{ "type": "URL", "indicator": "https://github.com/avast-tl/retdec", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://github.com/avast-tl/retdec", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #87", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #560", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain github.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain github.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3842473074, "indicator": "https://github.com/avast-tl/retdec", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "685ef2fc03ce0420e15042ed", "name": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe", "description": "MD5 84c82835a5d21bbcf75a61706d8ab549\nHere is the full text of the code-crunching tool, which is used by \nMicrosoft to store data on the operating system, as well as the text and characters on its built-up.\nhttps://www.virustotal.com/gui/file/15e6e251556675ddf1c524a6668d3ac82a84532f9c99a1f2f70d37f03128682b/details", "modified": "2025-10-01T00:01:22.860000", "created": "2025-06-27T19:37:32.636000", "tags": [ "result", "memcpy", "function405e27", "memcpy8", "v43 v45", "getprocaddress", "null", "closehandle", "memset", "result2", "false", "copy", "docsapiv2", "feed faq" ], "references": [ "https://otx.alienvault.com/indicator/file/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 23, "FileHash-MD5": 9, "FileHash-SHA1": 2, "FileHash-SHA256": 24, "domain": 2, "CVE": 3, "hostname": 1 }, "indicator_count": 64, "is_author": false, "is_subscribing": null, "subscriber_count": 125, "modified_text": "200 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "685f1bca5b6f76aba3079f1e", "name": "Application Window Discovery, Technique T1010 - Enterprise | MITRE ATT&CK®", "description": "1340f7f39c177f42f701209a563c0e5a94352e20d37c3e0bb36adc82942m.", "modified": "2025-10-01T00:01:22.860000", "created": "2025-06-27T22:31:38.306000", "tags": [ "submission", "vhash", "ssdeep", "file type", "html internet", "magic html", "unicode text", "utf8 text", "trid file", "magika html", "body", "header", "united", "as8075", "passive dns", "soap", "clientheader", "client", "faultcode", "pulse search", "error", "pattern", "multiref", "fault", "server", "bea382500", "sendsyncr", "loanrequestmsg", "sha1", "imphash", "pehash", "richhash", "roth", "nextron", "detection rule", "license", "ransomware", "rule", "yara rule", "set author", "roth date", "identifier", "authentihash", "rich pe", "result", "memcpy", "function405e27", "memcpy8", "v43 v45", "getprocaddress", "null", "closehandle", "memset", "result2", "false", "copy", "ascii text", "crlf line", "rich text", "format", "ascii", "gif image", "c source", "microsoft asf", "intel", "ms windows", "july", "april", "november", "june", "february", "january", "august", "discovery", "darkgate", "os api", "window", "flagpro", "netwire", "qakbot", "rokrat", "attor", "cadelspy", "catchamas", "nirsoft", "darkwatchman", "duqu", "dusttrap", "funnydream", "grandoreiro", "hotcroissant", "invisimole", "metamorfo", "nightclub", "plead", "powerduke", "remexi", "soundbite", "winerack", "powershell", "stuxnet", "dust", "knight", "evolution", "lazarus", "zhang", "nettraveler", "travnet", "belarus", "carr", "sector", "jpeg image", "jfif", "png image", "rgba" ], "references": [ "http://www.adobe.com/support/security/bulletins/apsb12-03.html", "https://attack.mitre.org/techniques/T1010" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 258, "hostname": 156, "domain": 7, "FileHash-MD5": 353, "FileHash-SHA1": 187, "FileHash-SHA256": 681, "CVE": 1, "YARA": 6 }, "indicator_count": 1649, "is_author": false, "is_subscribing": null, "subscriber_count": 126, "modified_text": "200 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d34c8a64436a7aee2e25a1", "name": "Locky: File Deletion targeting incriminating archived files.", "description": "redhatdelete.com : Adversaries are deleting files in bulk from Virustotal, otx AlienVault, WebArchive, Perma.cc Urlscan.io, Archive.Today, Archive.ph, iCloud, apple data, photo deletion.\nVarious ransomware used. iOS service modified, cloud encrypted by adversary. Indicator point to a target with a zombie device. An iPhone and potentially other devices were targeted in a specific attack. | Locky Ransomware is a piece of malware that encrypts important files on your device, rendering them inaccessible and unusable.", "modified": "2024-03-20T12:00:39.809000", "created": "2024-02-19T12:41:46.707000", "tags": [ "it consultant", "uk collection", "dns intel", "ips collection", "suspicous ip", "whois file", "cname", "record type", "ttl value", "algorithm", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "whois lookup", "region create", "domain", "name server", "registrant name", "technical city", "region update", "united", "command decode", "mitre att", "suricata ipv4", "windows nt", "win64", "khtml", "gecko", "ck id", "cookie", "meta", "february", "hybrid", "general", "click", "strings", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "dns replication", "code", "namecheap", "registrar abuse", "namecheap inc", "privacy service", "withheld", "privacy", "dnssec", "email", "first", "bodis", "unknown", "creation date", "search", "emails", "as397240", "date", "next", "all octoseek", "threat roundup", "january", "june", "historical ssl", "referrer", "contacted", "group", "execution", "phishing", "malware", "core", "malicious", "dark power", "play ransomware", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 linker", "gnu linker", "compiler", "info header", "name md5", "overlay", "passive dns", "entries", "ipv4", "pulse pulses", "urls", "files", "trojan", "location united", "query", "activity dns", "observed dns", "msie", "high", "copy", "write", "win32", "hashes", "host interaction", "sabey type", "hallrender", "brian sabey", "memory pattern", "http requests", "http method", "get response", "dns resolutions", "ip traffic", "domains", "mutex", "samplepath", "created", "shell commands", "r processes", "tree", "analyze", "hostnames", "url