{
  "type": "URL",
  "indicator": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/malicious-network-drv.md",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/malicious-network-drv.md",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "alexa",
        "message": "Alexa rank: #87",
        "name": "Listed on Alexa"
      },
      {
        "source": "akamai",
        "message": "Akamai rank: #560",
        "name": "Akamai Popular Domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain github.com",
        "name": "Whitelisted domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain github.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 4355031166,
      "indicator": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/malicious-network-drv.md",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 1,
      "pulses": [
        {
          "id": "6a01f5402b91332b1cd63cd7",
          "name": "*  No Flags, Drops, MITRE + More. * CAPE Sandbox",
          "description": "ID\tOB0012\nCreated\t1 August 2019\nLast Modified\t27 September 2023\nPersistence\n\nToday I discovered this {https://github.com/MBCProject/mbc-markdown/blob/3559ac6c87a7e8ea9a1fa01bf1155032d7fcdcac/persistence/shutdown-event.md] <this rep. is likely being used in this malware. I haven't ever used Git so I need to look through this more. Do not run this.\n\nBehaviors that enable malware to remain on a system regardless of system events, such as reboots.\n\nBootkit F0013\nComponent Firmware F0009\nHide Artifacts E1564\nHidden Files and Directories F0005\nHijack Execution Flow F0015\nInstall Insecure or Malicious Configuration B0047\nKernel Modules and Extensions F0010\nMalicious Network Driver B0026\nModify Existing Service F0011\nModify Registry E1112\nRegistry Run Keys / Startup Folder F0012\nIngress Tool Transfer E1105\nShutdown Event B0035",
          "modified": "2026-05-22T07:35:44.550000",
          "created": "2026-05-11T15:26:56.832000",
          "tags": [
            "default",
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "strong",
            "library",
            "file type",
            "sha1",
            "accept",
            "bootkit",
            "shutdown",
            "defense evasion",
            "mitre attack",
            "network info",
            "processes extra",
            "sigma",
            "performs dns",
            "overview",
            "overview zenbox",
            "verdict",
            "guest system",
            "ultimate file",
            "next",
            "rules not",
            "injection",
            "evasion",
            "not found",
            "mitre",
            "medium",
            "info ids",
            "found sigma",
            "found",
            "files",
            "destruction",
            "cape sandbox",
            "zenbox",
            "detections not",
            "found mitre",
            "fraud",
            "wiper",
            "pdfkit[.net]",
            "sandbox evasion",
            "shellcode hiding in md5",
            "expired",
            "not signed"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778512413&Signature=e%2FOQUFCdl6mG%2FVw1jWUt7JVEvUMDGdL0qTkVuMhleZvju90tDDGBWkN70V6AEMn81ckpNectbzu%2B35Ofrit1gTXkEdOLHigu6qE%2BrT3vIC81BH65xFoYz4vAmE2UdFt21KE9Zas%2BRpTOTqbTAPwoprdoH9KmCcVRpcj2fVn7jij4cQmlFbayz%2FH4AkRMh1EAr9IyxYEcUXUj4bkLvn7%2BMHZIYqsFP65EbtVAws7CxvbFmiF9",
