", "reasonscount", "sigtype1", "indicator type", "log entry", "entry", "exists1", "matched1", "exploit code", "score", "rooter", "warp", "cobaltstrike", "luckycat", "obfus", "code", "surtr", "9999", "powersploit", "bypass", "proftpd", "mimikatz", "info" ], "references": [ "https://www.virustotal.com/gui/collection/febf534513e07ef3b2a63b824827cc86b61c21d641bbb9da73933240dd9d2710/iocs", "https://www.virustotal.com/gui/collection/febf534513e07ef3b2a63b824827cc86b61c21d641bbb9da73933240dd9d2710/summary" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [ "Technology", "Healthcare", "Education", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 345, "FileHash-MD5": 111, "FileHash-SHA1": 174, "FileHash-SHA256": 131, "URL": 499, "domain": 38, "hostname": 47 }, "indicator_count": 1345, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "383 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "666ac558d08da6cfb3ba135b", "name": "Thor Lite Scanner - Cigabuntu (Parrot Version) vs. The Book of Shadows", "description": "A little unclear on 'just exactly what all of this is' - Other than Huntress Catching things and Thor & Bitdefender Gravutyzone ****ing the bed\n\nScan ID: S-6vsmMgE47Gk\nScan Id: S-H9GdDtmU2vU\n\n06.13.24: https://www.virustotal.com/graph/embed/g14ccc2b5794648cc838da283a8fbfcda4d95dde6ddc44798be19c2832778787f?theme=dark", "modified": "2024-07-13T09:05:44.647000", "created": "2024-06-13T10:09:28.617000", "tags": [ "entity", "please", "javascript", "valhalla", "php", "filename ioc", "mon jun", "module", "sigtype1", "reasonscount", "tue jun", "exploit code", "file names", "matched1", "score", "shellcode", "form", "mimikatz", "powershell", "cobaltstrike", "null", "trace", "shell", "import", "empire", "hermanos", "cobalt strike", "void", "body", "exploit", "webshell", "antak", "anomaly", "error", "generic", "target", "obfus", "skeletonkey", "virustotal", "dllimport", "false", "flash", "info", "click", "macos", "test", "powersploit", "powercat", "tools", "metasploit", "twitter", "open", "path", "xploit" ], "references": [ "https://www.virustotal.com/graph/embed/g14ccc2b5794648cc838da283a8fbfcda4d95dde6ddc44798be19c2832778787f?theme=dark", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/summary", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/iocs", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/graph" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VALHALLA", "display_name": "VALHALLA", "target": null }, { "id": "PHP", "display_name": "PHP", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 74, "CVE": 156, "FileHash-MD5": 828, "FileHash-SHA1": 1126, "FileHash-SHA256": 746, "domain": 130, "email": 4, "hostname": 21 }, "indicator_count": 3085, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "645 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "666a6ae5bb437ef87caedb43", "name": "Thor-Lite - ASUS, SG1 & 128 USB - 06.12.24", "description": "Just a thor-lite scan of a sample W11 Asus Device, a backup drive, and a 128 GB US\n-Some false positives (b/c ya know - community edition)\n\n06.12.24: https://www.virustotal.com/graph/embed/g23296a8424204aeda69d32bb307e46820e4f1803c8f54cdd97b5e92a9cb58552?theme=dark", "modified": "2024-07-13T03:04:07.502000", "created": "2024-06-13T03:43:33.080000", "tags": [ "valhalla", "parrotthor lite", "lite", "kano", "big drive", "scanid", "size1", "company1", "mz created1", "exists1", "desc1", "originalname1", "fri may", "imphash1", "internalname1", "service", "anomaly", "error", "virustotal", "bypass", "score", "procdump", "cobaltstrike", "pipes", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "body", "powershell", "path", "shellcode", "model", "arch", "hosts", "pass", "powersploit", "powercat", "please", "javascript", "entity", "contains-pe", "contains-elf", "contains-zip", "base64-embedded" ], "references": [ "https://www.virustotal.com/gui/collection/ac61bce3fb3e41361f2977c65c924ebe8962d8000981e3c57e222388064bf67a/iocs", "https://www.virustotal.com/graph/embed/g23296a8424204aeda69d32bb307e46820e4f1803c8f54cdd97b5e92a9cb58552?theme=dark", "https://www.virustotal.com/gui/collection/ac61bce3fb3e41361f2977c65c924ebe8962d8000981e3c57e222388064bf67a/graph", "https://www.virustotal.com/gui/collection/ac61bce3fb3e41361f2977c65c924ebe8962d8000981e3c57e222388064bf67a/summary" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" } ], "industries": [ "Telecommunications", "Healthcare", "Government", "Education", "contains-embedded-js", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1064, "URL": 105, "CVE": 8, "FileHash-SHA1": 549, "FileHash-SHA256": 567, "domain": 19, "email": 2, "hostname": 77 }, "indicator_count": 2391, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "645 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6668b85065eec626e4766a38", "name": "Thor-Lite Linux 64 (06.11.24) - enriched a bit more but not 'pruned'", "description": "Please note: This sample is a tad 'outdated' as I ran both scans kind of by accident lol (i.e. did not update w. the utils utility). I was a bit tired so a happy accident of more data? - but gives a general 'picture' or 'painting' anyways on a rather small set of data.\n\nHave some more data to put up (picked up by Huntress Labs) - just have to get that back online.\n\nWould love to accommodate for some confounding variables - e.g. filter for false positives, windows logs, networking capabilities (better than what I have now) to better inform the team taking care of me (us). \n\nNote: Given it was using some outdated thor modules (lite-version), it was 'good enough' to provide some data worth looking into that 'falls in line' w. what I've come across. \n\nJust a combined sample (2 in 1) of a thor-lite scan of a linux instance (06.11.24)\n\nI've just listed a few places I have some direct ties to in one way or another (not including the other UAlberta students affected that have been in contact with me or reached out).", "modified": "2024-07-11T21:08:15.880000", "created": "2024-06-11T20:49:20.318000", "tags": [ "mon jun", "filename ioc", "scanid", "sigtype1", "group", "reason1", "matched1", "reasonscount", "dangerous file", "exploit code", "trace", "anomaly", "project", "import", "mimikatz", "form", "powershell", "shellcode", "cobaltstrike", "hermanos", "cobalt strike", "inject", "body", "null", "confuserex", "virustotal", "generic", "comspec", "injectdll", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "obfus", "webshell", "phpshell", "error", "exploit", "dllimport", "info", "kill", "path", "arch", "hosts", "bifrost", "thor", "false", "tools", "flash", "cve201711882", "macos", "bypass", "green", "team", "target", "cred", "powersploit", "recursive", "term", "download", "zero", "antak", "install", "metasploit", "local", "meterpreter", "shell", "please", "javascript", "entity" ], "references": [ "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/iocs", "https://www.virustotal.com/graph/embed/gfdb1aa99d73447818bfcd10130b237a4e92dbf316d5f4f028ad64f71f882bccc?theme=dark", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/graph", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/summary", "https://urlscan.io/search/#user:me%20OR%20team:me", "https://viz.greynoise.io/analysis/eaa63cd1-14fd-4d03-9e83-29bd58eab538" ], "public": 1, "adversary": "Unknown", "targeted_countries": [ "United States of America", "Canada", "Netherlands", "Anguilla", "Panama", "Trinidad and Tobago", "Saint Martin (French part)", "Saint Vincent and the Grenadines", "Sint Maarten (Dutch part)", "Mexico", "Philippines", "Japan", "Aruba", "Costa Rica", "Guatemala", "China", "Barbados", "Saint Kitts and Nevis", "Cayman Islands", "Cura\u00e7ao", "Virgin Islands, U.S." ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" } ], "industries": [ "Education", "Technology", "Government", "Healthcare", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 247, "FileHash-MD5": 1183, "FileHash-SHA1": 1553, "FileHash-SHA256": 1240, "URL": 486, "domain": 294, "email": 8, "hostname": 138 }, "indicator_count": 5149, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "646 