https", "samples", "hostname", "pattern urls", "memory", "pattern", "pattern domains", "roundup", "formbook", "mirai", "ben c", "injection", "server", "scan endpoints", "show", "august", "bq feb", "chrome", "precondition", "virtool", "downloadmr", "body", "status", "servers", "record value", "name servers", "showing", "mailrubar", "trojanclicker", "slcc2", "media center", "delete c", "malware beacon", "suspicious", "class", "internal", "local", "encrypt", "as15169 google", "gmt cache", "twitter", "rostpay", "date hash", "avast avg", "mtb may", "susp", "cryp", "win32upatre may", "mtb showing", "lowfi", "aaaa", "win32pcmega jan", "urlshortner dec", "urlshortner sep", "as133618", "nxdomain", "as133775 xiamen", "germany unknown", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "whois record", "ssl certificate", "tsara brashears", "resolutions", "critical risk", "apple phone", "unlocker", "shell code", "installer", "ursnif", "hacktool", "emotet", "tracker", "chaos", "ransomexx", "xor ddos", "xorddos", "mitre attack", "parent domain", "urls url", "siblings", "metro", "communicating", "collection", "dropped", "skynet", "youth", "com laude", "ltd dba", "utc submissions", "submitters", "cloudflarenet", "akamaias", "digitaloceanasn", "csc corporate", "pt mora", "univjos", "etisalat misr", "acurix networks", "pty ltd", "beijing baidu", "highly targeted", "http", "network hijacks", "redline stealer", "whois sslcert", "contacted urls", "whois whois", "september", "hidden cobra", "threats", "kimsuky", "service", "read c", "create c", "write c", "regsetvalueexa", "mozilla", "capture", "asnone", "domain http", "request", "malware dns", "lookup wannacry", "default", "ransom", "push", "playgame", "command", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "yara detections", "debug", "icmp traffic", "pdb path", "pe section", "low software", "packing t1045", "ransomware", "egregor", "find", "false", "psexec", "powershell", "qakbot", "qbot", "icedid" ], "references": [ "redhatdelete.com", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "target": null }, { "id": "Rostpay", "display_name": "Rostpay", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "Chaos (ELF)", "display_name": "Chaos (ELF)", "target": null }, { "id": "TrojanDropper:Win32/GameHack", "display_name": "TrojanDropper:Win32/GameHack", "target": "/malware/TrojanDropper:Win32/GameHack" }, { "id": "Win.Ransomware.Locky-7766366-0", "display_name": "Win.Ransomware.Locky-7766366-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "ALF:E5.SpikeAex.rhh_pid", "display_name": "ALF:E5.SpikeAex.rhh_pid", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1848, "FileHash-SHA1": 1783, "FileHash-SHA256": 7170, "domain": 1649, "hostname": 1191, "email": 9, "URL": 729, "CVE": 2, "SSLCertFingerprint": 2, "CIDR": 1 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "760 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d34c91868744aa1449fef2", "name": "Locky: File Deletion targeting incriminating archived files.", "description": "redhatdelete.com : Adversaries are deleting files in bulk from Virustotal, otx AlienVault, WebArchive, Perma.cc Urlscan.io, Archive.Today, Archive.ph, iCloud, apple data, photo deletion.\nVarious ransomware used. iOS service modified, cloud encrypted by adversary. Indicator point to a target with a zombie device. An iPhone and potentially other devices were targeted in a specific attack. | Locky Ransomware is a piece of malware that encrypts important files on your device, rendering them inaccessible and unusable.", "modified": "2024-03-20T12:00:39.809000", "created": "2024-02-19T12:41:52.846000", "tags": [ "it consultant", "uk collection", "dns intel", "ips collection", "suspicous ip", "whois file", "cname", "record type", "ttl value", "algorithm", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "whois lookup", "region create", "domain", "name server", "registrant name", "technical city", "region update", "united", "command decode", "mitre att", "suricata ipv4", "windows nt", "win64", "khtml", "gecko", "ck id", "cookie", "meta", "february", "hybrid", "general", "click", "strings", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "dns replication", "code", "namecheap", "registrar abuse", "namecheap inc", "privacy service", "withheld", "privacy", "dnssec", "email", "first", "bodis", "unknown", "creation date", "search", "emails", "as397240", "date", "next", "all octoseek", "threat roundup", "january", "june", "historical ssl", "referrer", "contacted", "group", "execution", "phishing", "malware", "core", "malicious", "dark power", "play ransomware", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 linker", "gnu linker", "compiler", "info header", "name md5", "overlay", "passive dns", "entries", "ipv4", "pulse pulses", "urls", "files", "trojan", "location united", "query", "activity dns", "observed dns", "msie", "high", "copy", "write", "win32", "hashes", "host interaction", "sabey type", "hallrender", "brian sabey", "memory pattern", "http requests", "http method", "get response", "dns resolutions", "ip traffic", "domains", "mutex", "samplepath", "created", "shell commands", "r processes", "tree", "analyze", "hostnames", "url https", "samples", "hostname", "pattern urls", "memory", "pattern", "pattern domains", "roundup", "formbook", "mirai", "ben c", "injection", "server", "scan endpoints", "show", "august", "bq feb", "chrome", "precondition", "virtool", "downloadmr", "body", "status", "servers", "record value", "name servers", "showing", "mailrubar", "trojanclicker", "slcc2", "media center", "delete c", "malware beacon", "suspicious", "class", "internal", "local", "encrypt", "as15169 google", "gmt cache", "twitter", "rostpay", "date hash", "avast avg", "mtb may", "susp", "cryp", "win32upatre may", "mtb showing", "lowfi", "aaaa", "win32pcmega jan", "urlshortner dec", "urlshortner sep", "as133618", "nxdomain", "as133775 xiamen", "germany unknown", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "whois record", "ssl certificate", "tsara