            "https://vtbehaviour.commondatastorage.googleapis.com/c0df36ccf88d5c8434b13b58f7a55a9715643a126148b9d078a93075d09cad26_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778512494&Signature=IyGjHZi7N286Zz2nRVR3HMmGSVCpdy6tyAKCyI4hGwox9174JLlTx73eEIXC5CkxOw85f%2BvcX%2BiV90DJ2IENlMD5h3mvRRG8Pr63SeXvNFNEDZXEr06GYORqKum94zNlDJsyCtOO1WBS%2B6zVEo2EI%2Bwf7WDs6fF12dXKWZPlqohK7buL36UkZI0%2FKKr0se40JjqaZj%2B2GT%2F7568PBNfUT%2FXydO3FPBN0zTRQRTG72Wyxth7o%2Flc7",
            "cddfaa769d227e9b8c7d78be3169895d SHA-1 b719eff788239f59cec3f0ea4efab4aa5c8cfd28 SHA-256 64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b Vhash 94005c460c2f34db9d47d4d59c392e7ff SSDEEP 6144:/mkxHzOMbL9Ygyd7fJoHQX3ZSSZACkGSim+trsgGg:PHKM/y1dTWHOZnVk13g TLSH T1524412A4CE47D183DD63D43909A0B192DBD2B1479AC424A93AAC5BE35F01B53EE23DC7 File type PDF  document pdf Magic PDF document, version 1.7 (zip deflate encoded) TrID Adobe Portable Document Format (100%) Magika PDF File size 256.84 KB (263001 byt",
            ""
          ],
          "public": 1,
          "adversary": "TrojanSpy",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 91,
            "FileHash-MD5": 130,
            "FileHash-SHA1": 112,
            "FileHash-SHA256": 135,
            "URL": 73,
            "hostname": 73,
            "domain": 31,
            "Mutex": 2
          },
          "indicator_count": 647,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "9 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "cddfaa769d227e9b8c7d78be3169895d SHA-1 b719eff788239f59cec3f0ea4efab4aa5c8cfd28 SHA-256 64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b Vhash 94005c460c2f34db9d47d4d59c392e7ff SSDEEP 6144:/mkxHzOMbL9Ygyd7fJoHQX3ZSSZACkGSim+trsgGg:PHKM/y1dTWHOZnVk13g TLSH T1524412A4CE47D183DD63D43909A0B192DBD2B1479AC424A93AAC5BE35F01B53EE23DC7 File type PDF  document pdf Magic PDF document, version 1.7 (zip deflate encoded) TrID Adobe Portable Document Format (100%) Magika PDF File size 256.84 KB (263001 byt",
        "https://vtbehaviour.commondatastorage.googleapis.com/64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778512413&Signature=e%2FOQUFCdl6mG%2FVw1jWUt7JVEvUMDGdL0qTkVuMhleZvju90tDDGBWkN70V6AEMn81ckpNectbzu%2B35Ofrit1gTXkEdOLHigu6qE%2BrT3vIC81BH65xFoYz4vAmE2UdFt21KE9Zas%2BRpTOTqbTAPwoprdoH9KmCcVRpcj2fVn7jij4cQmlFbayz%2FH4AkRMh1EAr9IyxYEcUXUj4bkLvn7%2BMHZIYqsFP65EbtVAws7CxvbFmiF9",
        "https://vtbehaviour.commondatastorage.googleapis.com/c0df36ccf88d5c8434b13b58f7a55a9715643a126148b9d078a93075d09cad26_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778512494&Signature=IyGjHZi7N286Zz2nRVR3HMmGSVCpdy6tyAKCyI4hGwox9174JLlTx73eEIXC5CkxOw85f%2BvcX%2BiV90DJ2IENlMD5h3mvRRG8Pr63SeXvNFNEDZXEr06GYORqKum94zNlDJsyCtOO1WBS%2B6zVEo2EI%2Bwf7WDs6fF12dXKWZPlqohK7buL36UkZI0%2FKKr0se40JjqaZj%2B2GT%2F7568PBNfUT%2FXydO3FPBN0zTRQRTG72Wyxth7o%2Flc7"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "TrojanSpy"
          ],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 474
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/github.com",
    "whois": "http://whois.domaintools.com/github.com",
    "domain": "github.com",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 1,
  "pulses": [
    {
      "id": "6a01f5402b91332b1cd63cd7",
      "name": "*  No Flags, Drops, MITRE + More. * CAPE Sandbox",