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "https://tip.neiki.dev/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://www.virustotal.com/graph/embed/g23296a8424204aeda69d32bb307e46820e4f1803c8f54cdd97b5e92a9cb58552?theme=dark", "f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "Bitch-On-Wheels_files_md5s.csv", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/3c22777d-9fa3-4d67-a00a-8aa505154874/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/a3528542-a121-4351-91fe-de5aab327fe2/overview", "https://www.virustotal.com/graph/embed/g14ccc2b5794648cc838da283a8fbfcda4d95dde6ddc44798be19c2832778787f?theme=dark", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/iocs", "https://hybrid-analysis.com/sample/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/summary", "https://hybrid-analysis.com/sample/f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/summary", "902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106", "https://www.virustotal.com/gui/collection/ac61bce3fb3e41361f2977c65c924ebe8962d8000981e3c57e222388064bf67a/iocs", "https://www.virustotal.com/gui/collection/febf534513e07ef3b2a63b824827cc86b61c21d641bbb9da73933240dd9d2710/summary", "832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/21f7ed2c-7815-49f0-8697-998b341df34a/overview", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/graph", "https://hybrid-analysis.com/sample/12f05b32365a6fc40b30d108ea0dc730f662c6ee48c0feccf7cb43263a0a8166/6888ec5d423dabf7de0872d7", "https://www.virustotal.com/gui/collection/ac61bce3fb3e41361f2977c65c924ebe8962d8000981e3c57e222388064bf67a/summary", "https://www.virustotal.com/gui/collection/ac61bce3fb3e41361f2977c65c924ebe8962d8000981e3c57e222388064bf67a/graph", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/graph", "https://hybrid-analysis.com/sample/902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106/6888ec5bd7a73585560d2ddd", "https://tria.ge/250729-s1vysaywgy", "https://www.virustotal.com/gui/collection/febf534513e07ef3b2a63b824827cc86b61c21d641bbb9da73933240dd9d2710/iocs", "https://metadefender.com/results/file/bzI1MDcyOV9QRkdmNWZwSkhvMG11YWczRVZMRw_mdaas", "https://urlscan.io/search/#user:me%20OR%20team:me", "https://viz.greynoise.io/analysis/eaa63cd1-14fd-4d03-9e83-29bd58eab538", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/5fdda54a-0164-4d4e-a248-d07ec3780d8a/overview", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/iocs", "https://app.threat.zone/submission/ef60d9bd-bd97-4859-8e58-4f670d1f1783/overview", "https://polyswarm.network/scan/results/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://www.virustotal.com/graph/embed/gfdb1aa99d73447818bfcd10130b237a4e92dbf316d5f4f028ad64f71f882bccc?theme=dark", "https://hybrid-analysis.com/sample/832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431/6888ec5cfd974c2a5b0f1cfa" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Unknown" ], "malware_families": [ "Php", "Valhalla" ], "industries": [ "Contains-embedded-js", "Healthcare", "Education", "Telecommunications", "Technology", "Government" ], "unique_indicators": 11739 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/github.com", "whois": "http://whois.domaintools.com/github.com", "domain": "github.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "6946cb8e3eff732bd3d47bff", "name": "Thor Lite - 07.27.25 - APT Detections [by Disable_Duck]", "description": "", "modified": "2025-12-20T16:15:10.914000", "created": "2025-12-20T16:15:10.914000", "tags": [ "data", "upload", "sg2backup drive", "no problems", "problems1", "supportavast", "progressb", "files", "onedrivenoprobs", "sg2suss", "trash", "fall", "Covenant Health", "AHS", "Alberta Health Services", "Rogers", "UAlberta", "APT", "Edmonton", "Telus" ], "references": [ "Bitch-On-Wheels_files_md5s.csv", "832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431", "f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106", "", "https://hybrid-analysis.com/sample/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://tria.ge/250729-s1vysaywgy", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3", "https://polyswarm.network/scan/results/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/a3528542-a121-4351-91fe-de5aab327fe2/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/3c22777d-9fa3-4d67-a00a-8aa505154874/overview", "https://metadefender.com/results/file/bzI1MDcyOV9QRkdmNWZwSkhvMG11YWczRVZMRw_mdaas", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/5fdda54a-0164-4d4e-a248-d07ec3780d8a/overview", "https://app.threat.zone/submission/ef60d9bd-bd97-4859