brashears", "resolutions", "critical risk", "apple phone", "unlocker", "shell code", "installer", "ursnif", "hacktool", "emotet", "tracker", "chaos", "ransomexx", "xor ddos", "xorddos", "mitre attack", "parent domain", "urls url", "siblings", "metro", "communicating", "collection", "dropped", "skynet", "youth", "com laude", "ltd dba", "utc submissions", "submitters", "cloudflarenet", "akamaias", "digitaloceanasn", "csc corporate", "pt mora", "univjos", "etisalat misr", "acurix networks", "pty ltd", "beijing baidu", "highly targeted", "http", "network hijacks", "redline stealer", "whois sslcert", "contacted urls", "whois whois", "september", "hidden cobra", "threats", "kimsuky", "service", "read c", "create c", "write c", "regsetvalueexa", "mozilla", "capture", "asnone", "domain http", "request", "malware dns", "lookup wannacry", "default", "ransom", "push", "playgame", "command", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "yara detections", "debug", "icmp traffic", "pdb path", "pe section", "low software", "packing t1045", "ransomware", "egregor", "find", "false", "psexec", "powershell", "qakbot", "qbot", "icedid" ], "references": [ "redhatdelete.com", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "target": null }, { "id": "Rostpay", "display_name": "Rostpay", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "Chaos (ELF)", "display_name": "Chaos (ELF)", "target": null }, { "id": "TrojanDropper:Win32/GameHack", "display_name": "TrojanDropper:Win32/GameHack", "target": "/malware/TrojanDropper:Win32/GameHack" }, { "id": "Win.Ransomware.Locky-7766366-0", "display_name": "Win.Ransomware.Locky-7766366-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "ALF:E5.SpikeAex.rhh_pid", "display_name": "ALF:E5.SpikeAex.rhh_pid", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 57, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1848, "FileHash-SHA1": 1783, "FileHash-SHA256": 7170, "domain": 1649, "hostname": 1191, "email": 9, "URL": 729, "CVE": 2, "SSLCertFingerprint": 2, "CIDR": 1 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "760 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d3acf32e1088e76165a307", "name": "Locky: File Deletion targeting incriminating archived files.", "description": "", "modified": "2024-03-20T12:00:39.809000", "created": "2024-02-19T19:33:07.504000", "tags": [ "it consultant", "uk collection", "dns intel", "ips collection", "suspicous ip", "whois file", "cname", "record type", "ttl value", "algorithm", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "whois lookup", "region create", "domain", "name server", "registrant name", "technical city", "region update", "united", "command decode", "mitre att", "suricata ipv4", "windows nt", "win64", "khtml", "gecko", "ck id", "cookie", "meta", "february", "hybrid", "general", "click", "strings", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "dns replication", "code", "namecheap", "registrar abuse", "namecheap inc", "privacy service", "withheld", "privacy", "dnssec", "email", "first", "bodis", "unknown", "creation date", "search", "emails", "as397240", "date", "next", "all octoseek", "threat roundup", "january", "june", "historical ssl", "referrer", "contacted", "group", "execution", "phishing", "malware", "core", "malicious", "dark power", "play ransomware", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 linker", "gnu linker", "compiler", "info header", "name md5", "overlay", "passive dns", "entries", "ipv4", "pulse pulses", "urls", "files", "trojan", "location united", "query", "activity dns", "observed dns", "msie", "high", "copy", "write", "win32", "hashes", "host interaction", "sabey type", "hallrender", "brian sabey", "memory pattern", "http requests", "http method", "get response", "dns resolutions", "ip traffic", "domains", "mutex", "samplepath", "created", "shell commands", "r processes", "tree", "analyze", "hostnames", "url https", "samples", "hostname", "pattern urls", "memory", "pattern", "pattern domains", "roundup", "formbook", "mirai", "ben c", "injection", "server", "scan endpoints", "show", "august", "bq feb", "chrome", "precondition", "virtool", "downloadmr", "body", "status", "servers", "record value", "name servers", "showing", "mailrubar", "trojanclicker", "slcc2", "media center", "delete c", "malware beacon", "suspicious", "class", "internal", "local", "encrypt", "as15169 google", "gmt cache", "twitter", "rostpay", "date hash", "avast avg", "mtb may", "susp", "cryp", "win32upatre may", "mtb showing", "lowfi", "aaaa", "win32pcmega jan", "urlshortner dec", "urlshortner sep", "as133618", "nxdomain", "as133775 xiamen", "germany unknown", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "whois record", "ssl certificate", "tsara brashears", "resolutions", "critical risk", "apple phone", "unlocker", "shell code", "installer", "ursnif", "hacktool", "emotet", "tracker", "chaos", "ransomexx", "xor ddos", "xorddos", "mitre attack", "parent domain", "urls url", "siblings", "metro", "communicating", "collection", "dropped", "skynet", "youth", "com laude", "ltd dba", "utc submissions", "submitters", "cloudflarenet", "akamaias", "digitaloceanasn", "csc corporate", "pt mora", "univjos", "etisalat misr", "acurix networks", "pty ltd", "beijing baidu", "highly targeted", "http", "network hijacks", "redline stealer", "whois sslcert", "contacted urls", "whois whois", "september", "hidden cobra", "threats", "kimsuky", "service", "read c", "create c", "write c", "regsetvalueexa", "mozilla", "capture", "asnone", "domain http", "request", "malware dns", "lookup wannacry", "default", "ransom", "push", "playgame", "command", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "yara detections", "debug", "icmp traffic", "pdb path", "pe section", "low software", "packing t1045", "ransomware", "egregor", "find", "false", "psexec", "powershell", "qakbot", "qbot", "icedid" ], "references": [ "redhatdelete.com", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "target": null }, { "id": "Rostpay", "display_name": "Rostpay", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "Chaos (ELF)", "display_name": "Chaos (ELF)", "target": null }, { "id": "TrojanDropper:Win32/GameHack", "display_name": "TrojanDropper:Win32/GameHack", "target": "/malware/TrojanDropper:Win32/GameHack" }, { "id": "Win.Ransomware.Locky-7766366-0", "display_name": "Win.Ransomware.Locky-7766366-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "ALF:E5.SpikeAex.rhh_pid", "display_name": "ALF:E5.SpikeAex.rhh_pid", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": "65d34c91868744aa1449fef2", "export_count": 64, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1848, "FileHash-SHA1": 1783, "FileHash-SHA256": 7170, "domain": 1649, "hostname": 1191, "email": 9, "URL": 729, "CVE": 2, "SSLCertFingerprint": 2, "CIDR": 1 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "760 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d3c31230455f6d8da3a9f0", "name": "Locky: File Deletion targeting incriminating archived files II", "description": "", "modified": "2024-03-20T12:00:39.809000", "created": "2024-02-19T21:07:30.887000", "tags": [ "it consultant", "uk collection", "dns intel", "ips collection", "suspicous ip", "whois file", "cname", "record type", "ttl value", "algorithm", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "whois lookup", "region create", "domain", "name server", "registrant name", "technical city", "region update", "united", "command decode", "mitre att", "suricata ipv4", "windows nt", "win64", "khtml", "gecko", "ck id", "cookie", "meta", "february", "hybrid", "general", "click", "strings", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "dns replication", "code", "namecheap", "registrar abuse", "namecheap inc", "privacy service", "withheld", "privacy", "dnssec", "email", "first", "bodis", "unknown", "creation date", "search", "emails", "as397240", "date", "next", "all octoseek", "threat roundup", "january", "june", "historical ssl", "referrer", "contacted", "group", "execution", "phishing", "malware", "core", "malicious", "dark power", "play ransomware", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 linker", "gnu linker", "compiler", "info header", "name md5", "overlay", "passive dns", "entries", "ipv4", "pulse pulses", "urls", "files", "trojan", "location united", "query", "activity dns", "observed dns", "msie", "high", "copy", "write", "win32", "hashes", "host interaction", "sabey type", "hallrender", "brian sabey", "memory pattern", "http requests", "http method", "get response", "dns resolutions", "ip traffic", "domains", "mutex", "samplepath", "created", "shell commands", "r processes", "tree", "analyze", "hostnames", "url https", "samples", "hostname", "pattern urls", "memory", "pattern", "pattern domains", "roundup", "formbook", "mirai", "ben c", "injection", "server", "scan endpoints", "show", "august", "bq feb", "chrome", "precondition", "virtool", "downloadmr", "body", "status", "servers", "record value", "name servers", "showing", "mailrubar", "trojanclicker", "slcc2", "media center", "delete c", "malware beacon", "suspicious", "class", "internal", "local", "encrypt", "as15169 google", "gmt cache", "twitter", "rostpay", "date hash", "avast avg", "mtb may", "susp", "cryp", "win32upatre may", "mtb showing", "lowfi", "aaaa", "win32pcmega jan", "urlshortner dec", "urlshortner sep", "as133618", "nxdomain", "as133775 xiamen", "germany unknown", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "whois record", "ssl certificate", "tsara brashears", "resolutions", "critical risk", "apple phone", "unlocker", "shell code", "installer", "ursnif", "hacktool", "emotet", "tracker", "chaos", "ransomexx", "xor ddos", "xorddos", "mitre attack", "parent domain", "urls url", "siblings", "metro", "communicating", "collection", "dropped", "skynet", "youth", "com laude", "ltd dba", "utc submissions", "submitters", "cloudflarenet", "akamaias", "digitaloceanasn", "csc corporate", "pt mora", "univjos", "etisalat misr", "acurix networks", "pty ltd", "beijing baidu", "highly targeted", "http", "network hijacks", "redline stealer", "whois sslcert", "contacted urls", "whois whois", "september", "hidden cobra", "threats", "kimsuky", "service", "read c", "create c", "write c", "regsetvalueexa", "mozilla", "capture", "asnone", "domain http", "request", "malware dns", "lookup wannacry", "default", "ransom", "push", "playgame", "command", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "yara detections", "debug", "icmp traffic", "pdb path", "pe section", "low software", "packing t1045", "ransomware", "egregor", "find", "false", "psexec", "powershell", "qakbot", "qbot", "icedid" ], "references": [ "redhatdelete.com", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "target": null }, { "id": "Rostpay", "display_name": "Rostpay", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "Chaos (ELF)", "display_name": "Chaos (ELF)", "target": null }, { "id": "TrojanDropper:Win32/GameHack", "display_name": "TrojanDropper:Win32/GameHack", "target": "/malware/TrojanDropper:Win32/GameHack" }, { "id": "Win.Ransomware.Locky-7766366-0", "display_name": "Win.Ransomware.Locky-7766366-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "ALF:E5.SpikeAex.rhh_pid", "display_name": "ALF:E5.SpikeAex.rhh_pid", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": "65d34c8a64436a7aee2e25a1", "export_count": 73, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Enqrypted", "id": "272105", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_272105/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1848, "FileHash-SHA1": 1783, "FileHash-SHA256": 7170, "domain": 1649, "hostname": 1191, "email": 9, "URL": 729, "CVE": 2, "SSLCertFingerprint": 2, "CIDR": 1 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "760 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "https://otx.alienvault.com/indicator/file/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa/", "redhatdelete.com", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "http://www.adobe.com/support/security/bulletins/apsb12-03.html", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "https://attack.mitre.org/techniques/T1010" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Virtool", "Ransom:win32/wannacrypt.a!rsm", "Chaos (elf)", "Win.ransomware.locky-7766366-0", "Trojandropper:win32/gamehack", "Alf:e5.spikeaex.rhh_pid", "Trojan-ransom.win32.blocker.jgb checkin", "Rostpay", "Mitre attack", "Mirai" ], "industries": [], "unique_indicators": 17413 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/github.com", "whois": "http://whois.domaintools.com/github.com", "domain": "github.