      "description": "ID\tOB0012\nCreated\t1 August 2019\nLast Modified\t27 September 2023\nPersistence\n\nToday I discovered this {https://github.com/MBCProject/mbc-markdown/blob/3559ac6c87a7e8ea9a1fa01bf1155032d7fcdcac/persistence/shutdown-event.md] <this rep. is likely being used in this malware. I haven't ever used Git so I need to look through this more. Do not run this.\n\nBehaviors that enable malware to remain on a system regardless of system events, such as reboots.\n\nBootkit F0013\nComponent Firmware F0009\nHide Artifacts E1564\nHidden Files and Directories F0005\nHijack Execution Flow F0015\nInstall Insecure or Malicious Configuration B0047\nKernel Modules and Extensions F0010\nMalicious Network Driver B0026\nModify Existing Service F0011\nModify Registry E1112\nRegistry Run Keys / Startup Folder F0012\nIngress Tool Transfer E1105\nShutdown Event B0035",
      "modified": "2026-05-22T07:35:44.550000",
      "created": "2026-05-11T15:26:56.832000",
      "tags": [
        "default",
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "strong",
        "library",
        "file type",
        "sha1",
        "accept",
        "bootkit",
        "shutdown",
        "defense evasion",
        "mitre attack",
        "network info",
        "processes extra",
        "sigma",
        "performs dns",
        "overview",
        "overview zenbox",
        "verdict",
        "guest system",
        "ultimate file",
        "next",
        "rules not",
        "injection",
        "evasion",
        "not found",
        "mitre",
        "medium",
        "info ids",
        "found sigma",
        "found",
        "files",
        "destruction",
        "cape sandbox",
        "zenbox",
        "detections not",
        "found mitre",
        "fraud",
        "wiper",
        "pdfkit[.net]",
        "sandbox evasion",
        "shellcode hiding in md5",
        "expired",
        "not signed"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778512413&Signature=e%2FOQUFCdl6mG%2FVw1jWUt7JVEvUMDGdL0qTkVuMhleZvju90tDDGBWkN70V6AEMn81ckpNectbzu%2B35Ofrit1gTXkEdOLHigu6qE%2BrT3vIC81BH65xFoYz4vAmE2UdFt21KE9Zas%2BRpTOTqbTAPwoprdoH9KmCcVRpcj2fVn7jij4cQmlFbayz%2FH4AkRMh1EAr9IyxYEcUXUj4bkLvn7%2BMHZIYqsFP65EbtVAws7CxvbFmiF9",
        "https://vtbehaviour.commondatastorage.googleapis.com/c0df36ccf88d5c8434b13b58f7a55a9715643a126148b9d078a93075d09cad26_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778512494&Signature=IyGjHZi7N286Zz2nRVR3HMmGSVCpdy6tyAKCyI4hGwox9174JLlTx73eEIXC5CkxOw85f%2BvcX%2BiV90DJ2IENlMD5h3mvRRG8Pr63SeXvNFNEDZXEr06GYORqKum94zNlDJsyCtOO1WBS%2B6zVEo2EI%2Bwf7WDs6fF12dXKWZPlqohK7buL36UkZI0%2FKKr0se40JjqaZj%2B2GT%2F7568PBNfUT%2FXydO3FPBN0zTRQRTG72Wyxth7o%2Flc7",
        "cddfaa769d227e9b8c7d78be3169895d SHA-1 b719eff788239f59cec3f0ea4efab4aa5c8cfd28 SHA-256 64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b Vhash 94005c460c2f34db9d47d4d59c392e7ff SSDEEP 6144:/mkxHzOMbL9Ygyd7fJoHQX3ZSSZACkGSim+trsgGg:PHKM/y1dTWHOZnVk13g TLSH T1524412A4CE47D183DD63D43909A0B192DBD2B1479AC424A93AAC5BE35F01B53EE23DC7 File type PDF  document pdf Magic PDF document, version 1.7 (zip deflate encoded) TrID Adobe Portable Document Format (100%) Magika PDF File size 256.84 KB (263001 byt",
        ""
      ],
      "public": 1,
      "adversary": "TrojanSpy",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 91,
        "FileHash-MD5": 130,
        "FileHash-SHA1": 112,
        "FileHash-SHA256": 135,
        "URL": 73,
        "hostname": 73,
        "domain": 31,
        "Mutex": 2
      },
      "indicator_count": 647,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "9 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/malicious-network-drv.md",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://github.com/MBCProject/mbc-markdown/blob/master/persistence/malicious-network-drv.md",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780237419.3720484
}