-8e58-4f670d1f1783/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/21f7ed2c-7815-49f0-8697-998b341df34a/overview", "https://tip.neiki.dev/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://hybrid-analysis.com/sample/f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "https://hybrid-analysis.com/sample/902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106/6888ec5bd7a73585560d2ddd", "https://hybrid-analysis.com/sample/832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431/6888ec5cfd974c2a5b0f1cfa", "https://hybrid-analysis.com/sample/12f05b32365a6fc40b30d108ea0dc730f662c6ee48c0feccf7cb43263a0a8166/6888ec5d423dabf7de0872d7" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": "6887d46c19a44d6affd7bd2d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4790, "FileHash-SHA1": 3172, "FileHash-SHA256": 2764, "domain": 453, "URL": 2688, "CVE": 59, "email": 31, "hostname": 638 }, "indicator_count": 14595, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "119 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6887d46c19a44d6affd7bd2d", "name": "Thor Lite - 07.27.25 - APT Detections [un-enriched]", "description": "Thor Lite Scan on Windows PC (a psuedo mirror of sorts) of a University of Alberta, Alberta Health Services, Covenant Health, Government of Alberta Portable Workstation. Files uploaded to VT.\nUpdated Note: Included IOCs from Filescanio\nRan files through: Neiki, FileScanio, Polyswarm, Triage, Metadefender, Hybrid Analysis, Threatzone, Virustotal\nTPs = This Pulse - IOCs from references", "modified": "2025-08-28T16:04:17.368000", "created": "2025-07-28T19:50:04.469000", "tags": [ "data", "upload", "sg2backup drive", "no problems", "problems1", "supportavast", "progressb", "files", "onedrivenoprobs", "sg2suss", "trash", "fall", "Covenant Health", "AHS", "Alberta Health Services", "Rogers", "UAlberta", "APT", "Edmonton", "Telus" ], "references": [ "Bitch-On-Wheels_files_md5s.csv", "832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431", "f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106", "", "https://hybrid-analysis.com/sample/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://tria.ge/250729-s1vysaywgy", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3", "https://polyswarm.network/scan/results/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/a3528542-a121-4351-91fe-de5aab327fe2/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/3c22777d-9fa3-4d67-a00a-8aa505154874/overview", "https://metadefender.com/results/file/bzI1MDcyOV9QRkdmNWZwSkhvMG11YWczRVZMRw_mdaas", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/5fdda54a-0164-4d4e-a248-d07ec3780d8a/overview", "https://app.threat.zone/submission/ef60d9bd-bd97-4859-8e58-4f670d1f1783/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/21f7ed2c-7815-49f0-8697-998b341df34a/overview", "https://tip.neiki.dev/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://hybrid-analysis.com/sample/f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "https://hybrid-analysis.com/sample/902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106/6888ec5bd7a73585560d2ddd", "https://hybrid-analysis.com/sample/832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431/6888ec5cfd974c2a5b0f1cfa", "https://hybrid-analysis.com/sample/12f05b32365a6fc40b30d108ea0dc730f662c6ee48c0feccf7cb43263a0a8166/6888ec5d423dabf7de0872d7" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4790, "FileHash-SHA1": 3172, "FileHash-SHA256": 2764, "domain": 453, "URL": 2688, "CVE": 59, "email": 31, "hostname": 638 }, "indicator_count": 14595, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "233 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67eb87f8beff23dfe3508000", "name": "Thor Lite Linux 64 - 03.31.25 - Sample PopOS Device", "description": "Thor Lite Linux 64 - 03.31.25 - Sample PopOS Device (She's had it)\nResults for matches uploaded to VT\nJust tossed results into this pulse so - sloppy.", "modified": "2025-04-01T07:52:30.117000", "created": "2025-04-01T06:30:16.309000", "tags": [ "fri mar", "filename ioc", "reasonscount", "sigtype1", "indicator type", "log entry", "entry", "exists1", "matched1", "exploit