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "685ef2fc03ce0420e15042ed", "name": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe", "description": "MD5 84c82835a5d21bbcf75a61706d8ab549\nHere is the full text of the code-crunching tool, which is used by \nMicrosoft to store data on the operating system, as well as the text and characters on its built-up.\nhttps://www.virustotal.com/gui/file/15e6e251556675ddf1c524a6668d3ac82a84532f9c99a1f2f70d37f03128682b/details", "modified": "2025-10-01T00:01:22.860000", "created": "2025-06-27T19:37:32.636000", "tags": [ "result", "memcpy", "function405e27", "memcpy8", "v43 v45", "getprocaddress", "null", "closehandle", "memset", "result2", "false", "copy", "docsapiv2", "feed faq" ], "references": [ "https://otx.alienvault.com/indicator/file/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 23, "FileHash-MD5": 9, "FileHash-SHA1": 2, "FileHash-SHA256": 24, "domain": 2, "CVE": 3, "hostname": 1 }, "indicator_count": 64, "is_author": false, "is_subscribing": null, "subscriber_count": 125, "modified_text": "200 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "685f1bca5b6f76aba3079f1e", "name": "Application Window Discovery, Technique T1010 - Enterprise | MITRE ATT&CK®", "description": "1340f7f39c177f42f701209a563c0e5a94352e20d37c3e0bb36adc82942m.", "modified": "2025-10-01T00:01:22.860000", "created": "2025-06-27T22:31:38.306000", "tags": [ "submission", "vhash", "ssdeep", "file type", "html internet", "magic html", "unicode text", "utf8 text", "trid file", "magika html", "body", "header", "united", "as8075", "passive dns", "soap", "clientheader", "client", "faultcode", "pulse search", "error", "pattern", "multiref", "fault", "server", "bea382500", "sendsyncr", "loanrequestmsg", "sha1", "imphash", "pehash", "richhash", "roth", "nextron", "detection rule", "license", "ransomware", "rule", "yara rule", "set author", "roth date", "identifier", "authentihash", "rich pe", "result", "memcpy", "function405e27", "memcpy8", "v43 v45", "getprocaddress", "null", "closehandle", "memset", "result2", "false", "copy", "ascii text", "crlf line", "rich text", "format", "ascii", "gif image", "c source", "microsoft asf", "intel", "ms windows", "july", "april", "november", "june", "february", "january", "august", "discovery", "darkgate", "os api", "window", "flagpro", "netwire", "qakbot", "rokrat", "attor", "cadelspy", "catchamas", "nirsoft", "darkwatchman", "duqu", "dusttrap", "funnydream", "grandoreiro", "hotcroissant", "invisimole", "metamorfo", "nightclub", "plead", "powerduke", "remexi", "soundbite", "winerack", "powershell", "stuxnet", "dust", "knight", "evolution", "lazarus", "zhang", "nettraveler", "travnet", "belarus", "carr", "sector", "jpeg image", "jfif", "png image", "rgba" ], "references": [ "http://www.adobe.com/support/security/bulletins/apsb12-03.html", "https://attack.mitre.org/techniques/T1010" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 258, "hostname": 156, "domain": 7, "FileHash-MD5": 353, "FileHash-SHA1": 187, "FileHash-SHA256": 681, "CVE": 1, "YARA": 6 }, "indicator_count": 1649, "is_author": false, "is_subscribing": null, "subscriber_count": 126, "modified_text": "200 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d34c8a64436a7aee2e25a1", "name": "Locky: File Deletion targeting incriminating archived files.", "description": "redhatdelete.com : Adversaries are deleting files in bulk from Virustotal, otx AlienVault, WebArchive, Perma.cc Urlscan.io, Archive.Today, Archive.ph, iCloud, apple data, photo deletion.\nVarious ransomware used. iOS service modified, cloud encrypted by adversary. Indicator point to a target with a zombie device. An iPhone and potentially other devices were targeted in a specific attack. | Locky Ransomware is a piece of malware that encrypts important files on your device, rendering them inaccessible and unusable.", "modified": "2024-03-20T12:00:39.809000", "created": "2024-02-19T12:41:46.707000", "tags": [ "it consultant", "uk collection", "dns intel", "ips collection", "suspicous ip", "whois file", "cname", "record type", "ttl value", "algorithm", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "whois lookup", "region create", "domain", "name server", "registrant name", "technical city", "region update", "united", "command decode", "mitre att", "suricata ipv4", "windows nt", "win64", "khtml", "gecko", "ck id", "cookie", "meta", "february", "hybrid", "general", "click", "strings", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "dns replication", "code", "namecheap", "registrar abuse", "namecheap inc", "privacy service", "withheld", "privacy", "dnssec", "email", "first", "bodis", "unknown", "creation date", "search", "emails", "as397240", "date", "next", "all octoseek", "threat roundup", "january", "june", "historical ssl", "referrer", "contacted", "group", "execution", "phishing", "malware", "core", "malicious", "dark power", "play ransomware", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 linker", "gnu linker", "compiler", "info header", "name md5", "overlay", "passive dns", "entries", "ipv4", "pulse pulses", "urls", "files", "trojan", "location united", "query", "activity dns", "observed dns", "msie", "high", "copy", "write", "win32", "hashes", "host interaction", "sabey type", "hallrender", "brian sabey", "memory pattern", "http requests", "http method", "get response", "dns resolutions", "ip traffic", "domains", "mutex", "samplepath", "created", "shell commands", "r processes", "tree", "analyze", "hostnames", "url https", "samples", "hostname", "pattern urls", "memory", "pattern", "pattern domains", "roundup", "formbook", "mirai", "ben c", "injection", "server", "scan endpoints", "show", "august", "bq feb", "chrome", "precondition", "virtool", "downloadmr", "body", "status", "servers", "record value", "name servers", "showing", "mailrubar", "trojanclicker", "slcc2", "media center", "delete c", "malware beacon", "suspicious", "class", "internal", "local", "encrypt", "as15169 google", "gmt cache", "twitter", "rostpay", "date hash", "avast avg", "mtb may", "susp", "cryp", "win32upatre may", "mtb showing", "lowfi", "aaaa", "win32pcmega jan", "urlshortner dec", "urlshortner sep", "as133618", "nxdomain", "as133775 xiamen", "germany unknown", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "whois record", "ssl certificate", "tsara brashears", "resolutions", "critical risk", "apple phone", "unlocker", "shell code", "installer", "ursnif", "hacktool", "emotet", "tracker", "chaos", "ransomexx", "xor ddos", "xorddos", "mitre attack", "parent domain", "urls url", "siblings", "metro", "communicating", "collection", "dropped", "skynet", "youth", "com laude", "ltd dba", "utc submissions", "submitters", "cloudflarenet", "akamaias", "digitaloceanasn", "csc corporate", "pt mora", "univjos", "etisalat misr", "acurix networks", "pty ltd", "beijing baidu", "highly targeted", "http", "network hijacks", "redline stealer", "whois sslcert", "contacted urls", "whois whois", "september", "hidden cobra", "threats", "kimsuky", "service", "read c", "create c", "write c", "regsetvalueexa", "mozilla", "capture", "asnone", "domain http", "request", "malware dns", "lookup wannacry", "default", "ransom", "push", "playgame", "command", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "yara detections", "debug", "icmp traffic", "pdb path", "pe section", "low software", "packing t1045", "ransomware", "egregor", "find", "false", "psexec", "powershell", "qakbot", "qbot", "icedid" ], "references": [ "redhatdelete.com", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "target": null }, { "id": "Rostpay", "display_name": "Rostpay", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "Chaos (ELF)", "display_name": "Chaos (ELF)", "target": null }, { "id": "TrojanDropper:Win32/GameHack", "display_name": "TrojanDropper:Win32/GameHack", "target": "/malware/TrojanDropper:Win32/GameHack" }, { "id": "Win.Ransomware.Locky-7766366-0", "display_name": "Win.Ransomware.Locky-7766366-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "ALF:E5.SpikeAex.rhh_pid", "display_name": "ALF:E5.SpikeAex.rhh_pid", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1848, "FileHash-SHA1": 1783, "FileHash-SHA256": 7170, "domain": 1649, "hostname": 1191, "email": 9, "URL": 729, "CVE": 2, "SSLCertFingerprint": 2, "CIDR": 1 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "760 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d34c91868744aa1449fef2", "name": "Locky: File Deletion targeting incriminating archived files.", "description": "redhatdelete.com : Adversaries are deleting files in bulk from Virustotal, otx AlienVault, WebArchive, Perma.cc Urlscan.io, Archive.Today, Archive.ph, iCloud, apple data, photo deletion.\nVarious ransomware used. iOS service modified, cloud encrypted by adversary. Indicator point to a target with a zombie device. An iPhone and potentially other devices were targeted in a specific attack. | Locky Ransomware is a piece of malware that encrypts important files on your device, rendering them inaccessible and unusable.", "modified": "2024-03-20T12:00:39.809000", "created": "2024-02-19T12:41:52.846000", "tags": [ "it consultant", "uk collection", "dns intel", "ips collection", "suspicous ip", "whois file", "cname", "record type", "ttl value", "algorithm", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "whois lookup", "region create", "domain", "name server", "registrant name", "technical city", "region update", "united", "command decode", "mitre att", "suricata ipv4", "windows nt", "win64", "khtml", "gecko", "ck id", "cookie", "meta", "february", "hybrid", "general", "click", "strings", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "dns replication", "code", "namecheap", "registrar abuse", "namecheap inc", "privacy service", "withheld", "privacy", "dnssec", "email", "first", "bodis", "unknown", "creation date", "search", "emails", "as397240", "date", "next", "all octoseek", "threat roundup", "january", "june", "historical ssl", "referrer", "contacted", "group", "execution", "phishing", "malware", "core", "malicious", "dark power", "play ransomware", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 linker", "gnu linker", "compiler", "info header", "name md5", "overlay", "passive dns", "entries", "ipv4", "pulse pulses", "urls", "files", "trojan", "location united", "query", "activity dns", "observed dns", "msie", "high", "copy", "write", "win32", "hashes", "host interaction", "sabey type", "hallrender", "brian sabey", "memory pattern", "http requests", "http method", "get response", "dns resolutions", "ip traffic", "domains", "mutex", "samplepath", "created", "shell commands", "r processes", "tree", "analyze", "hostnames", "url https", "samples", "hostname", "pattern urls", "memory", "pattern", "pattern domains", "roundup", "formbook", "mirai", "ben c", "injection", "server", "scan endpoints", "show", "august", "bq feb", "chrome", "precondition", "virtool", "downloadmr", "body", "status", "servers", "record value", "name servers", "showing", "mailrubar", "trojanclicker", "slcc2", "media center", "delete c", "malware beacon", "suspicious", "class", "internal", "local", "encrypt", "as15169 google", "gmt cache", "twitter", "rostpay", "date hash", "avast avg", "mtb may", "susp", "cryp", "win32upatre may", "mtb showing", "lowfi", "aaaa", "win32pcmega jan", "urlshortner dec", "urlshortner sep", "as133618", "nxdomain", "as133775 xiamen", "germany unknown", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "whois