code", "score", "rooter", "warp", "cobaltstrike", "luckycat", "obfus", "code", "surtr", "9999", "powersploit", "bypass", "proftpd", "mimikatz", "info" ], "references": [ "https://www.virustotal.com/gui/collection/febf534513e07ef3b2a63b824827cc86b61c21d641bbb9da73933240dd9d2710/iocs", "https://www.virustotal.com/gui/collection/febf534513e07ef3b2a63b824827cc86b61c21d641bbb9da73933240dd9d2710/summary" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [ "Technology", "Healthcare", "Education", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 345, "FileHash-MD5": 111, "FileHash-SHA1": 174, "FileHash-SHA256": 131, "URL": 499, "domain": 38, "hostname": 47 }, "indicator_count": 1345, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "383 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "666ac558d08da6cfb3ba135b", "name": "Thor Lite Scanner - Cigabuntu (Parrot Version) vs. The Book of Shadows", "description": "A little unclear on 'just exactly what all of this is' - Other than Huntress Catching things and Thor & Bitdefender Gravutyzone ****ing the bed\n\nScan ID: S-6vsmMgE47Gk\nScan Id: S-H9GdDtmU2vU\n\n06.13.24: https://www.virustotal.com/graph/embed/g14ccc2b5794648cc838da283a8fbfcda4d95dde6ddc44798be19c2832778787f?theme=dark", "modified": "2024-07-13T09:05:44.647000", "created": "2024-06-13T10:09:28.617000", "tags": [ "entity", "please", "javascript", "valhalla", "php", "filename ioc", "mon jun", "module", "sigtype1", "reasonscount", "tue jun", "exploit code", "file names", "matched1", "score", "shellcode", "form", "mimikatz", "powershell", "cobaltstrike", "null", "trace", "shell", "import", "empire", "hermanos", "cobalt strike", "void", "body", "exploit", "webshell", "antak", "anomaly", "error", "generic", "target", "obfus", "skeletonkey", "virustotal", "dllimport", "false", "flash", "info", "click", "macos", "test", "powersploit", "powercat", "tools", "metasploit", "twitter", "open", "path", "xploit" ], "references": [ "https://www.virustotal.com/graph/embed/g14ccc2b5794648cc838da283a8fbfcda4d95dde6ddc44798be19c2832778787f?theme=dark", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/summary", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/iocs", "https://www.virustotal.com/gui/collection/a5d9ceedc1dd9b912db6270e583ef306f5d3130912ffe4c519496cb53b2179f9/graph" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VALHALLA", "display_name": "VALHALLA", "target": null }, { "id": "PHP", "display_name": "PHP", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 74, "CVE": 156, "FileHash-MD5": 828, "FileHash-SHA1": 1126, "FileHash-SHA256": 746, "domain": 130, "email": 4, "hostname": 21 }, "indicator_count": 3085, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "645 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "666a6ae5bb437ef87caedb43", "name": "Thor-Lite - ASUS, SG1 & 128 USB - 06.12.24", "description": "Just a thor-lite scan of a sample W11 Asus Device, a backup drive, and a 128 GB US\n-Some false positives (b/c ya know - community edition)\n\n06.12.24: https://www.virustotal.com/graph/embed/g23296a8424204aeda69d32bb307e46820e4f1803c8f54cdd97b5e92a9cb58552?theme=dark", "modified": "2024-07-13T03:04:07.502000", "created": "2024-06-13T03:43:33.080000", "tags": [ "valhalla", "parrotthor lite", "lite", "kano", "big drive", "scanid", "size1", "company1", "mz created1", "exists1", "desc1", "originalname1", "fri may", "imphash1", "internalname1", "service", "anomaly", "error", "virustotal", "bypass", "score", "procdump", "cobaltstrike", "pipes", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "body", "powershell", "path", "shellcode", "model", "arch", "hosts", "pass", "powersploit", "powercat", "please", "javascript", "entity", "contains-pe", "contains-elf", "contains-zip", "base64-embedded" ], "references": [ "https://www.virustotal.com/gui/collection/ac61bce3fb3e41361f2977c65c924ebe8962d8000981e3c57e222388064bf67a/iocs", "https://www.virustotal.com/graph/embed/g23296a8424204aeda69d32bb307e46820e4f1803c8f54cdd97b5e92a9cb58552?theme=dark", "https://www.virustotal.com/gui/collection/ac61bce3fb3e41361f2977c65c924ebe8962d8000981e3c57e222388064bf67a/graph", "https://www.virustotal.com/gui/collection/ac61bce3fb3e41361f2977c65c924ebe8962d8000981e3c57e222388064bf67a/summary" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" } ], "industries": [ "Telecommunications", "Healthcare", "Government", "Education", "contains-embedded-js", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1064, "URL": 105, "CVE": 8, "FileHash-SHA1": 549, "FileHash-SHA256": 567, "domain": 19, "email": 2, "hostname": 77 }, "indicator_count": 2391, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "645 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6668b85065eec626e4766a38", "name": "Thor-Lite Linux 64 (06.11.24) - enriched a bit more but not 'pruned'", "description": "Please note: This sample is a tad 'outdated' as I ran both scans kind of by accident lol (i.e. did not update w. the utils utility). I was a bit tired so a happy accident of more data? - but gives a general 'picture' or 'painting' anyways on a rather small set of data.\n\nHave some more data to put up (picked up by Huntress Labs) - just have to get that back online.\n\nWould love to accommodate for some confounding variables - e.g. filter for false positives, windows logs, networking capabilities (better than what I have now) to better inform the team taking care of me (us). \n\nNote: Given it was using some outdated thor modules (lite-version), it was 'good enough' to provide some data worth looking into that 'falls in line' w. what I've come across. \n\nJust a combined sample (2 in 1) of a thor-lite scan of a linux instance (06.11.24)\n\nI've just listed a few places I have some direct ties to in one way or another (not including the other UAlberta students affected that have been in contact with me or reached out).", "modified": "2024-07-11T21:08:15.880000", "created": "2024-06-11T20:49:20.318000", "tags": [ "mon jun", "filename ioc", "scanid", "sigtype1", "group", "reason1", "matched1", "reasonscount", "dangerous file", "exploit code", "trace", "anomaly", "project", "import", "mimikatz", "form", "powershell", "shellcode", "cobaltstrike", "hermanos", "cobalt strike", "inject", "body", "null", "confuserex", "virustotal", "generic", "comspec", "injectdll", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "obfus", "webshell", "phpshell", "error", "exploit", "dllimport", "info", "kill", "path", "arch", "hosts", "bifrost", "thor", "false", "tools", "flash", "cve201711882", "macos", "bypass", "green", "team", "target", "cred", "powersploit", "recursive", "term", "download", "zero", "antak", "install", "metasploit", "local", "meterpreter", "shell", "please", "javascript", "entity" ], "references": [ "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/iocs", "https://www.virustotal.com/graph/embed/gfdb1aa99d73447818bfcd10130b237a4e92dbf316d5f4f028ad64f71f882bccc?theme=dark", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/graph", "https://www.virustotal.com/gui/collection/2b33908584f5c3987941edc9aa8995f797fe13900feeb9fa8fb86ccb5abdaa01/summary", "https://urlscan.io/search/#user:me%20OR%20team:me", "https://viz.greynoise.io/analysis/eaa63cd1-14fd-4d03-9e83-29bd58eab538" ], "public": 1, "adversary": "Unknown", "targeted_countries": [ "United States of America", "Canada", "Netherlands", "Anguilla", "Panama", "Trinidad and Tobago", "Saint Martin (French part)", "Saint Vincent and the Grenadines", "Sint Maarten (Dutch part)", "Mexico", "Philippines", "Japan", "Aruba", "Costa Rica", "Guatemala", "China", "Barbados", "Saint Kitts and Nevis", "Cayman Islands", "Cura\u00e7ao", "Virgin Islands, U.S." ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1558", "name": "Steal or Forge Kerberos Tickets", "display_name": "T1558 - Steal or Forge Kerberos Tickets" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" } ], "industries": [ "Education", "Technology", "Government", "Healthcare", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 247, "FileHash-MD5": 1183, "FileHash-SHA1": 1553, "FileHash-SHA256": 1240, "URL": 486, "domain": 294, "email": 8, "hostname": 138 }, "indicator_count": 5149, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "646 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://github.com/0x00-0x00/ShellPop", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://github.com/0x00-0x00/ShellPop", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776591714.6991334 }