record", "ssl certificate", "tsara brashears", "resolutions", "critical risk", "apple phone", "unlocker", "shell code", "installer", "ursnif", "hacktool", "emotet", "tracker", "chaos", "ransomexx", "xor ddos", "xorddos", "mitre attack", "parent domain", "urls url", "siblings", "metro", "communicating", "collection", "dropped", "skynet", "youth", "com laude", "ltd dba", "utc submissions", "submitters", "cloudflarenet", "akamaias", "digitaloceanasn", "csc corporate", "pt mora", "univjos", "etisalat misr", "acurix networks", "pty ltd", "beijing baidu", "highly targeted", "http", "network hijacks", "redline stealer", "whois sslcert", "contacted urls", "whois whois", "september", "hidden cobra", "threats", "kimsuky", "service", "read c", "create c", "write c", "regsetvalueexa", "mozilla", "capture", "asnone", "domain http", "request", "malware dns", "lookup wannacry", "default", "ransom", "push", "playgame", "command", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "yara detections", "debug", "icmp traffic", "pdb path", "pe section", "low software", "packing t1045", "ransomware", "egregor", "find", "false", "psexec", "powershell", "qakbot", "qbot", "icedid" ], "references": [ "redhatdelete.com", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "target": null }, { "id": "Rostpay", "display_name": "Rostpay", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "Chaos (ELF)", "display_name": "Chaos (ELF)", "target": null }, { "id": "TrojanDropper:Win32/GameHack", "display_name": "TrojanDropper:Win32/GameHack", "target": "/malware/TrojanDropper:Win32/GameHack" }, { "id": "Win.Ransomware.Locky-7766366-0", "display_name": "Win.Ransomware.Locky-7766366-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "ALF:E5.SpikeAex.rhh_pid", "display_name": "ALF:E5.SpikeAex.rhh_pid", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 57, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1848, "FileHash-SHA1": 1783, "FileHash-SHA256": 7170, "domain": 1649, "hostname": 1191, "email": 9, "URL": 729, "CVE": 2, "SSLCertFingerprint": 2, "CIDR": 1 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "760 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d3acf32e1088e76165a307", "name": "Locky: File Deletion targeting incriminating archived files.", "description": "", "modified": "2024-03-20T12:00:39.809000", "created": "2024-02-19T19:33:07.504000", "tags": [ "it consultant", "uk collection", "dns intel", "ips collection", "suspicous ip", "whois file", "cname", "record type", "ttl value", "algorithm", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "whois lookup", "region create", "domain", "name server", "registrant name", "technical city", "region update", "united", "command decode", "mitre att", "suricata ipv4", "windows nt", "win64", "khtml", "gecko", "ck id", "cookie", "meta", "february", "hybrid", "general", "click", "strings", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "dns replication", "code", "namecheap", "registrar abuse", "namecheap inc", "privacy service", "withheld", "privacy", "dnssec", "email", "first", "bodis", "unknown", "creation date", "search", "emails", "as397240", "date", "next", "all octoseek", "threat roundup", "january", "june", "historical ssl", "referrer", "contacted", "group", "execution", "phishing", "malware", "core", "malicious", "dark power", "play ransomware", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 linker", "gnu linker", "compiler", "info header", "name md5", "overlay", "passive dns", "entries", "ipv4", "pulse pulses", "urls", "files", "trojan", "location united", "query", "activity dns", "observed dns", "msie", "high", "copy", "write", "win32", "hashes", "host interaction", "sabey type", "hallrender", "brian sabey", "memory pattern", "http requests", "http method", "get response", "dns resolutions", "ip traffic", "domains", "mutex", "samplepath", "created", "shell commands", "r processes", "tree", "analyze", "hostnames", "url https", "samples", "hostname", "pattern urls", "memory", "pattern", "pattern domains", "roundup", "formbook", "mirai", "ben c", "injection", "server", "scan endpoints", "show", "august", "bq feb", "chrome", "precondition", "virtool", "downloadmr", "body", "status", "servers", "record value", "name servers", "showing", "mailrubar", "trojanclicker", "slcc2", "media center", "delete c", "malware beacon", "suspicious", "class", "internal", "local", "encrypt", "as15169 google", "gmt cache", "twitter", "rostpay", "date hash", "avast avg", "mtb may", "susp", "cryp", "win32upatre may", "mtb showing", "lowfi", "aaaa", "win32pcmega jan", "urlshortner dec", "urlshortner sep", "as133618", "nxdomain", "as133775 xiamen", "germany unknown", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "whois record", "ssl certificate", "tsara brashears", "resolutions", "critical risk", "apple phone", "unlocker", "shell code", "installer", "ursnif", "hacktool", "emotet", "tracker", "chaos", "ransomexx", "xor ddos", "xorddos", "mitre attack", "parent domain", "urls url", "siblings", "metro", "communicating", "collection", "dropped", "skynet", "youth", "com laude", "ltd dba", "utc submissions", "submitters", "cloudflarenet", "akamaias", "digitaloceanasn", "csc corporate", "pt mora", "univjos", "etisalat misr", "acurix networks", "pty ltd", "beijing baidu", "highly targeted", "http", "network hijacks", "redline stealer", "whois sslcert", "contacted urls", "whois whois", "september", "hidden cobra", "threats", "kimsuky", "service", "read c", "create c", "write c", "regsetvalueexa", "mozilla", "capture", "asnone", "domain http", "request", "malware dns", "lookup wannacry", "default", "ransom", "push", "playgame", "command", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "yara detections", "debug", "icmp traffic", "pdb path", "pe section", "low software", "packing t1045", "ransomware", "egregor", "find", "false", "psexec", "powershell", "qakbot", "qbot", "icedid" ], "references": [ "redhatdelete.com", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "target": null }, { "id": "Rostpay", "display_name": "Rostpay", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "Chaos (ELF)", "display_name": "Chaos (ELF)", "target": null }, { "id": "TrojanDropper:Win32/GameHack", "display_name": "TrojanDropper:Win32/GameHack", "target": "/malware/TrojanDropper:Win32/GameHack" }, { "id": "Win.Ransomware.Locky-7766366-0", "display_name": "Win.Ransomware.Locky-7766366-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "ALF:E5.SpikeAex.rhh_pid", "display_name": "ALF:E5.SpikeAex.rhh_pid", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": "65d34c91868744aa1449fef2", "export_count": 64, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1848, "FileHash-SHA1": 1783, "FileHash-SHA256": 7170, "domain": 1649, "hostname": 1191, "email": 9, "URL": 729, "CVE": 2, "SSLCertFingerprint": 2, "CIDR": 1 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "760 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65d3c31230455f6d8da3a9f0", "name": "Locky: File Deletion targeting incriminating archived files II", "description": "", "modified": "2024-03-20T12:00:39.809000", "created": "2024-02-19T21:07:30.887000", "tags": [ "it consultant", "uk collection", "dns intel", "ips collection", "suspicous ip", "whois file", "cname", "record type", "ttl value", "algorithm", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "whois lookup", "region create", "domain", "name server", "registrant name", "technical city", "region update", "united", "command decode", "mitre att", "suricata ipv4", "windows nt", "win64", "khtml", "gecko", "ck id", "cookie", "meta", "february", "hybrid", "general", "click", "strings", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "dns replication", "code", "namecheap", "registrar abuse", "namecheap inc", "privacy service", "withheld", "privacy", "dnssec", "email", "first", "bodis", "unknown", "creation date", "search", "emails", "as397240", "date", "next", "all octoseek", "threat roundup", "january", "june", "historical ssl", "referrer", "contacted", "group", "execution", "phishing", "malware", "core", "malicious", "dark power", "play ransomware", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 linker", "gnu linker", "compiler", "info header", "name md5", "overlay", "passive dns", "entries", "ipv4", "pulse pulses", "urls", "files", "trojan", "location united", "query", "activity dns", "observed dns", "msie", "high", "copy", "write", "win32", "hashes", "host interaction", "sabey type", "hallrender", "brian sabey", "memory pattern", "http requests", "http method", "get response", "dns resolutions", "ip traffic", "domains", "mutex", "samplepath", "created", "shell commands", "r processes", "tree", "analyze", "hostnames", "url https", "samples", "hostname", "pattern urls", "memory", "pattern", "pattern domains", "roundup", "formbook", "mirai", "ben c", "injection", "server", "scan endpoints", "show", "august", "bq feb", "chrome", "precondition", "virtool", "downloadmr", "body", "status", "servers", "record value", "name servers", "showing", "mailrubar", "trojanclicker", "slcc2", "media center", "delete c", "malware beacon", "suspicious", "class", "internal", "local", "encrypt", "as15169 google", "gmt cache", "twitter", "rostpay", "date hash", "avast avg", "mtb may", "susp", "cryp", "win32upatre may", "mtb showing", "lowfi", "aaaa", "win32pcmega jan", "urlshortner dec", "urlshortner sep", "as133618", "nxdomain", "as133775 xiamen", "germany unknown", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "whois record", "ssl certificate", "tsara brashears", "resolutions", "critical risk", "apple phone", "unlocker", "shell code", "installer", "ursnif", "hacktool", "emotet", "tracker", "chaos", "ransomexx", "xor ddos", "xorddos", "mitre attack", "parent domain", "urls url", "siblings", "metro", "communicating", "collection", "dropped", "skynet", "youth", "com laude", "ltd dba", "utc submissions", "submitters", "cloudflarenet", "akamaias", "digitaloceanasn", "csc corporate", "pt mora", "univjos", "etisalat misr", "acurix networks", "pty ltd", "beijing baidu", "highly targeted", "http", "network hijacks", "redline stealer", "whois sslcert", "contacted urls", "whois whois", "september", "hidden cobra", "threats", "kimsuky", "service", "read c", "create c", "write c", "regsetvalueexa", "mozilla", "capture", "asnone", "domain http", "request", "malware dns", "lookup wannacry", "default", "ransom", "push", "playgame", "command", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "yara detections", "debug", "icmp traffic", "pdb path", "pe section", "low software", "packing t1045", "ransomware", "egregor", "find", "false", "psexec", "powershell", "qakbot", "qbot", "icedid" ], "references": [ "redhatdelete.com", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "target": null }, { "id": "Rostpay", "display_name": "Rostpay", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "Chaos (ELF)", "display_name": "Chaos (ELF)", "target": null }, { "id": "TrojanDropper:Win32/GameHack", "display_name": "TrojanDropper:Win32/GameHack", "target": "/malware/TrojanDropper:Win32/GameHack" }, { "id": "Win.Ransomware.Locky-7766366-0", "display_name": "Win.Ransomware.Locky-7766366-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "ALF:E5.SpikeAex.rhh_pid", "display_name": "ALF:E5.SpikeAex.rhh_pid", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": "65d34c8a64436a7aee2e25a1", "export_count": 73, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Enqrypted", "id": "272105", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_272105/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1848, "FileHash-SHA1": 1783, "FileHash-SHA256": 7170, "domain": 1649, "hostname": 1191, "email": 9, "URL": 729, "CVE": 2, "SSLCertFingerprint": 2, "CIDR": 1 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "760 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://github.com/avast-tl/retdec", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://github.com/avast-tl/retdec", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776639663.2535403 }